TLS secured SMTP inbound inspection?

Hi,

I've recently had a client whose PAN appliance failed to pick up a zero-day piece of malware that found its way into their network via email.

We have WildFire configured correctly, and it transpires they are using opportunistic TLS on their mail relay. The spammer had sent the infected attachment using TLS, so the Palo Alto had no hope of actually seeing the content.

Oddly, the application appears as SMTP rather than TLS. I'm guessing that's because the first couple of packets would have a clear-text EHLO, amongst other items, identifying the app as SMTP; TLS happens a little later in the SMTP session.

So I tried an inbound SSL inspection rule, which would work for TLSv1 (most commonly used for SMTP relays), but no luck: the PAN never notices the existence of the TLS in the session, so it doesn't try to decrypt.

Am I missing something or is this not possible right now?

It'll be a real shame if it's not, as it's a gaping hole for APTs/malware to creep through. Of course, the first thing I did in this instance was to advise the client to block all .EXEs via their spam filter, but it would have been nice to catch it at the Palo...

Thanks for reading!

Dave
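The sequence Dave describes (a clear-text EHLO, a STARTTLS command, and then an opaque TLS stream on the same connection) as an added example that is not part of the original post or of any Palo Alto Networks code. The two session transcripts below are constructed, and the host names and addresses in them are placeholders. The script walks a captured SMTP session in order, checks whether the server advertised STARTTLS, and reports the point at which an inspecting device stops seeing SMTP and starts seeing TLS records, which is why the session classifies as SMTP yet carries an attachment nobody in the middle can read.

```python
"""Locate where an opportunistic-TLS (STARTTLS) SMTP session stops being cleartext.

Added example, not code from the original post. The session transcripts below are
constructed; the host names and addresses are placeholders, not real systems.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Message = Tuple[str, bytes]  # ("C" client->server | "S" server->client, raw bytes)

# TLS 1.0 ClientHello / ServerHello records: content type 0x16 (handshake),
# record version 0x0301 (also the legacy_record_version TLS 1.3 clients send).
# Bodies are zero-padded placeholders; only the record header matters here.
CLIENT_HELLO = b"\x16\x03\x01\x00\x2e" + b"\x01\x00\x00\x2a\x03\x01" + bytes(0x28)
SERVER_HELLO = b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26\x03\x01" + bytes(0x24)

# Constructed relay session: STARTTLS offered and taken; the mail itself is encrypted.
SESSION_STARTTLS: List[Message] = [
    ("S", b"220 mx.example.test ESMTP ready\r\n"),
    ("C", b"EHLO relay.sender.test\r\n"),
    ("S", b"250-mx.example.test\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 2.0.0 Ready to start TLS\r\n"),
    ("C", CLIENT_HELLO),   # from here on a middlebox sees only TLS records
    ("S", SERVER_HELLO),
]

# Constructed relay session with no TLS: every command and the DATA body are visible.
SESSION_PLAIN: List[Message] = [
    ("S", b"220 mx.example.test ESMTP ready\r\n"),
    ("C", b"EHLO relay.sender.test\r\n"),
    ("S", b"250-mx.example.test\r\n250 8BITMIME\r\n"),
    ("C", b"MAIL FROM:<sender@sender.test>\r\n"),
    ("S", b"250 2.1.0 Ok\r\n"),
    ("C", b"RCPT TO:<user@example.test>\r\n"),
    ("S", b"250 2.1.5 Ok\r\n"),
    ("C", b"DATA\r\n"),
    ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("C", b"Subject: invoice\r\n\r\nbody\r\n.\r\n"),
    ("S", b"250 2.0.0 Ok: queued\r\n"),
    ("C", b"QUIT\r\n"),
]


@dataclass
class StartTlsReport:
    advertised: bool                # server listed STARTTLS in its EHLO reply
    negotiated: bool                # a TLS handshake record followed the 220 go-ahead
    cleartext_messages: int         # messages an inspecting device could read
    first_tls_index: Optional[int]  # index of the first TLS record, None if never


def is_tls_record(payload: bytes) -> bool:
    """True for a TLS handshake record header: type 0x16, version 0x0300..0x0303."""
    return len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03


def analyse_session(session: List[Message]) -> StartTlsReport:
    advertised = False
    for idx, (direction, payload) in enumerate(session):
        if is_tls_record(payload):
            # Everything before this index was cleartext SMTP; everything after is opaque.
            return StartTlsReport(advertised, True, idx, idx)
        if direction == "S":
            # EHLO replies are multi-line "250-" lines ending with a "250 " line.
            for line in payload.decode("ascii", "replace").splitlines():
                if line[:4] in ("250-", "250 ") and line[4:].strip().upper() == "STARTTLS":
                    advertised = True
    return StartTlsReport(advertised, False, len(session), None)


def cleartext_commands(session: List[Message]) -> List[str]:
    """SMTP verbs the client sent before the session went encrypted (if it did)."""
    report = analyse_session(session)
    limit = len(session) if report.first_tls_index is None else report.first_tls_index
    verbs: List[str] = []
    in_data = False
    for direction, payload in session[:limit]:
        if direction != "C":
            continue
        if in_data:  # the message following DATA is the mail body, not a command
            verbs.append("<message body>")
            in_data = False
            continue
        verb = payload.decode("ascii", "replace").split()[0].upper()
        verbs.append(verb)
        in_data = verb == "DATA"
    return verbs


if __name__ == "__main__":
    for name, session in (("STARTTLS", SESSION_STARTTLS), ("plain", SESSION_PLAIN)):
        print(name, analyse_session(session), cleartext_commands(session))
```

Run against the STARTTLS transcript, the report shows five cleartext messages and only `EHLO` and `STARTTLS` as readable commands; the `MAIL`, `RCPT` and `DATA` exchange that carries the attachment sits entirely inside the TLS records, which a device keyed on the initial EHLO will still label as SMTP.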