Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About mmoshiri
About mmoshiri
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
02-27-2017
7Posts
3Likes
1Solution
Feb 27, 2017Last Visited
User
Activity
User
Profile
Latest posts by mmoshiri
| Subject | Views | Posted |
|---|---|---|
| 1582 | 02-27-2017 10:39 AM | |
| 1948 | 01-26-2017 11:13 AM | |
| 1719 | 01-13-2017 08:29 AM | |
| 1412 | 01-13-2017 08:25 AM | |
| 4052 | 12-14-2016 12:28 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 01-13-2017 08:25 AM | |
| 2 | 01-13-2017 08:29 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 18 |
User Badges
Public Statistics
| Date Registered | 07-14-2016 10:24 AM |
| Date Last Visited | 02-27-2017 04:04 PM |
| Total Messages Posted | 7 |
| Total Likes Received | 3 |
02-27-2017
10:39 AM
Hi Ari, You are correct... this isn't the best forum to discuss the issue you're encountering. The best place to post this request (and report the issue) is in the Traps Beta forum. Also, when you repost your request there, please be sure to indicate if the dbkextd process you're referencing is actually malicious or not. From your ESM screenshot, it looks to me that WF has identified it as malicious. But your description makes it sound like it might not be ("... what updating Dropbox looks like... ").
... View more
01-26-2017
11:13 AM
I suspect whitelisting ccmexec.exe won't achieve the goal you have in mind. That will allow that particular application to run, but depending on your policies (execution restrictions), Traps may block the execution from Temp folders. Ultimately, you are looking to whitelist the corporate apps that will be running, not ccmexed.exe, right? Here are a few of suggestions: If these apps don't change often, whitelist their hashes by adding an Admin Override Policy (in the Hash Control table) for each application. That will allow them to run anywhere in the environment. If it is possible to control which folder these apps are executed in when they are downloaded, I would choose a specific folder (other than C:\Temp and other "standard" temp directories) and whitelist the folder as well (in Execution Restrictions). If these apps change often, run them on a Traps-protected machine (anywhere in your environment) before distributing them. That way, you can ensure that if they are blocked by Traps for whatever reason (and are presumably quarantined), your admins can restore the apps and thereby whitelisting them across the environment. Keep in mind that the Execution Restrictions are always checked, regardless of which other malware prevention methods are invoked. So be sure to verify these restrictions match what you're looking to set up.
... View more
01-13-2017
08:29 AM
2 Kudos
Hi Jonathan, There is definitely a way to do that. In the ESM Policies tab, select any of the default rules, then use the menu drop-down to select Show Default Rules. This will show you a list of all the default rules. Then you can click on each one of them to see their settings. What was your second question?
... View more
01-13-2017
08:25 AM
1 Kudo
Hi Tim, Traps can actually relay its logs via syslog protocol to any SIEM that can ingest the data. Look under the Settings tab of the ESM, then click on the Syslog item in the list. . The Panorama integration is something our teams are working on. I don't have much information on that to share at the moment...
... View more
12-14-2016
12:28 PM
Oh yes... you did say that. My mistake... so you're on the right track.
... View more
12-14-2016
12:01 PM
Hi Jimmy, Thanks for the question. Traps does not load exploit samples to WildFire (the way our NGFWs can/do). The exploit prevention capabilities of Traps (EPMs) are injected into each process as it starts (Word, in this case) and detect and block expoitation attempts on the spot. If Traps identified a Word doc as the source of an exploitation attempt, it is safe to assume that it is a weaponized file... or one that was manipulated in some way that triggered an EPM. The record of the exploitation prevention in the ESM backend will tell you what EPM was triggered. And it will give you some additional information about the event as well.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-27-2017
04:04 PM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
