07-16-2014 02:46 PM
Does anyone have a link to more information regarding this threat ID ?
I have searched PA's support site and the internet, and have had no luck.
Thanks!!
07-16-2014 02:54 PM
Hi Craig,
Blonde.crazytall.com is a malware site, when a user/spyware tried to do DNS lookup firewall just blocked DNS. Which in turn subsequent conversation. Let me know if this helps.
Please refer following document for more detail on log.
How to Create a Custom Report for Suspicious DNS Queries
Regards,
Hardik Shah
07-16-2014 03:00 PM
Thank you for the quick response.
Unfortunately, I do not fully understand your explanation.
07-16-2014 03:00 PM
Looks like there is an issue with the Test A Site database. I just ran this on the PA research center and it shows clean as computer category.
You should try to back trace the clients making the request for the site. They are likely infected with malware.
07-16-2014 03:04 PM
Hi Craig,
Firewall has inbuilt mechanism to block DNS request for malicious web sites.
So, lets say any user tries to access malicious website, which can damage network in future. In that case Firewall will block DNS query, so Connection will never be formed and Network is secure.
Moreover administrator get a log, so he can talk to user about malicious access. If user is unaware of such access then his machine is compromised. Let me know if this helps.
steven Bright cloud detects it as malicious, may be we can submit request for PAN-DB to correct category.
Regards,
Hardik Shah
07-16-2014 04:22 PM
hshah -- BrightCloud's categorization is likely incorrect. We've observed the crazytall domains being used to serve ads, which is perfectly legitimate. However, we've also observed malware connecting out to these domains. Thus, we do not categorize the domains as malicious, because they aren't; but we do categorize them as suspicious, because, as Steven Puluka indicated, accessing them may indicate malware on the endpoint.
That said, per Steven's submission to Test A Site, "Computer and Internet Info" probably isn't the best categorization. It's worth requesting a review of that, even if the optimal bucket isn't "Malware."
07-16-2014 04:27 PM
Hi Cblackmore,
If you think its a legitimate domain, than please submit a URL Category Change request to bright cloud. Follow bellow URL.
URL Categorization Change Request | Webroot BrightCloud
Once Bright cloud updates URL, firewall will no longer thinks it a malware domain and allow this legitimate traffic.
Regards,
Hardik Shah
07-16-2014 04:29 PM
Hello Craigmueller,
Virustotal thinks it as a malicious website, hence most likely bright cloud will not change category. If virustotal think it as a malware, than there is something wrong with the website. Please follow bellow link.
https://www.virustotal.com/en/domain/blonde.crazytall.com/information/
Regards,
Hardik Shah
07-16-2014 05:25 PM
The DNS signature exists for the reasons I stated earlier.
07-17-2014 09:32 AM
I don't think there is a categorization issue.
I was really just interested in more information regarding this threat ID.
If I am understanding everyone, this seems to be for pop-up ads or malware distribution?
If this is posted twice, I apologize. I previously responded, but no longer see it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
