I am seeing too many JavaScript web attacks which are caught by Symantec Endpoint Protection on my end users' workstations. Some of them are listed below.
Web Attack: Fake Jquery Injection 2
Web Attack: Mass Injection Website 19
Web Attack: W32.Ramnit Attack 4
What worries me is why our firewall doesn't prevent such attacks at the perimeter itself instead of allowing such malicious traffic into the network. Are there some configuration settings I need to make, or special policies I should set up? I have a PA3020 on firmware version 7.1.7. Any help would be greatly appreciated.
Just wanted to highlight a couple of new useful IPS signatures and a new File Type that was released last year to help customers with files that are used for malware/ransomware. Some of these are potentially malicious payloads as well.
1) Detection of .js files sent over email. Malware and ransomware are often sent by these methods. Both of these are set to informational, so the customer should look at selectively enabling/blocking. 39002 looks for a plain .js file sent over email. 39003 looks for a .js inside of a .zip. This is currently PAN-OS 7.0 minimum version due to decoder changes only available in 7.0+, but we will look at bringing that to more PAN-OS versions. We are looking at .wsf files next.
2) There is also another signature, "HTML MIME Entities Masquerading As Word Documents", that is also good at detecting malware/ransomware campaigns that include MS Office documents stored as MIME files to bypass detection. MIME docs can have embedded malicious payloads or they can call out for a payload. This signature simply looks at the file extension and the existence of HTML MIME objects. This kind of file may not be malicious, so the severity is set to informational.
3) New filetype for VBScript for file blocking that you should look to block.
I have customers who have already enabled the .js signatures in blocking mode.
Examples for .js files (table of the .js signatures with a Minimum PAN-OS Version column; cell values were not preserved)
HTML MIME Entities Masquerading As Word Documents (signature table)
New File Type (1): VBScript Encoded File (table with a Minimum PAN-OS Version column; cell values were not preserved)
I hope this helps.
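To show the kind of attachment checks the reply describes (a plain .js over email, a .js inside a .zip, and an "Office" document that is really an HTML MIME file), here is an added Python example written for this page; it is not Palo Alto Networks code and only approximates what the IPS signatures and file-type decoder do. The extension sets, the finding labels and the sample message are all assumptions constructed for the demo.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed extension sets: plain script files the reply mentions, plus the VBScript file type.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}
OFFICE_EXTENSIONS = {".doc", ".docx", ".dot", ".rtf"}

def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def classify_attachment(filename, data):
    """Return finding labels for one attachment; an empty list means nothing noted."""
    findings, ext = [], _ext(filename)
    if ext in SCRIPT_EXTENSIONS:            # cf. signature 39002: plain .js over email
        findings.append("script-attachment:" + ext)
    if ext == ".zip":                       # cf. signature 39003: .js inside a .zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                findings += ["script-in-zip:" + m for m in zf.namelist() if _ext(m) in SCRIPT_EXTENSIONS]
        except zipfile.BadZipFile:
            findings.append("zip-unparseable")
    if ext in OFFICE_EXTENSIONS:            # cf. "HTML MIME Entities Masquerading As Word Documents"
        head = data[:2048].lower()          # an Office extension whose body starts as a MIME/HTML entity
        if head.startswith(b"mime-version:") or b"<html" in head:
            findings.append("html-mime-masquerading-as-office")
    return findings

def scan_message(raw):
    """Map attachment filename -> findings for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        found = classify_attachment(fname, part.get_payload(decode=True) or b"")
        if found:
            results[fname] = found
    return results

def build_sample_message():
    """Constructed sample mail carrying the three attachment kinds the reply discusses."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(b"var a = 1;", maintype="application", subtype="javascript", filename="invoice.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan.js", "var b = 2;")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="scan.zip")
    fake_doc = b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=x\r\n\r\n<html>...</html>"
    msg.add_attachment(fake_doc, maintype="application", subtype="msword", filename="report.doc")
    return msg.as_bytes()
```

Running scan_message(build_sample_message()) flags all three constructed attachments; on real mail these labels are triage hints, matching the informational severity the reply assigns to the signatures.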