I currently have a generic rule which blocks NetBIOS-like traffic to and from the internet with a simple deny. As this traffic is very likely to be malware-generated (at least in my context), I have enabled a simple alert-only antivirus profile on that rule, but I don't get any entries in the threat logs. On the other hand, when I turn the rule to accept instead of deny, the threat log is filled with virus alerts.
So, does the deny have precedence over the antivirus profile, discarding the packet before it has a chance to be analysed?
If so, what can I do to achieve what I described?
If your security rule is blocking by port number then the traffic will probably be dropped before any type of application ID can be done or threat can be detected. If you are blocking by application signature then you will see the application in the traffic log, but the packets are being dropped before any threat can come through. In other words, you are seeing the application session initiation but no payload.
A rule of thumb is to never turn on any profiles for a deny rule. There is no need since the packets are dropped by policy and not inspected any further. Profiles are only useful for allowed traffic.
Thank you for this quick answer, this is indeed what I had deduced too.
So is there a way to achieve this? We are already generating an "odd behavioured machines" report on allowed traffic, but also having the denied one would make this report much more useful.
Any thoughts?