Hi Guys, I am using a pair of PA820 with TP, URL Scan and WF. I received a list of hash values from my Authority but couldn't find any hits on VirusTotal. Without doubting my big boss, I wanted to manually block it in the firewall but could not find a means to do so, any kind soul can give me a pointer? Sample of the file as below
|MD5: 13d28c1f903b9f5f7bbe046a03a860fa SHA1: db38b8cf2c14d0d14aa4b6c932e0b15d2652e59d SHA256: cd623eccc7132092d11ba900f67eb58d27bc9f5926535c9a31399183501c34bc CRC32: CDBAEF9E||247786 bytes||PE32 executable (GUI) Intel 80386, for MS Windows||File Creation: C:\Users\XXX\AppData\Local\Temp\13d28c1f903b9f5f7bbe046a03a860fa.exe|
|MD5: 2453408cbe8491b6da970cfcd94f7877 SHA1: 5111ddd387a818acf677150492eaf090db7eceaf SHA256: 77570d9693f2d65cffda4a51c3c23cea36d2bd26a5bf4a6a096187929438aa03 CRC32: 803D8C3B||247792 bytes||PE32 executable (GUI) Intel 80386, for MS Windows||File Creation: C:\Users\XXX\AppData\Local\Temp\2453408cbe8491b6da970cfcd94f7877.exe|
|MD5: 28c0158b8c7665ecd527a1a030afc9e9 SHA1: aa6a1d1f20b009e736e0a36c84705910bf50179b SHA256: b03cd2187b78a6bb1dab959ee722f14a3b8d8cf76310254e6c53172c9f13b1bc CRC32: 6E3AE953||247796 bytes||PE32 executable (GUI) Intel 80386, for MS Windows||File Creation: C:\Users\XXX\AppData\Local\Temp\28c0158b8c7665ecd527a1a030afc9e9.exe|
|MD5: 6572dfa5be53f521755b582c640a9672 SHA1: 312762f66d33c456fadfee3db4ada20e10a5657f SHA256: 9147a0c723d979617317108cdbc0607e29257f44341c26d2bc965c5659c05e0c CRC32: 92F07717||247786 bytes||PE32 executable (GUI) Intel 80386, for MS Windows||File Creation: C:\Users\XXX\AppData\Local\Temp\6572dfa5be53f521755b582c640a9672.exe|
|MD5: 1b685f21aef4cba5baafcba133c60690 SHA1: 2c71b397401d6ffb31daa38f6cb2e205f9092485 SHA256: 12575744b876da9d88e9c36ed2fd9401a33037e4f77b4b49d3da4840a172c828 CRC32: 8CA00918||65643 bytes||PE32 executable (GUI) Intel 80386, for MS Windows||File Creation: C:\Users\XXX\AppData\Local\Temp\1b685f21aef4cba5baafcba133c60690.exe|
It is not possible to block files based on hash. You will need to get the original file, upload it to Wildfire cloud, if it is classified as malicious, a signature will be created to block it. I recently had the same request (block files based on hash value).
By the time the firewall can compute the hash, the file already made its way through.
You need the full file for hash computation. You would need the firewall to hold on to the file to hash it before delivery, and that would break downloads. The firewall is an in-line device, and not a proxy, so it is not currently possible. The hashing *can* be performed as an after the fact best-effort action, and it is what the firewall actually does to check verdicts and forward samples with/to WildFire.
An alternative is to manually extract a long enough hex stream of the file, and define custom signatures to detect them. That way you'd be able to use a Custom Vulnerability Protection signature to block specific files.
You would have to define a custom signature per protocol (one for http, one for ftp, etc).
Please review https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0 for additional information.
Yes, you can enable extended logging in WildFire
> debug wildfire upload-log log extended-log yes
The computed SHA256 hash of files inspected by the WildFire Analysis Profile for wildfire forwarding will be written in the wildfire-upload.log log-file in the MP. To visualize it use command:
> less mp-log wildfire-upload.log
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!