This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Wildfire options

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Wildfire options

daraco
L0 Member

‎11-30-2014 09:02 PM

Hey guys,

As I'm sure most of us are, I'm seeing a huge string of issues related to Cryptolocker lately.

I've reviewed the several articles floating around on how Palo Alto units deal with this, the fact is I'm seeing spam emails get through encouraging users to download executables which always come up as clean as far as PA's build in AV goes. Wildfire does appear to have a very successful history for us of identifying these infections. However, an alert is often proceeded immediately with an outbreak, at which point it's too late.

What options may exist here? Given the recent scale of damage, most users would be happy wait a minute while a download is sandboxed before being made available to them, in fact there are competing products already doing that just to run traditional AV. I'm sure this has already been considered, but given the huge scale of the threat, I'd like to around regarding whether I'm missing something, or whether there's any possible way of scripting this to produce the desired effect.

Labels:
0 Likes Likes
3 REPLIES 3

panos
L6 Presenter

‎11-30-2014 11:11 PM

this cannot be done with a script I think.Solution is, use TRAPS.

lewis
L4 Transporter

‎12-01-2014 05:54 AM

I agree with panos, that TRAPS could be your answer. Not knowing your environment but you may want to consider users not being able to download .exes (have AD group for exceptions to the rule) or blocking .exes with a spam gateway.But at the end of the day TRAPS might be your answer.

jkim2
L3 Networker

‎12-01-2014 08:25 AM

6.1 has URL inspection in WF so smtp messages with malicous URL links should be identified. WildFire Email Link Analysis

In addition block outbound to URL category Malware if you haven't done so already enable fwding of 'email-link'. Not all but most of the domains that WF picks up gets added to the malware category.

Another brute force approach would be to limit downloads of PE's with a captive portal.

Also think defense in depth so don't rely 100% on the peremieter fw's and yes TRAPS may help you here as well.

  • 2643 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks