04-03-2017 01:55 PM
I am seeing too many JavaScript web attacks which are caught by Symantec Endpoint Protection on my end users' workstations. Some of them are listed below.
Web Attack: Malicious Injected JavaScript 14
Web Attack: Fake Jquery Injection 2
Web Attack: Mass Injection Website 19
Web Attack: W32.Ramnit Attack 4
What worries me is why doesn't our firewall prevent such attacks at the perimeter itself instead of allowing such malicious traffic into the network? Are there some configuration settings I need to do, or do I need to set up some special policies? I have a PA-3020 on firmware version 7.1.7. Any help would be greatly appreciated.
06-16-2017 09:13 PM
Just wanted to highlight a couple of new useful IPS signatures and a new File Type that were released last year to help customers with files that are used for malware/ransomware. Some of these are potentially malicious payloads as well.
1) Detection of .js files sent over email. Malware and ransomware are often sent by these methods. Both of these are set to informational, so the customer should look at selectively enabling/blocking. 39002 looks for a plain .js file sent over email. 39003 looks for a .js inside of a .zip. This currently requires PAN-OS 7.0 as the minimum version due to decoder changes only available in 7.0+, but we will look at bringing that to more PAN-OS versions. We are looking at .wsf files next.
2) There is also another signature, "HTML MIME Entities Masquerading As Word Documents", that is also good at detecting malware/ransomware campaigns that include MS Office documents stored as MIME files to bypass detection. MIME docs can have embedded malicious payloads or they can call out for a payload. This signature simply looks at the file extension and the existence of HTML MIME objects. This kind of file may not be malicious, so the severity is set to informational.
3) New file type for VBScript for file blocking that you should look to block.
I have customers who have already enabled the .js signatures in blocking mode.
Examples for .js files:
https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
https://isc.sans.edu/forums/diary/TeslaCrypt+ransomware+sent+using+malicious+spam/20507/
Severity | ID | Attack Name | CVE ID | Vendor ID | Default Action | Minimum PAN-OS Version |
informational | 39002 | Javascript Sent in Email | | | alert | 5.0.0 |
informational | 39003 | Javascript Sent in Email | | | alert | 7.0.0 |

Content 557
Severity | ID | Attack Name | CVE ID | Vendor ID | Default Action | Minimum PAN-OS Version |
informational | 38508 | HTML MIME Entities Masquerading As Word Documents | | | alert | 5.0.0 |

New File Type (1)
Severity | ID | File Type | Minimum PAN-OS Version |
low | 52114 | VBScript Encoded File | 5.0.0 |
I hope this helps.
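To make concrete what the three signatures in the reply above inspect, here is an added example (written for this page, not Palo Alto's detection code) that reconstructs the described checks in Python and runs them over a constructed e-mail: a bare .js attachment (the 39002 case), a .zip wrapping a .js (39003), and a file named .doc whose bytes are actually a MIME container with an HTML entity (38508). The signature IDs and names come from the post; the Word extension list, the MHTML heuristic, the sample addresses and the attachment contents are assumptions of this example.

```python
"""Constructed example: emulate the checks behind PAN-OS IPS signatures
39002/39003 (Javascript Sent in Email) and 38508 (HTML MIME Entities
Masquerading As Word Documents). Not Palo Alto code; the matching logic is
this example's reconstruction of the behaviour described in the post."""
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SIG_JS_PLAIN = (39002, "Javascript Sent in Email")          # plain .js attachment
SIG_JS_ZIP = (39003, "Javascript Sent in Email")            # .js inside a .zip
SIG_MIME_DOC = (38508, "HTML MIME Entities Masquerading As Word Documents")

# Assumption: extensions treated as "Word documents" by the 38508 check.
WORD_EXTS = (".doc", ".dot", ".docx")


def zip_member_names(data: bytes) -> list[str]:
    """Member names of an in-memory zip; empty if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def looks_like_mhtml(data: bytes) -> bool:
    """Heuristic (assumption): a MIME header block that carries a text/html entity."""
    head = data.lstrip()[:4096].lower()
    return head.startswith(b"mime-version:") and b"content-type: text/html" in head


def classify_attachment(filename: str, data: bytes) -> list[tuple[int, str]]:
    """Return the (id, name) of every emulated signature the attachment matches."""
    name = filename.lower()
    hits: list[tuple[int, str]] = []
    if name.endswith(".js"):
        hits.append(SIG_JS_PLAIN)
    elif name.endswith(".zip"):
        # One level only: nested or password-protected archives are not inspected.
        if any(m.lower().endswith(".js") for m in zip_member_names(data)):
            hits.append(SIG_JS_ZIP)
    elif name.endswith(WORD_EXTS) and looks_like_mhtml(data):
        hits.append(SIG_MIME_DOC)
    return hits


def scan_email(raw: bytes) -> list[tuple[str, int, str]]:
    """Walk every attachment of a raw RFC 822 message and collect findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, int, str]] = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        for sig_id, sig_name in classify_attachment(fname, payload):
            findings.append((fname, sig_id, sig_name))
    return findings


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a zip archive in memory from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, data in entries.items():
            zf.writestr(member, data)
    return buf.getvalue()


# Constructed stand-in for an MHTML file renamed to .doc (harmless content).
MHTML_DOC = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_NextPart_01D"\r\n'
    b"\r\n"
    b"------=_NextPart_01D\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n'
    b"\r\n"
    b"<html><body>constructed sample</body></html>\r\n"
    b"------=_NextPart_01D--\r\n"
)


def build_sample_email() -> bytes:
    """Constructed message with one attachment per case plus a benign text file."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 0042"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"var a = 1;", maintype="application",
                       subtype="javascript", filename="invoice_0042.js")
    msg.add_attachment(make_zip({"scan_0042.js": b"var b = 2;"}),
                       maintype="application", subtype="zip",
                       filename="scan_0042.zip")
    msg.add_attachment(MHTML_DOC, maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment("Meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, sig_id, sig_name in scan_email(build_sample_email()):
        print(f"{fname}: {sig_id} {sig_name}")
```

The benign notes.txt produces no finding, a real OLE .doc is not flagged by the MHTML check, and a corrupt .zip is skipped rather than raising. The example mirrors the post's caveat: these matches are informational by design, so a real deployment would review hits before moving the signatures to block.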