Help me to understand log file (with virus)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Help me to understand log file (with virus)

L4 Transporter

Hello

Today I noticed that my friend was (or try) downloaded file that has a virus.

So I stared small investigation what was happend. I downloaded the same file from same location again.

The log from Thread Log looks like:

2014-05-23_175506.png

I was unable to download this file becasue I got a message that this file has a virus (browser was redirected) - thats OK.

Could someone explain me why in red frame we have two entries with forward, next deny and finally allow?

how should I understand this entries?


With regards

Slawek

1 accepted solution

Accepted Solutions

L7 Applicator

Hello SLV,

I have analyzed the screenshot here and please find below my findings:

2014-05-23_175506.png

> If you see the GREEN box, it's showing log type. First 3 are showing as "threat" and the 4th one showing as "traffic". First 3 log generated by the profiles configured on this FW ( including "antivirus" and "file blocking")

>For the first 2 entries, action is "forward". It means, you have a file blocking profile configured on this firewall and action set as "forward". ( Most probably, you  have WILDFIRE subscription on this firewall and sending the MD5/SHA256 hash value to the cloud). So, the first 2 log entries have been generated by file blocking profile.

> The 3rd log entries have been generated by your "antivirus" profile configured on this FW.  The signature of the file actually matched with an existing signature in ANTIVIRUS database and the PAN FW successfully blocked it . That's why "action" is showing as "deny".

> 4th log entries are generated from the "security policy". Even though the file has been identified as a VIRUS by "antivirus profile" and blocked it successfully, but the action of that "security policy" was "allow". That is the reason, Action is showing as "allow".  ( Byte count is including TCP 3-way handshake and HTTP GET request etc)

> I hope you have enabled logging "Log at Session End" into that security policy "Lan_A NAT-monitoring". That is why, time stamp is showing 17:51 ( inside the BLACK box) rather the file identified by profile at 17:49. Normally, security polcy will take few more minute to generate the logs.

I hope the above mentioned explanation will help you to understand the log file.

Thanks

View solution in original post

3 REPLIES 3

L7 Applicator

Hello SLV,

I have analyzed the screenshot here and please find below my findings:

2014-05-23_175506.png

> If you see the GREEN box, it's showing log type. First 3 are showing as "threat" and the 4th one showing as "traffic". First 3 log generated by the profiles configured on this FW ( including "antivirus" and "file blocking")

>For the first 2 entries, action is "forward". It means, you have a file blocking profile configured on this firewall and action set as "forward". ( Most probably, you  have WILDFIRE subscription on this firewall and sending the MD5/SHA256 hash value to the cloud). So, the first 2 log entries have been generated by file blocking profile.

> The 3rd log entries have been generated by your "antivirus" profile configured on this FW.  The signature of the file actually matched with an existing signature in ANTIVIRUS database and the PAN FW successfully blocked it . That's why "action" is showing as "deny".

> 4th log entries are generated from the "security policy". Even though the file has been identified as a VIRUS by "antivirus profile" and blocked it successfully, but the action of that "security policy" was "allow". That is the reason, Action is showing as "allow".  ( Byte count is including TCP 3-way handshake and HTTP GET request etc)

> I hope you have enabled logging "Log at Session End" into that security policy "Lan_A NAT-monitoring". That is why, time stamp is showing 17:51 ( inside the BLACK box) rather the file identified by profile at 17:49. Normally, security polcy will take few more minute to generate the logs.

I hope the above mentioned explanation will help you to understand the log file.

Thanks

L4 Transporter

Hello Hulk

Thank You so much for very detailed explanations!

Now I understand clearly what has happened. Indeed I have WildFire subscriptions, so You're guess correctly.

I'm learning from community and tech docs, so this is a reason why I asked for such simple problem. Do You know is PA have special offers (with big discounts) for e-learning traninings or exams?

Maybe someone could share vouchers for it?

With regards

Slawek

Hello Slawek,

I am not sure about the discountsSmiley Happy , but you can send an email to education@paloaltonetworks.com. They might give you the options, if available.

Thanks

  • 1 accepted solution
  • 3360 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!