- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
06-15-2014 11:31 PM
We have a bunch of files that we created that we need to upload via ftp to a remote server through the PA.
The files trip the virus detector in the PA. Here's a syslog entry with some identifying information changed:
2014-06-16T15:22:31+10:00 10.84.1.33 [user warning] 22:31,000XXXXXXX,THREAT,virus,1,2014/06/16 15:22:25,10.84.20.250,50.28.93.0,0.0.0.0,0.0.0.0,I2E-ftp-rule-ftp,,,ftp,vsys1,Interior,External,ethernet1/2,ethernet1/1,mylog,2014/06/16 15:22:30,41521,1,36871,32182,0,0,0x0,tcp,deny,"myfile-06.06.0000-Beta-win64.exe",Virus/Win32.WGeneric.cpfjf(2455553),any,medium,client-to-server,236674,0x0,10.0.0.0-10.255.255.255,United States,0,
I scanned these files with several AV programs including clamav and I was able to upload it to virustotal (through the PA!) where it scanned completely clean.
If I turn off virus checking on our ftp rule then someone may be able to download files with viruses so I don't want to do that but we need these files uploaded.
How to do that?
06-16-2014 08:01 AM
Hello gmoss,
Instead turning off the AV scan for the entire rule, you can put a threat exception for that Threat ID (2455553) in the relevant AV profile.
Here is a document that explains the same:
How to Add a Threat Exceptions
Or you can also exempt the IP addresses for that threat, so that exception is applied to a particular set of source and destination IP addresses. This is more granular approach than the previous one:
How To Add Exempt IP Addresses From the Threat Monitor Logs
Hope that helps.
Thanks and regards,
Kunal Adak
06-16-2014 05:52 PM
Adding a threat exception means that if we ever get one of those we wouldn't be protected.
I want to be able to upload OK but have files tested on download.
Your answer, while helpful, doesn't answer the problem that we created these files and no-one else could find a virus in them.
I tried the "how to add exempt ip addresses" but it didn't work. I never get anything in the lower boxes and I never get an add button.
I created a new AV profile for this rule with this virus exempted from the list. But as I said, this won't protect us in the case someone tries to download a file that really has this virus.
06-16-2014 07:29 PM
Hello Gmoss,
Yes, you are correct. If you add a threat exception, that means, for the time being you wouldn't be protected. But, you always have an option to open a support case and provide detail information to modify the database in future release.
Secondly, there is no option to add exempt ip address on "Anti-Virus" profile. That option is avilable for "Vulnerability-profile".
FYI:
Hope this helps.
Thanks
06-17-2014 06:41 PM
It'd be good to open a support case but how do I do that? Every time I use this site everything has changed. When I try and make a support case I get redirected to salesforce.com and I have no login there.
06-17-2014 06:50 PM
Hello Gmoss,
If you have a valid support contact with PAN ,Please login into https://support.paloaltonetworks.com/ and go to Case-Management. There you can create a new support case.
OR
Please drop an email to support@paloaltonetworks.com.
Thanks
06-17-2014 07:54 PM
Like I said when I go there and click on case management I get redirected to a salesforce.com login page. I have no idea what to do then I have no salesforce login.
I finally got the redirect to work but I can't apparently log a case because my support has to go through another company.
06-18-2014 07:47 AM
When you click on the Case Management link, you should be taken to the following page.
Click on the New Case button to open a case.
If you still encounter issues, open a case by calling Support. Refer to Contact Us for Support phone numbers.
06-18-2014 08:05 AM
Support mechanism of PANW is rather simple - contact your reseller as he probably is your first line of support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!