About bvandivier

bvandivier · ‎10-26-2018

In the interest of full discosure and as an employee of Palo Alto Networks I cannot endorse any specific third party product(s). I do have experience using multiple open source and proprietary tools but will defer to others to comment on which specific tools they recommend or prefer.

bvandivier · ‎10-18-2018

iPerf, Ostinato, Hping, and many others are available as open source traffic generators.

bvandivier · ‎09-24-2018

This is expected behavior and by design. Informational - the threat (file) was blocked by a Wildfire-virus signature and therefore the firewall alerts the admin at an informational level because the threat was mitigated. High - the threat (file) was passed by the firewall and not blocked by a Wildfire-virus or Antivirus signature. This could be due to the configuration or due to the fact that a virus signature to detect and block the file does not exist. You can derive additional context by also reviewing the corresponding Threat logs relevant to the two Wildfire log entries in your screenshot.

bvandivier · ‎09-14-2018

Hello Jim, I believe the following documentation should address your concerns. https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/external-dynamic-list.html https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/use-an-external-dynamic-list-in-policy Note that EDLs support three types: IP Address, URL, and Domain I believe in your situation you would want to use a URL type EDL in a security policy rule. Otherwise, a second option would be to create an address object group which contains multiple FQDN address objects.

bvandivier · ‎08-31-2018

Hello Steve, I'm sorry to hear about the issues you've been having. Please open a case with our support team. We can then report these issues to our URL Filtering Team internally and work with them to address your concerns.

bvandivier · ‎08-28-2018

Ash83, we have the following Antivirus decoders (see picture below). If a security policy rule is not permitting http, smtp, imap, pop3, ftp, or smb traffic then there is no value in inspecting traffic using an Antivirus decoder. You've pretty much answered your own question. There is no harm in applying an AV Security Profile to a security policy rule that is not processing http, smtp, imap, pop3, ftp, or smb traffic as the decoder will never engage to inspect traffic if the traffic does not match one of these applications.

bvandivier · ‎06-27-2018

Hello, t his forum exists as a place to submit verdict review requests for False Positive verdicts for Palo Alto Networks (Known Signatures) seen on VirusTotal. I recommend posting your question within the General forum (Live > Discussions > General Topics) which can be accessed via the following link. https://live.paloaltonetworks.com/t5/General-Topics/bd-p/members_discuss

bvandivier · ‎02-25-2018

Please note that a minimum of 24 hours was specified. "Please allow at least 24 hours for our analysts to review this file and confirm if a verdict change is appropriate." Your sample is in queue and will be processed in the order that it was received. We do not guarantee an SLA for verdict change requests which are submitted outside of a support case. We do appreciate your patience and our analysts will process the sample you have submitted as soon as possible. Thank you for understanding.

bvandivier · ‎02-20-2018

We have not blacklisted cts.vresp.com. URL cts.vresp.com Category Business and Economy Description Marketing, management, economics, and sites relating to entrepreneurship or running a business. Example Sites www.bothsidesofthetable.com/ , www.ogilvy.com , www.geisheker.com/ , www.imageworksstudio.com/ , www.linearcreative.com/ Additional comments Includes advertising and marketing firms. Should not include corporate websites as they should be categorized with their technology. Also shipping sites, such as fedex.com and ups.com. I suggest opening a support case with our TAC for deeper analysis of your issue. Kind regards.

bvandivier · ‎02-20-2018

Wildfire can perform e-mail link following for analysis purposes if the firewall is configured to detect e-mail links within SMTP sessions. If there was an e-mail campaign and Wildfire picked up the links within these e-mails for analysis it may have followed those links (clicked them) thereby resulting in unsubscription. Without additional data I am only speculating at this point.

bvandivier · ‎02-20-2018

You can test URL categorization at the following site/link: https://urlfiltering.paloaltonetworks.com/

bvandivier · ‎02-16-2018

This is possible if your firewall is performing Wildfire inspection of email links. https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/How-does-WildFire-handle-links-within-emails/ta-p/72628 If the Wildfire Cloud receives e-mail links for analysis it will reach out and attempt to analyze the link and the content presented by cicking that link.

bvandivier · ‎02-15-2018

Note that the Threat Vault entries are not current meaning the associated Threat IDs have been retired. Name: Virus/Win32.WGeneric.pgmrm Unique Threat ID: 193628526 Create Time: 2018-01-14 03:34:36 (UTC) Threat ID: n/a <======= Current Release: n/a <======= First Release: 2493 (2018-01-15 UTC) Name: Virus/Win32.WGeneric.pgmrm Unique Threat ID: 193628526 Create Time: 2018-01-14 03:34:36 (UTC) Threat ID: n/a <======= Current Release: n/a <======= First Release: 209295 (2018-01-14 UTC)

bvandivier · ‎02-15-2018

Both samples were update to "benign" as of 9:43 CST this morning. Please allow some time for this change to be reflected on virustotal.com.

bvandivier · ‎02-15-2018

Understood, in which case Zone Protection and/or DoS Protection would be the appropriate features to leverage.

bvandivier · ‎02-14-2018

Some Threat IDs such as Brute Force related signatures do block based on time attributes. Multiple examples are listed in the following article. https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/Brute-Force-Signature-and-Related-Trigger-Conditions/ta-p/52284 Also, the Reconnaisance Protection section of a Zone Protection profile can enforce blocking based on scan activity as can DoS Protection as well. More info can be found here. https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085

bvandivier · ‎02-14-2018

Both files have been queued for review. Please allow us 24 to 48 hours to process these samples.

bvandivier · ‎02-09-2018

Assuming you will be doing this locally on your firewall (not Panorama) the steps are somewhat straightforward. There are several community articles and videos on the subject. Of course, you will also need to enable logging on the relevant security policy rules as well before you will have any log data to run reports against. https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Custom-Reports/ta-p/69951 https://live.paloaltonetworks.com/t5/Management-Articles/Create-a-Custom-Report/ta-p/55143 https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-and-Schedule-a-Custom-Report/ta-p/57442 You'll want to build something similar to the example report below but you will need to play with it until you're capturing exactly what you'd like. Please be sure to include a query to match on the relevant security policy rules. Here are the set commands from my example report: set shared reports IPBL-Report type traffic sortby repeatcnt set shared reports IPBL-Report type traffic group-by day-of-receive_time set shared reports IPBL-Report type traffic aggregate-by [ rule from src sport srcloc to dst dport dstloc action ] set shared reports IPBL-Report type traffic values repeatcnt set shared reports IPBL-Report period last-24-hrs set shared reports IPBL-Report topn 100 set shared reports IPBL-Report topm 50 set shared reports IPBL-Report caption IPBL-Report set shared reports IPBL-Report query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')" set shared reports IPBL-Report description "PAN Dynamic IP Lists" And the XML: reports { IPBL-Report { type { traffic { sortby repeatcnt; group-by day-of-receive_time; aggregate-by [ rule from src sport srcloc to dst dport dstloc action]; values repeatcnt; } } period last-24-hrs; topn 100; topm 50; caption IPBL-Report; query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')"; description "PAN Dynamic IP Lists"; } }

bvandivier · ‎02-07-2018

Our recommendations are detailed in the PAN-OS 8.0 new feature guide. https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content-inspection-features/palo-alto-networks-malicious-ip-address-feeds#id254cbc8e-9c61-42f6-a0f1-91bd2c8f74f9

bvandivier · ‎02-07-2018

Hello Anthony, simply applying a Threat Prevention license will not enable Threat features globally or otherwise. It is still necessary to configure these features on a per zone or per policy basis. Our best practices documentation can walk you through this proces. https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Threat-Prevention-Deployment-Tech-Note/ta-p/53157

bvandivier · ‎02-07-2018

There is no record of our product flagging this file as malicious on virustotal.com. No AV signatures exist for this file and Wildfire analysis categorizes this file as benign. If you are having issues downloading this file through a Palo Alto Networks firewall please open a support case. The VirusTotal forum is solely intended for non-customers to report false positive or verdict related issues based on samples reflected within virustotal.com. Thank you.

bvandivier · ‎02-07-2018

This latest sample has been submitted for analysis and possible verdict change. Given that this PC cleaning software is classified as a PUP it is likely the verdict will be changed to grayware. Also, given that this particular forum thread has already been marked as "solved", please start a new thread when reporting future false positives or verdict change requests. Thank you.

bvandivier · ‎02-06-2018

Hello, this sample was flipped to benign on 2018-02-06 at 16:07. Threat ID Win32.WGeneric.pmlqw has also been disabled. Thank you for your patience.

bvandivier · ‎02-06-2018

While we do not disclose the specific logic our IPS signatures utilize due to the fact that this is considered proprietary information, I can say that our IPS signatures are used to detect instances wherein someone has weaponized a Meltdown or Spectre attack using malicious javascript or something similar.

bvandivier · ‎02-05-2018

Hello, please see answers in line. 1) The DNS list comes out daily and the IP lists come out daily - is there any overlap or is this IP list specifically only the things out there that do not have a DNS or Domain Name. A: There should not be overlap between DNS signatures and IP lists. DNS signatures are part of the daily Antivirus content releases. You can review a list of new Spyware DNS C2 signatures by reviewing the release notes either from your firewall via Device > Dynamic Updates > Antirivus > release notes or via our Threat Vault @ https://threatvault.paloaltonetworks.com. You may also access release notes from the Dynamic Updates section of https://support.paloaltonetworks.com. 2) What are the High Risk IP Address List ? I see the note on the description is that just a IP addresses from other lists that are not in your Malicious list. I am trying to decide if it should be blocked. We will assume the Known Malicious IP Addresses are bad and block those. A: https://live.paloaltonetworks.com/t5/Featured-Articles/PAN-OS-8-0-IP-Block-List-Feeds/ta-p/129616 Palo Alto Networks - High-risk IP addresses: This list includes IP addresses that have recently been featured in threat activity advisories distributed by high-trust organizations; however Palo Alto Networks does not have direct evidence of maliciousness. Is there a good detailed list of links I can look at for DNS ( AV and Wildfire) as well as the IP lists? A: I recommend using content (AV and Wildfire) release notes as well as our Threat Vault as previously mentioned. The IP lists can be viewed from your device using the commands previously discussed in this thread.

bvandivier · ‎02-05-2018

Hello, we have submitted this file for manual analysis and potential verdict change to benign. Please allow us 24 to 48 hours to process this sample. Thank you.

bvandivier · ‎02-02-2018

The MD5s are different and both come up clean. The second SHA256 hash you have referenced in both of your posts are the same.

bvandivier · ‎02-02-2018

We have submitted this file for analysis and a possible verdict change. Please allow our analysts 24 to 48 hours to process this request. Also, both files posted in your threads ( ContentExplorer Applet & Desktop ContentExplorer Web Start application) appear to have the same hash. Please provide clarification if necessary.

bvandivier · ‎02-02-2018

We have submitted this file for analysis and a possible verdict change. Please allow our analysts 24 to 48 hours to process this request. Also, both files posted in your threads ( ContentExplorer Applet & Desktop ContentExplorer Web Start application) appear to have the same hash. Please provide clarification if necessary.

bvandivier · ‎02-02-2018

Q: I can get a list of the IPs on the dynamic list by running these two commands from the cli: request system external-list show type predefined-ip name panw-highrisk-ip-list request system external-list show type predefined-ip name panw-known-ip-list A: Yes, you can. You can also click on each list within the WebUI from Objects > External Dynamic Lists > List Entries and Exceptions to view list entries. Q: is there a way to get a list of the URLs/IPS being blocked by the other PA policies? A: If by "other PA policies" you are referring to URLs/IPs blocked by other features such as AV DNS signatures, etc there is no single aggregated list. Your best resource would be the Threat Vault @ https://threatvault.paloaltonetworks.com/

Date Registered	‎10-11-2010 11:21 AM
Date Last Visited	‎09-24-2019 09:27 PM
Total Messages Posted	261
Total Likes Received	38

Online Status	Offline
Date Last Visited	‎09-24-2019 09:27 PM

Strata

Prisma

Cortex

About bvandivier