I'm not really sure how to title this one but here goes :smileyhappy:
A great many of the links in cryptolocker/zeuss type stuff links to domains that are brand new, yet quite a few of them seem to be in PAN-DB in categories like "Shopping" or "Business and Economy".
If I go out tomorrow and register a domain, presumably at that point it's "Unknown".
What's the process by which it ends up in a given category in PANDB please?
As some examples of recent stuff.
If there is a new domain and PAN-DB database doesn't have that information, it will send a query to the cloud and cloud will update to the PAN FW'.
For example:If there is a new domain cretead today as abcd.com, immedeately the PAN firewall will categorize as "unknown", but as soon as it will send a query and get the correct category information it will update it's data-base.
Generally speaking, for non-malware related URLs, PAN-DB will crawl and categorize domains as we see them. This can happen either because our crawler has found a new site, someone has submitted a change request for an unknown site, or because a customer device queried our servers for that URL. As HULK mentioned above, once we see an unknown on our servers, we will put that in a prioritized queue for crawling and classification. Once we determine a category, it will get included in the next database refresh.
For malware domains, PAN-DB will categorize a URL/IP as malware as long as WildFire has associated it with malicious activity. Regarding the Cryptolocker lists published by the FBI/Infragard, we do subscribe to such lists, and we will create threat signatures around them, as well as feed the domains/IPs listed into PAN-DB. For those malware families that utilize DGAs, we will phase in DNS signatures as those domains go live (typically a few days before), and then disable them as they get taken down. In the past, once we disabled signatures, we also removed the corresponding entries in PAN-DB. Starting with the most recent InfraGard list (Cryptolocker/GameOverZeus), we started adding all domains at once to PAN-DB, and will keep them categorized as malware until otherwise notified.
As for your list of examples, I checked PAN-DB, and we currently categorize all of them as malware with the exception of the first two. If you have additional examples of URLs from the InfraGard list that is not categorized as malware, please send me a private message and I can check them for you and see what's going on.
Hi Doris, thanks for that really detailed reply - appreciate it :smileyhappy:
I guess I'm trying to understand how the two domains that weren't malware were classified as anything other than malware?
I'm not asking to criticise, I'm genuinely curious as there must be thousands if not more domains registered daily - I'd assumed they'd all go into "unknown" until some manual process happened?
You are correct. By default, any newly registered domain will be "unknown" in PAN-DB until we've taken a look at it - either manually by our analysts/threat team, or via our crawler (triggered on some event). Our threat team took a look at the list you sent, and they are from a non-critical list published by InfraGard recently. As mentioned, most of these have been included in PAN-DB already as "malware", but the two exceptions did not resolve, and thus were not included in PAN-DB.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!