Wildfire options

Reply
Highlighted
L0 Member

Wildfire options

Hey guys,

As I'm sure most of us are, I'm seeing a huge string of issues related to Cryptolocker lately.

I've reviewed the several articles floating around on how Palo Alto units deal with this, the fact is I'm seeing spam emails get through encouraging users to download executables which always come up as clean as far as PA's build in AV goes. Wildfire does appear to have a very successful history for us of identifying these infections. However, an alert is often proceeded immediately with an outbreak, at which point it's too late.

What options may exist here? Given the recent scale of damage, most users would be happy wait a minute while a download is sandboxed before being made available to them, in fact there are competing products already doing that just to run traditional AV. I'm sure this has already been considered, but given the huge scale of the threat, I'd like to around regarding whether I'm missing something, or whether there's any possible way of scripting this to produce the desired effect.

Highlighted
L6 Presenter

this cannot be done with a script I think.Solution is, use TRAPS.

Highlighted
L4 Transporter

I agree with panos, that TRAPS could be your answer. Not knowing your environment but you may want to consider users not being able to download .exes (have AD group for exceptions to the rule) or blocking .exes with a spam gateway.But at the end of the day TRAPS might be your answer.

Highlighted
L3 Networker

6.1 has URL inspection in WF so smtp messages with malicous URL links should be identified. WildFire Email Link Analysis

In addition block outbound to URL category Malware if you haven't done so already enable fwding of 'email-link'. Not all but most of the domains that WF picks up gets added to the malware category.

Another brute force approach would be to limit downloads of PE's with a captive portal.

Also think defense in depth so don't rely 100% on the peremieter fw's and yes TRAPS may help you here as well.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!