- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-13-2020 04:30 AM
I would like to block malware files. On my gateway firewall, what filetypes should I block? . If I block only exe/DLL files getting dowloaded, will it help to avoid final malware getting executed ? What I would like to understand is, even if I allow communication with Command and Control (C2) servers, if I block executable/dll files, will it really block malware ultimate purpose?. Final payload will be only executable like exe/dll?
01-13-2020 09:21 AM
Hello,
Unfortunately this is a complicated answer. The best defense is a multi-layered one. While the PAN is a great platform, it should not be the only defense you have. I always tell folks the following:
I'm sure I might have missed some areas, so I'm interested in what others post as well.
01-13-2020 09:21 AM
Hello,
Unfortunately this is a complicated answer. The best defense is a multi-layered one. While the PAN is a great platform, it should not be the only defense you have. I always tell folks the following:
I'm sure I might have missed some areas, so I'm interested in what others post as well.
01-13-2020 10:08 AM
Also configure the DNS sinkhole under the Anti spyware profile.
Rest mostly Okta covered.
01-13-2020 10:20 AM
There are also applications such as CB Protect that white list what can be run/executed on a work station. That way if its not on the white list, it wont execute.
01-14-2020 01:22 AM
To elaborate on the above consider this scenario.
Your end user downloads a seemingly malignant file that the PA has no signature for [yet].
12 hours later that malignant file is found to have malicious payload and PA create a signature for it. So do Sophos, MacAfee, etc etc..
13 hours later it the file activates on your network. You don't have AV/Malware protection on the endpoints.
14 hours later your packing your desk.....
So as OtK points out, it's a multi layer approach. It's always best to block as close to "SOURCE" as possible, but there needs to be the extra layers and indeed different methods of detection, selecting products from differing vendors who may get an update to you quicker than one of your others.
Rob
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!