12-20-2016 04:01 AM - edited 12-20-2016 04:02 AM
Hi,
We recently had our FW setup by an external security company.
Yesterday we had a malicious email attack which got past our email scanning service. Although WildFire identified the attachments as malicious, they were sent on to the recipients (around 500). Luckily our AV's heuristics blocked the execution of the PowerShell script on most clients, and I am using the FW to identify those that connected to the compromised site to download the payload.
I have checked, and our WildFire setup seems to be as per the below How To:
How to Enable WildFire to Block File with 'malicious' Verdict
The AV profile did have "drop" against WF SMTP, which I have now changed to "reset-both", but I am unsure why this didn't stop the files getting through.
Any help in identifying where I am going wrong or how to troubleshoot would be greatly appreciated!
Thanks
12-20-2016 07:04 AM
As long as you are actually set up correctly, then I imagine that this was the first sample that WildFire received. If you upload something completely new to WildFire, it's possible that it had already been received by the time WildFire categorized it as malicious.
12-20-2016 07:20 AM - edited 12-20-2016 07:23 AM
To piggyback on @BPry: just because WF said it was malicious, if this was the first time the WF global environment saw it, it was an "unknown", which means your local appliance didn't have the hash of the file in its local DB, and as such the file was passed along.
The "malicious" note on the file likely occurred minutes after the file was sent up for analysis. You potentially were the unfortunate recipient to first send this file to the global WF environment, but the rest of us can thank you for now having that hash as a known bad.
--edit--
err...just looked at your screenshot, there was only a 3-second delta. So all of what I said doesn't apply; WF already knew the file was malicious.
12-20-2016 09:34 AM
Hi, thanks for the replies so far.
In the screenshot it states "alert" as the action (which it did in the log). I thought that this is expected, as this would be passed on to the AV profile, which would then kick in and "reset-both" based on the WF settings in the AV profile?
Should I expect the action in the below WF analysis to state "reset-both"?
When looking at the AV monitoring, I see little activity... :(. We now have a new variant of this being spammed at us; I would have thought the email scanning service we have would have started bouncing these by now!
Thanks
12-24-2016 04:01 AM
Check your settings as instructed in this document to ensure you have blocking for malicious set up everywhere you want it.
12-28-2016 02:35 AM
Hi Pulukas, thanks for taking a look.
Unfortunately, this is the guide I used and linked in my original post. I have everything set up as per the article, but we have been having a number of files getting through.
I have since raised a ticket with Palo regarding this, and the engineer I was talking to confirmed the settings were correct and couldn't see why the files were getting through 3 days after the hash had been identified.
It has therefore been escalated and I am now in the process of providing the various logs required for investigation.
I suspect that this issue is down to human error and there is some setting/policy somewhere which is causing this headache, I just hope it is sorted soon :).
I will let you know if I get a solution, as I noticed in the article you linked, other people were having similar issues.
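The thread turns on two different explanations for the same symptom: a first-seen sample is delivered before the cloud verdict exists (the "unknown" window described in the 07:20 reply), whereas a sample delivered days after its verdict was known and still not reset (the 02:35 post) points at a profile or policy problem. The script below, an added example written for this thread and not code from the original posts or from Palo Alto Networks, correlates verdict times with delivery times to tell the two cases apart. The CSV layouts, hashes, recipients and timestamps are constructed and simplified; real PAN-OS WildFire Submissions and Threat log exports use different field names, so the parsing would need to be adapted.

```python
"""Separate 'verdict not yet known' deliveries from deliveries that leaked
after the verdict was known. Added example; the CSV layouts below are
constructed and simplified, not real PAN-OS export formats."""
import csv
import io
from datetime import datetime

# Constructed WildFire submission log: when the appliance forwarded the file,
# when the verdict came back, the file hash and the verdict.
WF_SUBMISSIONS = """submit_time,verdict_time,sha256,verdict
2016-12-19 09:00:03,2016-12-19 09:04:41,aaaa1111,malicious
2016-12-19 09:00:03,2016-12-19 09:00:06,bbbb2222,malicious
2016-12-19 10:00:00,2016-12-19 10:00:02,cccc3333,benign
"""

# Constructed delivery log: SMTP sessions carrying an attachment, the hash
# of the attachment, the recipient and the action the firewall applied.
DELIVERIES = """time,sha256,recipient,action
2016-12-19 09:00:03,aaaa1111,alice@example.com,alert
2016-12-19 09:00:03,aaaa1111,bob@example.com,alert
2016-12-19 09:02:10,bbbb2222,carol@example.com,alert
2016-12-22 08:15:00,aaaa1111,dave@example.com,alert
2016-12-22 08:16:00,aaaa1111,erin@example.com,reset-both
2016-12-19 10:00:01,cccc3333,frank@example.com,alert
"""

TS = "%Y-%m-%d %H:%M:%S"
# Actions that actually stop the file; "alert" only logs it (assumed set).
BLOCKING_ACTIONS = {"drop", "reset-both", "reset-client", "reset-server", "block"}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def verdict_index(wf_rows):
    """Map sha256 -> (verdict, time at which the verdict became known)."""
    return {r["sha256"]: (r["verdict"], datetime.strptime(r["verdict_time"], TS))
            for r in wf_rows}


def classify(deliveries, verdicts):
    """Label every delivery; only malicious files get a blocking judgement."""
    out = []
    for d in deliveries:
        verdict, known_at = verdicts.get(d["sha256"], ("unknown", None))
        t = datetime.strptime(d["time"], TS)
        if verdict != "malicious":
            status = "not_malicious"
        elif d["action"] in BLOCKING_ACTIONS:
            status = "blocked"
        elif t < known_at:
            # Expected for a first-seen sample: the verdict did not exist yet.
            status = "delivered_before_verdict"
        else:
            # Verdict already known, file still not reset: profile/policy problem.
            status = "leaked_after_verdict"
        lag = (t - known_at).total_seconds() if known_at else None
        out.append({**d, "status": status, "seconds_after_verdict": lag})
    return out


def leaked_recipients(results):
    """Recipients who received a known-malicious file the FW should have reset."""
    return sorted(r["recipient"] for r in results if r["status"] == "leaked_after_verdict")


def status_counts(results):
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


def run(wf_text=WF_SUBMISSIONS, delivery_text=DELIVERIES):
    results = classify(parse_csv(delivery_text), verdict_index(parse_csv(wf_text)))
    return results, leaked_recipients(results), status_counts(results)


if __name__ == "__main__":
    results, leaked, counts = run()
    for r in results:
        print(f'{r["time"]} {r["sha256"]} {r["recipient"]:20} {r["action"]:10} {r["status"]}')
    print("counts:", counts)
    print("leaked after verdict:", leaked)
```

On the constructed data, the two 09:00:03 deliveries of `aaaa1111` land in the "delivered before verdict" bucket (the verdict arrived 4 minutes later), while the 12-22 delivery to dave and the 09:02:10 delivery of `bbbb2222` (verdict known 3 seconds after submission) are flagged as leaks that warrant a look at the AV profile's WildFire SMTP action and at which security policy the session actually matched.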