This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Known Malware passing through PA to Client

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Known Malware passing through PA to Client

Go to solution
Bvance
L2 Linker

‎06-07-2012 12:43 PM

Hello PAN,

Today I had a client get infected with the "Windows Privacy Module" Fake AV, This wasn't cought by either PAN OS or Trend Micro while a MalwareBytes scan found it and removed it no problem. Is there something more I can do to increase the odds of my PA SG in catching these? I do keep th AV software up to date along with the PAN OS and I do have the Security profile on all ingress traffic set to block.

Thanks,

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
mikand
L6 Presenter
In response to Bvance

‎06-08-2012 11:27 AM

Thats incorrect.

You need to install a selfsigned CA-cert (along with its private key) in your PA device and then install the public key as "trusted CA" in your clients browsers (if you have an AD you can push this CA public key through GPO).

This CA-cert (for ssl-termination) can be created by using the openssl binary.

However - depending on your company regulations regarding certs and stuff and specially if you already have a PKI infrastructure then I would use the PKI environment to create either a new CA or an intermediate CA to be used in your PA.

View solution in original post

0 Likes Likes
5 REPLIES 5

Go to solution
UhMayYeah
L5 Sessionator

‎06-07-2012 12:55 PM

This looks like a false-negative  bypassing PAN-OS firewall.Please open a support case providing following info.

(1) samples  pcaps
(2) Reference URL /Links etc.  associated with the Virus.

Refer : https://live.paloaltonetworks.com/docs/DOC-1283   for future references.

Thanks ,

Ameya

Go to solution
mikand
L6 Presenter
In response to UhMayYeah

‎06-07-2012 01:39 PM

As a sidenote you could also enable ssl decryption in order to be able to inspect also https traffic. Along with (if possible) block .exe and other filetypes from being downloadable by the clients. And to top it off you could enable url categorization and block follow categories:

Keyloggers and Monitoring

Malware sites

Spyware and Adware

Go to solution
Bvance
L2 Linker
In response to mikand

‎06-08-2012 05:21 AM

Thanks, I'll give these a shot.

0 Likes Likes

Go to solution
Bvance
L2 Linker
In response to mikand

‎06-08-2012 07:32 AM

From what I have been reading on inbound SSL decryption it looks like we would have to have our own Microsoft certificate server. Is this correct?

Thanks,

0 Likes Likes

Go to solution
mikand
L6 Presenter
In response to Bvance

‎06-08-2012 11:27 AM

Thats incorrect.

You need to install a selfsigned CA-cert (along with its private key) in your PA device and then install the public key as "trusted CA" in your clients browsers (if you have an AD you can push this CA public key through GPO).

This CA-cert (for ssl-termination) can be created by using the openssl binary.

However - depending on your company regulations regarding certs and stuff and specially if you already have a PKI infrastructure then I would use the PKI environment to create either a new CA or an intermediate CA to be used in your PA.

0 Likes Likes
  • 1 accepted solution
  • 2890 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks