Malware Site blocking: 94.102.55.20


L1 Bithead

Hello forum,

I am seeing traffic to a particular IP address from one computer that I know has been infected with a virus (we're busy getting rid of it). The connection is SSL and we are about to implement SSL decryption on our Palo, just not this second. The hoster of the IP address is Ecatel, who are synonymous with malware. We have a valid licence for threat, URL and AV, which is up to date on the box. I am wondering why it's not being blocked as dangerous even though our security profiles are basically set to block for anything 'medium' and higher. Because it's SSL it's not being categorised, which isn't helpful - is that the reason why it's not being stopped? Brightcloud lists it as unsafe. Any ideas of how to get a block on this that is more dynamic than just that one IP address (that might change) would be great.

Destination is 94.102.55.20

Can post more info if you need,

Thanks,

NC

1 ACCEPTED SOLUTION

L4 Transporter

Hi NC,

If you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket, and we can hand it over to the threat team for validation.

Also, in the ticket description, if you can, give a brief description of the threat.

Here is the document on how to collect the data (the threat log details collection in the doc below would not apply in your case):

https://live.paloaltonetworks.com/docs/DOC-2769

Regards

Parth


2 REPLIES

L6 Presenter

You said that this is an SSL site. How are you trying to block this? Are you using URL filtering to block the malware-sites category? If that is the case, then we should be blocking it based on the SSL certificate common name. I also see that you are using the antivirus profiles to block this virus; then you have to go for the SSL decryption option. Please share some information on what the website URL is and how you are trying to block this (Antivirus or URL filtering).

Thanks,

Sandeep
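The thread leaves one practical gap: NC asks for something "more dynamic than just that one IP address", and Sandeep's point stands that, without decryption, URL filtering can only act on the certificate common name, while the antivirus profile cannot see inside the SSL session at all. The one control that does work on encrypted traffic to a known-bad destination is a Security policy rule whose destination is an External Dynamic List (an IP-type EDL; older PAN-OS releases called this a Dynamic Block List) that the firewall refreshes from a URL you host. The script below is an added example, not code from the thread or from Palo Alto Networks: it turns a raw feed into the EDL file the firewall fetches (one IP, CIDR or range per line, no comments), validates every entry, merges overlapping blocks, and refuses anything broader than an assumed policy limit so that a typo or an over-eager feed cannot black-hole a large part of the internet. The feed entries other than 94.102.55.20 are constructed (TEST-NET ranges standing in for a hoster's netblocks; check the real allocations in the RIR database before you block a whole provider), and the prefix-length limits are an assumed local policy.

```python
"""Build a PAN-OS External Dynamic List (EDL) file of IP entries from a raw feed.

Added example, not from the thread. The feed below is constructed (TEST-NET
ranges standing in for a hoster's netblocks, plus the one address from the
thread); the prefix-length limits are an assumed local policy.
"""
import ipaddress
from typing import List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed policy: refuse anything broader than these, so a typo or an over-eager
# feed cannot turn the EDL into a black hole for a large part of the internet.
MIN_PREFIXLEN = {4: 16, 6: 32}

# Constructed feed. Comments and blank lines are tolerated here in the INPUT;
# the emitted EDL contains only bare entries, one per line.
RAW_FEED = """
# address seen in the traffic logs
94.102.55.20
# constructed stand-ins for the hoster's other netblocks (TEST-NET-2 / TEST-NET-3)
198.51.100.0/24
203.0.113.0/24
203.0.113.0/25
10.0.0.0/8
not-an-ip
"""


def parse_feed(raw: str) -> Tuple[List[IPNetwork], List[Tuple[int, str, str]]]:
    """Validate each feed line.

    Returns (accepted networks, rejected (line number, entry, reason)) so the
    rejects can be logged rather than silently dropped.
    """
    accepted: List[IPNetwork] = []
    rejected: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(raw.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        try:
            # strict=False lets a host address such as 94.102.55.20 become a /32
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "unparseable"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((lineno, entry, f"broader than /{MIN_PREFIXLEN[net.version]}"))
            continue
        accepted.append(net)
    return accepted, rejected


def _edl_entry(net: IPNetwork) -> str:
    """A host network is written as a bare address, the way a PAN-OS EDL expects it."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_edl(raw: str) -> List[str]:
    """Return the EDL lines: validated, deduplicated, overlapping blocks merged."""
    accepted, _ = parse_feed(raw)
    lines: List[str] = []
    for version in (4, 6):
        same = [n for n in accepted if n.version == version]
        # collapse_addresses merges 203.0.113.0/25 into 203.0.113.0/24 and drops duplicates
        lines.extend(_edl_entry(n) for n in ipaddress.collapse_addresses(same))
    return lines


def write_edl(path: str, raw: str = RAW_FEED) -> int:
    """Write the file the firewall will fetch over HTTP(S); returns the entry count."""
    lines = build_edl(raw)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    good, bad = parse_feed(RAW_FEED)
    for lineno, entry, reason in bad:
        print(f"rejected line {lineno}: {entry!r} ({reason})")
    print("\n".join(build_edl(RAW_FEED)))
```

Serve the output file from an internal web server, create an EDL object of type IP List pointing at it, and reference that object as the destination of a deny rule placed above the general outbound rules. The firewall re-fetches it on the interval you set, so updating the feed changes the block without a commit. Keep the reject log: if the script ever refuses an entry because it is broader than the limit, that is the moment to check whether you really meant to block an entire /8.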
