08-21-2013 11:38 AM
Hey everyone, sorry if this was posted before and missed it in searching.
I am receiving an enormous number of alerts from WildFire due to an internal application that our desktop engineering team created. It's more or less just an exe that creates shortcuts to our internal HR portal, which WildFire believes to be malware.
What I am looking for is a way that I can continue to send all PE files up to WildFire, but create an exception list of items that are known to be good, or that can be flagged as benign like a trusted file. I am sure that I will run across this more and more, as we do a lot of custom packaging in our environment.
Any help would be appreciated.
Thanks
Jeremy
08-21-2013 06:24 PM
Hi,
Please collect the threat ID from the PA firewall logs, which is generated by the PA for that EXE file that the PA firewall believes to be malware.
1. Put that ID and search under "Exceptions" TAB
2. Set appropriate action for it.
3. OK and commit the changes.
Example: Re: Adding Threat Exceptions
Still no way to set SPECIFIC threat exceptions???
Re: Threat exception for selected hosts
Do I Understand Profile Exceptions?
For more info about WildFire, please follow the document mentioned below.
Threat Prevention Deployment Tech Note
Thanks
08-22-2013 05:22 AM
HULK, thank you for the information. From what I am seeing in the threat logs, the ID is unique to each exception, and I cannot possibly capture each one in a single exception. Can you provide a bit more detail on the Threat ID, to ensure I am looking at the right information?
Thanks
09-09-2013 08:48 AM
Here is what I ended up doing to fix my situation.
1. Created an Address Group for the app deployment servers that were deploying the app.
2. Created two security rules in the "Pre" device rules: one rule with the app deployment servers as the source, and a second rule with the app deployment servers as the destination.
3. Did not associate the rules with a File Blocking profile, so no files coming from these servers get forwarded to WildFire.
This seems to be working like a charm, and there are no further alerts.
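An added example, not from this thread or from Palo Alto Networks, of the audit check a practitioner would want after applying this fix: the rules above exempt the deployment servers from WildFire forwarding entirely, so it is worth listing every allow rule that carries no File Blocking profile or profile group. The script parses a constructed rulebase XML laid out like a PAN-OS export (the element names and rule names are my assumption) and returns those rules with their sources and destinations.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS security rulebase export (assumed layout).
# The two "deploy-*" rules mirror the poster's fix: address group as source/destination,
# no File Blocking profile. The third rule forwards PE files and is the normal case.
SAMPLE_RULEBASE = """<rulebase><security><rules>
  <entry name="deploy-servers-out">
    <from><member>trust</member></from><to><member>trust</member></to>
    <source><member>AppDeploymentServers</member></source>
    <destination><member>any</member></destination>
    <action>allow</action>
  </entry>
  <entry name="deploy-servers-in">
    <from><member>trust</member></from><to><member>trust</member></to>
    <source><member>any</member></source>
    <destination><member>AppDeploymentServers</member></destination>
    <action>allow</action>
  </entry>
  <entry name="general-outbound">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <action>allow</action>
    <profile-setting><profiles>
      <file-blocking><member>forward-pe-to-wildfire</member></file-blocking>
    </profiles></profile-setting>
  </entry>
</rules></security></rulebase>
"""

def rules_without_file_blocking(rulebase_xml):
    """Return [(rule name, sources, destinations)] for allow rules that carry
    neither a File Blocking profile nor a security profile group, i.e. rules
    whose traffic is never forwarded to WildFire."""
    root = ET.fromstring(rulebase_xml)
    gaps = []
    for rule in root.iterfind("./security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        has_fb = rule.find("profile-setting/profiles/file-blocking/member") is not None
        has_group = rule.find("profile-setting/group/member") is not None
        if has_fb or has_group:
            continue
        srcs = [m.text for m in rule.iterfind("source/member")]
        dsts = [m.text for m in rule.iterfind("destination/member")]
        gaps.append((rule.get("name"), srcs, dsts))
    return gaps

if __name__ == "__main__":
    for name, srcs, dsts in rules_without_file_blocking(SAMPLE_RULEBASE):
        print(f"{name}: {srcs} -> {dsts} (no file blocking, nothing sent to WildFire)")
```

Run it against a real `show config` XML export by passing the `<rulebase>` element text instead of the constructed sample; a rule appearing in the output is one whose files will never reach WildFire.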