Known Malware passing through PA to Client
cancel
Showing results for 
Search instead for 
Did you mean: 

Known Malware passing through PA to Client

L2 Linker

Hello PAN,

Today I had a client get infected with the "Windows Privacy Module" Fake AV, This wasn't cought by either PAN OS or Trend Micro while a MalwareBytes scan found it and removed it no problem. Is there something more I can do to increase the odds of my PA SG in catching these? I do keep th AV software up to date along with the PAN OS and I do have the Security profile on all ingress traffic set to block.

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions

Thats incorrect.

You need to install a selfsigned CA-cert (along with its private key) in your PA device and then install the public key as "trusted CA" in your clients browsers (if you have an AD you can push this CA public key through GPO).

This CA-cert (for ssl-termination) can be created by using the openssl binary.

However - depending on your company regulations regarding certs and stuff and specially if you already have a PKI infrastructure then I would use the PKI environment to create either a new CA or an intermediate CA to be used in your PA.

View solution in original post

5 REPLIES 5

L5 Sessionator

This looks like a false-negative  bypassing PAN-OS firewall.Please open a support case providing following info.

(1) samples  pcaps
(2) Reference URL /Links etc.  associated with the Virus.

Refer : https://live.paloaltonetworks.com/docs/DOC-1283   for future references.

Thanks ,

Ameya

As a sidenote you could also enable ssl decryption in order to be able to inspect also https traffic. Along with (if possible) block .exe and other filetypes from being downloadable by the clients. And to top it off you could enable url categorization and block follow categories:

Keyloggers and Monitoring

Malware sites

Spyware and Adware

Thanks, I'll give these a shot.

From what I have been reading on inbound SSL decryption it looks like we would have to have our own Microsoft certificate server. Is this correct?

Thanks,

Thats incorrect.

You need to install a selfsigned CA-cert (along with its private key) in your PA device and then install the public key as "trusted CA" in your clients browsers (if you have an AD you can push this CA public key through GPO).

This CA-cert (for ssl-termination) can be created by using the openssl binary.

However - depending on your company regulations regarding certs and stuff and specially if you already have a PKI infrastructure then I would use the PKI environment to create either a new CA or an intermediate CA to be used in your PA.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!