03-27-2018 06:02 AM
Hello,
Quick question about a specific URL (cia.toh.info). This URL is classified as malware in PAN-DB but doesn't show up in the AV release notes as a malware site, so it doesn't get sinkholed when we do a DNS lookup for that URL. We've noticed other URLs exhibiting the same behavior.
Has anyone else seen this? Is there a disconnect between the PAN-DB classification and the AV (sinkhole) database?
Thanks.
03-27-2018 06:33 AM
Hi @epeeler
These two sources aren't completely in sync. This domain was sinkholed with a WF update from 20160505. Some time after that, the domain was removed from the DNS signatures. This needs to be done over time, when it is "safe" to remove it. The list of DNS signatures would simply be too big for the firewalls to handle if it contained ALL malware domains from PAN-DB. For the DNS signatures there is no cloud lookup like there is with PAN-DB.
@reaper: Do you agree?
Regards,
Remo