Prisma Access Explicit Proxy — Anti‑Spyware behavior when DNS bypasses Prisma (logging subtype + test methodology)

L1 Bithead

Attention: JAPAC TPM Team
Hello Team,


I have a question about the Anti-Spyware profile behavior in a Prisma Access (Explicit Proxy) environment.


Scenario
- Clients use Explicit Proxy to reach Prisma Access for web traffic.
- DNS resolution does not traverse Prisma Access (it is resolved by a local resolver / another path).
- An Anti-Spyware profile is attached to the relevant security policy.
- SSL decryption: enabled/disabled (please advise if this matters in this scenario).


Questions
1. When client DNS queries do not traverse Prisma Access, is it correct that Anti-Spyware detections would rely on payload-based signatures (and not DNS signatures / sinkhole)?
2. In such a case, should detections appear in the Threat log with subtype: spyware? Is there any difference in the logging behavior compared to DNS signature/sinkhole events?
3. I couldn’t find an official knowledge base article that specifically tests this scenario. Is there a recommended test methodology to validate Anti-Spyware behavior with Explicit Proxy when DNS is out‑of‑path?


Constraints
I currently don’t have access to a live traffic test environment, so any guidance, example steps, or references would be greatly appreciated.


Thank you in advance for your assistance.
