Mail attachment virus scanning

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Mail attachment virus scanning

L4 Transporter

How can I implement proper mail attachment virus scanning ?

For incoming mail, I have an antivirus security profile in place that should block virusses (smtp decoder), nothing fancy really:

I notice that the PA doesn't filter attached virusses too well. Luckily (as is best practice) I have several layers of antivirus protection for mail:

external spam filter --- firewall --- (spamfilter in DMZ; spam only) --- antivirus on internal mailserver --- endpoint antivirus + Outlook attachment filter

So virus infected mails usually don't reach the user. However, I think it's better that they are identified and blocked at an early stage, which is not the case now. The firewall plays an important role here, I feel.

I feel like PA antivirus doesn't do smtp antivirus very well. E.g. none of the test virus/spam mails from Free Email Security Check were blocked by the PA.

What can I do to improve on this ? Or is PA just not up to the task ?

10 REPLIES 10

L5 Sessionator

Hi dieterb,

I was wondering whether the PANFW isn't screening the mails for the attachments at all. Can you show us the screenshot of the security rule where this profile has been configured under.

The link below also describes the best practices for Threat Prevention

https://live.paloaltonetworks.com/docs/DOC-3094

The pages 19 through 22 explain about how to configure the anitvirus feature.

I suggest taking a look at these settings as well mentioned under this document.

Thanks and best regards,

Karthik RP

Nothing fancy in the rule:

I've browsed through the pages you suggested (haven't had time yet to review the entire document), but nothing obvious that suggests my config is wrong...

Message was edited by: Dieter Bulcke

L4 Transporter

Can the message format the SMTP mail is presented to us be a reason the PA doesn't "see" the attachments ?

L5 Sessionator

AV scanning for the Email attachments is supported.

If the SMTP connection is over SSL ,you  need to implement SSL-Decryption on the PAN-OS firewall to scan the clear-text  traffic.

Plain standard unencrypted SMTP, so no decryption necessary for content inspection.

Make sure the firewall is installed with latest Antivirus version -1046-1457.

If the traffic logs show Email traffic matching the security rule Allow-In_Mail and no Threat logs are generated ,open a case with Support.

#As an additional step, you can associate a  File-Blocking profile with this rule and monitor the Wildfire logs.

It didn't update to the latest antivirus yet, but that should not be the issue, right ? Virusses in other traffic is detected fine.

I checked earlier, incoming mail passes the right rule.

No wildfire subscription.

I'll open (yet another, almost weekly now) ticket with support.

Hi,

i am using SMTP connection over SSL.

How can I implement SSL Decryption  for SMTP?

The below document could be helpful :

How to Implement SSL Decryption

Thanks

L4 Transporter

Bringing back an old thread:

We had some cryptolocker recently. Mail containting a zip.

although the antivirus definitions know of the specific variant, the firewall will not block them in SMTP traffic.

What are the limits for STMP attachment scanning regarding to compressed files ?

  • 7296 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!