- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-30-2014 09:02 PM
Hey guys,
As I'm sure most of us are, I'm seeing a huge string of issues related to Cryptolocker lately.
I've reviewed the several articles floating around on how Palo Alto units deal with this, the fact is I'm seeing spam emails get through encouraging users to download executables which always come up as clean as far as PA's build in AV goes. Wildfire does appear to have a very successful history for us of identifying these infections. However, an alert is often proceeded immediately with an outbreak, at which point it's too late.
What options may exist here? Given the recent scale of damage, most users would be happy wait a minute while a download is sandboxed before being made available to them, in fact there are competing products already doing that just to run traditional AV. I'm sure this has already been considered, but given the huge scale of the threat, I'd like to around regarding whether I'm missing something, or whether there's any possible way of scripting this to produce the desired effect.
11-30-2014 11:11 PM
this cannot be done with a script I think.Solution is, use TRAPS.
12-01-2014 05:54 AM
I agree with panos, that TRAPS could be your answer. Not knowing your environment but you may want to consider users not being able to download .exes (have AD group for exceptions to the rule) or blocking .exes with a spam gateway.But at the end of the day TRAPS might be your answer.
12-01-2014 08:25 AM
6.1 has URL inspection in WF so smtp messages with malicous URL links should be identified. WildFire Email Link Analysis
In addition block outbound to URL category Malware if you haven't done so already enable fwding of 'email-link'. Not all but most of the domains that WF picks up gets added to the malware category.
Another brute force approach would be to limit downloads of PE's with a captive portal.
Also think defense in depth so don't rely 100% on the peremieter fw's and yes TRAPS may help you here as well.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!