How to block Crypto Miner (javascript)


L3 Networker

This week I noticed a "CoinHive Javascript Detection" in the logs of our Palo Alto.

When reading on the subject I noticed that there are websites around that use Javascript to start mining Crypto coins on the users' computer.

https://live.paloaltonetworks.com/t5/Community-Blog/Unauthorized-Coin-Mining-in-the-Browser/ba-p/183...

Detailed description can be found here:

https://researchcenter.paloaltonetworks.com/2017/10/unit42-unauthorized-coin-mining-browser/

I noticed in the Palo Alto blog that PANDB is able to block URLs hosting Coinhive JavaScript.

My question:

How does one actually block this?

When I visit, for example, https://coinhive.com/ and push the button "Start Mining", the CPU goes up to 100%.

11 REPLIES

Sinkhole is meant to discover infected hosts when the only thing the firewall sees is queries sourced from an internal DNS server (the internal DNS server obscuring the real source IPs of hosts querying for malicious domains). The idea is that infected hosts may carry out a subsequent connection after resolving a malicious domain, and these will initiate new traffic to the *sinkhole IP*. Therefore you would use the traffic logs to see which hosts are attempting to initiate traffic to the *sinkhole IP* (and discover which hosts are infected).


If that's not your topology, then it's better to block.

By the way, you can also set an EDL of type Domain to action 'sinkhole' in the Anti-Spyware profile.

It is my understanding that you cannot use a "Domain" type EDL in a security policy as there is no way to select it. Domain type EDLs only show up in anti-spyware DNS Signature settings. Upon double-checking all the lists that are available on the link I provided earlier, I do see an IP list, which can be used in a security policy; so you can directly block that way in addition to sinkholing.
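
The sinkhole workflow described in the replies above, as an added example that is not part of the original thread or any poster's code: the DNS sinkhole events only name the internal resolver, while traffic log entries to the sinkhole IP reveal the clients. The CSV layout, field names and all addresses are constructed for illustration and are not the PAN-OS log export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified CSV layout (assumption, not a PAN-OS export).
SINKHOLE_IP = "198.51.100.1"  # placeholder sinkhole address (documentation range)

SAMPLE_LOG = """\
time,log_type,src,dst,dport,action
2024-01-10T09:00:01,threat,10.0.0.53,203.0.113.9,53,sinkhole
2024-01-10T09:00:02,traffic,10.0.1.23,198.51.100.1,443,allow
2024-01-10T09:00:05,traffic,10.0.1.40,192.0.2.80,443,allow
2024-01-10T09:03:10,threat,10.0.0.53,203.0.113.9,53,sinkhole
2024-01-10T09:03:11,traffic,10.0.1.23,198.51.100.1,443,allow
2024-01-10T09:07:44,traffic,10.0.2.7,198.51.100.1,80,deny
"""

def threat_log_sources(log_text):
    """Sources on the DNS sinkhole events: only the internal resolver shows up."""
    rows = csv.DictReader(io.StringIO(log_text))
    return {r["src"] for r in rows
            if r["log_type"] == "threat" and r["action"] == "sinkhole"}

def suspected_hosts(log_text, sinkhole_ip=SINKHOLE_IP):
    """Return {src_ip: {"hits", "first", "last", "ports"}} for hosts that opened
    sessions to the sinkhole IP, whatever the policy action was."""
    hosts = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "ports": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["log_type"] != "traffic" or row["dst"] != sinkhole_ip:
            continue
        h = hosts[row["src"]]
        h["hits"] += 1
        # ISO 8601 timestamps sort correctly as plain strings.
        h["first"] = min(filter(None, [h["first"], row["time"]]))
        h["last"] = max(filter(None, [h["last"], row["time"]]))
        h["ports"].add(int(row["dport"]))
    return dict(hosts)

if __name__ == "__main__":
    print("DNS sinkhole event sources:", sorted(threat_log_sources(SAMPLE_LOG)))
    for ip, info in sorted(suspected_hosts(SAMPLE_LOG).items()):
        print(ip, info["hits"], info["first"], info["last"], sorted(info["ports"]))
```
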
