This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

How to block malware getting executed?.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to block malware getting executed?.

Go to solution
Raja3000
L0 Member

‎01-13-2020 04:30 AM

I would like to block malware files. On my gateway firewall, what filetypes should I block? . If I block only exe/DLL files getting dowloaded, will it help to avoid final malware getting executed ?  What I would like to understand is, even if I allow communication with Command and Control (C2) servers, if I block executable/dll files, will it really block malware ultimate purpose?. Final payload will be only executable like exe/dll?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎01-13-2020 09:21 AM

Hello,

Unfortunately this is a complicated answer. The best defense is a multi-layered one. While the PAN is a great platform, it should not be the only defense you have. I always tell folks the following:

  • Use a secure DNS provider such as OpenDNS, TitanHQ, or Quad9. Even PAN has one now.
  • Secure your boarder, i.e. use a PAN and configure all options, App/Threat, Wildfire/ etc.
    • Block all non-essential inbount traffic with Layer7
    • Block all outbound non-esesntial traffic with layer7, URL filtering, ssl decryption, etc.
  • on the endpoint:
    • Use an next gen AV product, i.e. Traps, FireAmp, etc.
    • Get logging and telemetry from the endpoint, FireAMP has this built it, CB Response is another
  • Segment your network, zero-trust is a great option.
  • Get Netflow data
  • Use a SIEM to bring all logs together for analysis
    • ELK has been doing great work in this area, they have a SIEM module now.
  • TEST! 
    • make sure you are getting logging/blocking, etc!
    • Atomic RedTeam
    • MonkeyIsland
    • Nessus
  • Remember that security is not a destination, its a circular journey

I'm sure I might have missed some areas, so I'm interested in what others post as well.

View solution in original post

5 REPLIES 5

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎01-13-2020 09:21 AM

Hello,

Unfortunately this is a complicated answer. The best defense is a multi-layered one. While the PAN is a great platform, it should not be the only defense you have. I always tell folks the following:

  • Use a secure DNS provider such as OpenDNS, TitanHQ, or Quad9. Even PAN has one now.
  • Secure your boarder, i.e. use a PAN and configure all options, App/Threat, Wildfire/ etc.
    • Block all non-essential inbount traffic with Layer7
    • Block all outbound non-esesntial traffic with layer7, URL filtering, ssl decryption, etc.
  • on the endpoint:
    • Use an next gen AV product, i.e. Traps, FireAmp, etc.
    • Get logging and telemetry from the endpoint, FireAMP has this built it, CB Response is another
  • Segment your network, zero-trust is a great option.
  • Get Netflow data
  • Use a SIEM to bring all logs together for analysis
    • ELK has been doing great work in this area, they have a SIEM module now.
  • TEST! 
    • make sure you are getting logging/blocking, etc!
    • Atomic RedTeam
    • MonkeyIsland
    • Nessus
  • Remember that security is not a destination, its a circular journey

I'm sure I might have missed some areas, so I'm interested in what others post as well.

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎01-13-2020 10:08 AM

Also configure the DNS sinkhole under the Anti spyware profile.

Rest mostly Okta covered.

MP

Help the community: Like helpful comments and mark solutions.

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to MP18

‎01-13-2020 10:20 AM

There are also applications such as CB Protect that white list what can be run/executed on a work station. That way if its not on the white list, it wont execute.

 

0 Likes Likes

Go to solution
RobinClayton
L4 Transporter
In response to OtakarKlier

‎01-14-2020 01:22 AM

To elaborate on the above consider this scenario.

 

Your end user downloads a seemingly malignant file that the PA has no signature for [yet]. 

 

12 hours later that malignant file is found to have malicious payload and PA create a signature for it. So do Sophos, MacAfee, etc etc..

 

13 hours later it the file activates on your network. You don't have AV/Malware protection on the endpoints. 

 

14 hours later your packing your desk.....

 

So  as OtK points out, it's a multi layer approach. It's always best to block as close to "SOURCE" as possible, but there needs to be the extra layers and indeed different methods of detection, selecting products from differing vendors who may get an update to you quicker than  one of your others.

 

Rob

 

 

 

 

 

 

 

Go to solution
Raja3000
L0 Member
In response to OtakarKlier

‎01-15-2020 08:25 AM

Thanks OtakarKlier

0 Likes Likes
  • 1 accepted solution
  • 4837 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks