06-07-2012 12:43 PM
Today I had a client get infected with the "Windows Privacy Module" Fake AV. This wasn't caught by either PAN OS or Trend Micro, while a MalwareBytes scan found it and removed it no problem. Is there something more I can do to increase the odds of my PA SG catching these? I do keep the AV software up to date along with the PAN OS, and I do have the Security profile on all ingress traffic set to block.
06-08-2012 11:27 AM
You need to install a self-signed CA cert (along with its private key) in your PA device and then install the public key as a "trusted CA" in your clients' browsers (if you have an AD you can push this CA public key through GPO).
This CA cert (for SSL termination) can be created by using the openssl binary.
However, depending on your company regulations regarding certs and stuff, and especially if you already have a PKI infrastructure, I would use the PKI environment to create either a new CA or an intermediate CA to be used in your PA.
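The openssl step described in this reply, written out as an added example (not the poster's own commands): it generates the CA private key that stays on the firewall and the CA certificate whose public half is pushed to client trust stores, then checks that the result really carries the CA flag. The CN, organisation, 2048-bit key, 5-year lifetime and output directory are placeholder choices.

```shell
# Added example: build a self-signed CA for SSL forward-proxy decryption.
# Assumes openssl is installed; subject names and lifetime are placeholders.
make_decrypt_ca() {
  outdir="$1"
  mkdir -p "$outdir"
  # Extensions matter: without CA:TRUE, browsers will reject the per-site
  # certificates the firewall issues for decrypted HTTPS sessions.
  cat > "$outdir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Decryption CA
O = Example Corp
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Private key: import into the PA device only; never distribute to clients.
  openssl genrsa -out "$outdir/decrypt-ca.key" 2048 2>/dev/null
  # Self-signed CA certificate, valid for roughly five years.
  openssl req -x509 -new -sha256 -days 1825 \
    -key "$outdir/decrypt-ca.key" \
    -config "$outdir/ca.cnf" \
    -out "$outdir/decrypt-ca.crt"
  # Public half in DER form: this is what goes out via GPO as a trusted root.
  openssl x509 -in "$outdir/decrypt-ca.crt" -outform DER \
    -out "$outdir/decrypt-ca.cer"
}

# Sanity check before importing: confirm the certificate is flagged as a CA.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# Confirm the key and certificate belong together (modulus match).
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -modulus)
  [ "$k" = "$c" ]
}
```

Only the .cer (public half) leaves the firewall; if the .key file ever reaches a client it can be used to mint certificates that every machine in the domain trusts.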
06-07-2012 12:55 PM
(1) sample pcaps
(2) Reference URLs/links etc. associated with the virus.
Refer to https://live.paloaltonetworks.com/docs/DOC-1283 for future reference.
06-07-2012 01:39 PM
As a side note, you could also enable SSL decryption in order to be able to inspect https traffic as well. Along with that, if possible, block .exe and other file types from being downloadable by the clients. And to top it off you could enable URL categorization and block the following categories:
Keyloggers and Monitoring
Spyware and Adware
06-08-2012 05:21 AM
Thanks, I'll give these a shot.
06-08-2012 07:32 AM
From what I have been reading on inbound SSL decryption, it looks like we would have to have our own Microsoft certificate server. Is this correct?