This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About tettema
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About tettema
05-19-2023
41Posts
13Likes
10Solutions
May 19, 2023Last Visited
User
Activity
User
Profile
Latest posts by tettema
| Subject | Views | Posted |
|---|---|---|
| 5721 | 10-15-2019 11:39 AM | |
| 7378 | 05-02-2013 08:55 PM | |
| 8458 | 03-13-2013 03:39 PM | |
| 7927 | 01-28-2013 11:14 AM | |
| 3919 | 12-13-2012 02:27 PM | |
| 2364 | 10-29-2012 05:31 PM | |
| 4184 | 08-30-2012 11:38 AM | |
| 2665 | 08-20-2012 10:40 AM | |
| 6822 | 08-14-2012 01:11 PM | |
| 7150 | 06-08-2012 10:00 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-16-2011 03:26 PM | |
| 1 Like | 02-14-2012 07:33 PM | |
| 1 Like | 02-15-2012 03:41 PM | |
| 1 Like | 01-28-2013 11:14 AM | |
| 4 Likes | 03-13-2013 03:39 PM |
My LIVEcommunity Articles Contributions
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 3 Likes |
User Badges
Community Statistics
| Member Since | 09-07-2011 09:53 AM |
| Date Last Visited | 05-19-2023 08:57 PM |
| Posts | 41 |
| Total Likes Received | 13 |
10-15-2019
11:39 AM
3 Kudos
Palo Alto Networks has published two new Security Advisories that impact the GlobalProtect agent for Windows, Linux, and Mac OSX.
Please see https://securityadvisories.paloaltonetworks.com for details about the following two new security advisories:
Local Privilege Escalation in GlobalProtect Agent for Windows (PAN-SA-2019-0036)
Local Privilege Escalation in GlobalProtect Agent for Linux and Mac OS (PAN-SA-2019-0037)
... View more
Labels:
05-02-2013
08:55 PM
Hi wissa, There is a bug fix to address accessing WildFire logs via the API that is planned for the upcoming maintenance release 5.0.5, due soon. The hash is not available within the WildFire logs on the device, but can be accessed via the WildFire API. In order to retrieve file hash (along with other WildFire forensics details), you can use the WildFire logs on the device and turn into WildFire API queries. We recently added a new WildFire API method used to query based on device id (S/N) and report ID in the WildFire reports (labeled as threat ID or "tid"). A demonstration of the API query as a CURL command is provided below: curl -i -k -F device_id=[SERIAL NUMBER] -F report_id=[TID FROM LOG] -F format=xml https://wildfire.paloaltonetworks.com/publicapi/report WildFire logs can be exported to provide this information using log export or log forwarding. The full API manual (not including the above new method) is available at: https://wildfire.paloaltonetworks.com/Wildfire/Home/APIProgrammingGuide . Documentation will be updated soon to include this new API method.
... View more
03-13-2013
03:39 PM
4 Kudos
Hi Johan, Looks like you've had some fun taking a look at WildFire's detection logic. I wanted to take the opportunity to address some of your findings just to clarify some of the items presented: 1. Your first three tests use custom binaries that open reverse shells as the "malicious behavior". Opening a reverse shell that never connects to bind to a shell is not something that can really be used to detect malware. If you start a reverse shell without successfully binding, all it really looks like is an attempted TCP connection. Since all we see in the sandbox is a failed TCP connection, there is nothing useful here to call the sample malware. Furthermore, the IP address chosen by your application is in private address space. Calling programs malware when all they do is open a TCP socket on private address space would quickly lead to problems. 2. If your sample were to perform a reverse shell to an external IP and actually bind to a server listening for the shell, the Palo Alto Networks IPS would have caught that reverse shell and triggered a critical reverse shell alert. If you are blocking on IPS signatures, this shell would have also been blocked, preventing the interactive session from taking place. 3. In the final test, you take malware (which was confirmed as malware by WildFire), run it through pescrambler, and run it through WildFire again to see if we can detect it as malware. The test comes back benign, and you'll notice that one of the behaviors observed is that the sample crashed when loaded. This is because pescrambler corrupted the EXE making it unloadable. In fact if you run it in your own environment, it crashes immediately. The pescrambler tool looks like it hasn't been updated in some time, and in fact has an open issue (https://code.google.com/p/pescrambler/issues/detail?id=1) describing the fact that it corrupts EXEs. Given that the sample doesn't successfully run, I wouldn't call this a false negative. In fact, any static file obfuscator like pescrambler is more useful in evading AV signatures, and not in evading dynamic sandbox-based analysis tools like WildFire. Scrambling a PE file causes the file image to change, but once it's running, WildFire doesn't care whether the file was scrambled or not. WildFire is looking at the runtime behaviors of the sample as it runs in the sandbox, regardless of how the PE file was obfuscated. Having said all that, WildFire will never catch 100% but it is a valuable addition to our threat prevention technology stack in catching malware that evades the other layers of defense. If you have any other findings you would like to bring to our attention, please let us know or you can also reach out to me directly. Thanks, Taylor Ettema Product Manager, Threat Prevention
... View more
01-28-2013
11:14 AM
1 Kudo
Hi all, We have identified an issue with this signature and will be correcting the issue in the next content update on Feb 5th.
... View more
12-13-2012
02:27 PM
Hello, I would suggest you look for /jwplayer/player.swf in the http-req-uri and a length of greater than 0 for the http-req-param-length.
... View more
10-29-2012
05:31 PM
Hi David, I would suggest the following: Signature 1: Match "/ajax_modal/modal/data.asp" in http-req-uri-path, and "&state=" in http-req-params Signature 2: Match "User-Agent\x3A\x you \x0D 0A\x" in http-req-headers.
... View more
08-30-2012
11:38 AM
1 Kudo
The signature matching engine requires that each pattern have a 7-byte (consecutive) static string somewhere in the pattern.
... View more
08-20-2012
10:40 AM
1 Kudo
Three signatures are releasing in today's AV release (818) to cover them. Trojan/Win32.mdrop.asq, Trojan/Win32.erasembr.a and Trojan/Win32.erasembr.c
... View more
08-14-2012
01:11 PM
Hi Manfred, I'd like to understand the test setup a little more. Anything the firewall blocks should be blocked consistently. If you are using a browser, it is possible that the browser is caching data and reserving it to you. Are you using a block action or a continue action in your AV profile? Which ones specifically are you seeing this behavior with, and can you describe the sequence of actions in detail?
... View more
06-08-2012
10:00 AM
3 Kudos
Hi Geert, As of PAN-OS 4.0.0, we use OpenSLL 0.9.8p, which is not affected by this vulnerability. The Qualys scan cannot confirm the vulnerability exists, so it states it just to be thorough.
... View more
04-27-2012
01:46 PM
Please see our recently published tech note on this topic at https://live.paloaltonetworks.com/docs/DOC-2880
... View more
04-12-2012
11:52 AM
We have coverage on two fronts for this malware. First, we have coverage for the 2 CVEs this has been known to use (CVE-2011-3544 and more recently CVE-2012-0507). Coverage for these exploits have been included in content 300 and updated in 302. These have also been patched by Apple Software Update for clients that are up-to-date. Second, we will be releasing a command-and-control signature (13157) for the Flashback C&C network traffic in this Tuesday's content update, to detect already infected hosts on the network.
... View more
03-23-2012
11:09 AM
Hi Kalyan, Please open a support ticket so we can look into this and get it resolved for you.
... View more
03-19-2012
10:22 AM
Hi Tomohiro, This signature is looking for use of double- and triple-encoded data within PDFs. This is a commen evasion technique that malicious PDFs use to hide their malicious payload. However, legimate PDFs can sometimes use double- (and perhaps triple-) encoded data as well, and so this signature is rated as "informational". In fact, some PDF reports generated by the Palo Alto Networks firewalls can trigger this informational signature. This signature, just like any other informational signature, is not the highest priority and should not necessarily trigger immediate alarm, however keeping an eye on instances of this alert for PDFs from untrusted sources is a good idea.
... View more
02-29-2012
05:21 PM
Thanks for your feedback on WildFire, we're glad it's useful. Regarding your sample, we looked into it and determined that it was mistakenly labeled as malware because it was analyzed before we added Dell to our list of trusted authors. The sample you submitted did many suspicious looking things, which can be perfectly legitimate for the type of application that it was. The issue was corrected, and future submissions from Dell should not run into this issue. To answer your other questions, yes, the file is delivered to the host without any interruption the first time it is seen. It is analyzed by WildFire, and a forensics report along with a verdict is made available in the WildFire web portal. You can use the data in the report to identify the affected host, check host-based AV coverage status, verify infection, and perform remediation, if needed. If WildFire determines the sample to be malware, an AV signature is automatically generated and included in the next daily AV update, so future instances can be blocked at the firewall.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks