12-22-2017 08:00 PM
The Palo Alto device is saying that a workstation on the network is querying the DNS server for some malicious URLs on some dates and at some times.
Full scan using McAfee VSE, Microsoft Safety Scanner, Malwarebytes, Spybot, said no malware detected.
Using McAfee GetSusp I uploaded 40 suspicious and unknown files, which were analysed in the McAfee lab – no malware detected. McAfee put these files through VirusTotal; antivirus engines from 57 different vendors all say ‘clean’.
The log that says detection of malicious URL:
Receive Time | Threat/Content Type | Generate Time | Rule | Application | Virtual System | Source Zone | Destination Zone | Source Port | Destination Port | IP Protocol | Action | URL | Threat/Content Name | Category | Severity | Direction
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | P2P-Worm.palevo:brero.balkan-hosting.net(3839431) | any | medium | client-to-server
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | Suspicious DNS Query (P2P-Worm.palevo:brero.balkan-hosting.net)(4022349) | any | medium | client-to-server
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | P2P-Worm.palevo:brero.balkan-hosting.net(3839431) | any | medium | client-to-server
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | Suspicious DNS Query (P2P-Worm.palevo:brero.balkan-hosting.net)(4022349) | any | medium | client-to-server
I really don't know how to close this case. Who is right, and how do I prove either of the anti-malware products wrong?
The workstation in question is a Windows 7 machine; the whole network is isolated (meaning no Internet access). The DNS server is Windows 2012, it is AD-integrated, with no access to the Internet. The workstation has McAfee VSE 8.8 and its definitions are updated every day. It also has McAfee HIPS, Solidcore, DLP and RSD.
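As an added example (not from the original post or from Palo Alto), here is a small Python parser for the pipe-delimited threat-log export above: it pulls the queried domain out of the Threat/Content Name and collapses the paired signatures into (time, source port, domain) pivots, which are the values to match against the Windows 7 endpoint's own capture. It assumes the export dropped the empty URL column, which is why each row above has one field fewer than the header.

```python
"""Parse a PAN-OS threat-log export and turn DNS alerts into endpoint pivot points."""
import re
from datetime import datetime

# Constructed sample: the header and the four rows from the post, trailing pipes included.
THREAT_LOG = """\
Receive Time | Threat/Content Type | Generate Time | Rule | Application | Virtual System | Source Zone | Destination Zone | Source Port | Destination Port | IP Protocol | Action | URL | Threat/Content Name | Category | Severity | Direction | |
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | P2P-Worm.palevo:brero.balkan-hosting.net(3839431) | any | medium | client-to-server | ||
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | Suspicious DNS Query (P2P-Worm.palevo:brero.balkan-hosting.net)(4022349) | any | medium | client-to-server | ||
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | P2P-Worm.palevo:brero.balkan-hosting.net(3839431) | any | medium | client-to-server | ||
12/3/2017 13:56 | spyware | 12/3/2017 13:56 | POC Alert All | dns | vsys1 | TapZone2 | TapZone2 | 55305 | 53 | udp | alert | Suspicious DNS Query (P2P-Worm.palevo:brero.balkan-hosting.net)(4022349) | any | medium | client-to-server |
"""
# Matches both spellings in the post: "family:domain(id)" and "Suspicious DNS Query (family:domain)(id)".
SIG_RE = re.compile(r"(?:Suspicious DNS Query \()?(?P<family>[^:()]+):(?P<domain>[^()\s]+)\)?\((?P<id>\d+)\)")


def parse_threat_log(text):
    """Return one dict per data row, keyed by the header names."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    headers = [h.strip() for h in lines[0].strip("| ").split("|")]
    rows = []
    for line in lines[1:]:
        values = [v.strip() for v in line.strip("| ").split("|")]
        if len(values) == len(headers) - 1:
            # Assumption: the export dropped the empty URL column, as in the post's rows.
            values.insert(headers.index("URL"), "")
        if len(values) != len(headers):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append(dict(zip(headers, values)))
    return rows


def dns_alerts(rows):
    """Keep DNS-application alerts whose signature name carries a domain."""
    out = []
    for r in rows:
        m = SIG_RE.fullmatch(r["Threat/Content Name"])
        if r["Application"] != "dns" or not m:
            continue
        out.append({"time": datetime.strptime(r["Generate Time"], "%m/%d/%Y %H:%M"),
                    "sport": int(r["Source Port"]), "domain": m["domain"],
                    "family": m["family"], "sig_id": int(m["id"])})
    return out


def pivot_points(alerts):
    """Collapse the domain signature and its 'Suspicious DNS Query' twin into one pivot per (time, source port, domain)."""
    groups = {}
    for a in alerts:
        groups.setdefault((a["time"], a["sport"], a["domain"]), set()).add(a["sig_id"])
    return [{"time": t, "sport": p, "domain": d, "sig_ids": sorted(ids)}
            for (t, p, d), ids in sorted(groups.items())]
```

Each pivot's time and UDP source port are what to line up against the endpoint's socket-to-process evidence (a netstat snapshot or a Message Analyzer trace taken at the same time) to name the process behind the lookup.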
12-22-2017 10:32 PM
If this is something that is happening repeatedly, you could use a tool like "Microsoft Message Analyzer" to try and map the process on the Windows 7 system making the DNS query for the suspicious domain.
- https://www.microsoft.com/en-us/download/details.aspx?id=44226 (download link)
- https://technet.microsoft.com/en-us/library/jj649776.aspx (operating guide)
I will say that the Microsoft Message Analyzer is a very powerful tool (translate: difficult to use). In fumbling around with it I was able to map a DNS lookup (mail server) to the requesting process (outlook.exe) - but don't ask me how I did it.
If anyone has a better method of mapping a client DNS lookup to a specific process, I'd love to hear about it. Good luck.
12-22-2017 10:59 PM
Thanks. I had actually used Microsoft Message Analyzer to try to capture any DNS query traffic, but after 3 days of sniffing I wasn't able to capture anything, no DNS query at all. So there must be something I didn't do correctly, or the software needs some special action.
12-24-2017 02:46 PM
One thing that I would look at in the logs is what exactly the URL is that they are trying to access. I would say that most of the alerts that I receive from this are generated by the user navigating to a website with less than perfect advertisement sources. If that doesn't work then Message Analyzer is probably your best bet, but it is a very very difficult tool to actually understand how to use.
If all else fails, make the user use another machine temporarily, say a day or two, so that you can 'look' at their current machine. See if the alerts change to the new machine or not; that would at least tell you if it's something they are doing or if it's truly a machine action.
12-24-2017 07:43 PM
BPry,
From the log, I guess these are the URLs:
brero.balkan-hosting.net
banjalucke-ljepotice.ru
The environment is isolated; the user won't be able to go on the Internet. Therefore it is unlikely that the user has accessed a website that contains hidden malicious advertisements.
The machine has already been put offline and the user is not using it. I am currently working on a virtual clone of the machine in my Hyper-V environment. So far I can't find anything suspicious on the machine.
Is there no possibility that the Palo Alto device is generating false positives?