Episode Transcript:
John:
Hello Everyone,
Welcome to another episode of PANCast. In episode 5 we discussed why logs are your best friend, the troubleshooting approach and the importance when it comes to debugging firewall issues. Today we look at threat logs and we have a guest, Faiz Azmi, who is part of the Threat Support team. Faiz will give us insights into threat logs. Welcome Faiz.
Faiz Azmi is a Staff Cybersecurity Specialist at Palo Alto Networks part of Global Customer Services Support team, Singapore. SME in supporting and assisting our customers in Threat and Wildfire related cases. He is passionate about learning and certified with CISSP, CISM, GCIH, GXPN and GREMFaiz:
Thank you for having me, John. Appreciate the introduction. Let's start off with our day to day task. Normally, we exchange information over the internet or internally amongst our peers. We download or upload files such as PE (Portable Executables), Microsoft Office, PDF documents and so on. At most, we attach files via email or have some experience with transfer protocols such as FTP or SMB.
Sometimes, malicious email can look legitimate which makes it difficult to differentiate and it increases the likelihood that someone will fall victim to a cyber attack.
Palo Alto Networks NGFWs can prevent vulnerable systems with its Anti-Spyware and Vulnerability Protection profile. Furthermore, Antivirus and Wildfire features have the capability to protect users from downloading malwares, viruses and trojans. With all the available features, it is important that the firewall logs all the necessary events.
John:
In this episode, we will be discussing Antivirus logs in particular. I have had some experience before when troubleshooting Strata cases, I've seen that there are 3 types of antivirus logs. Can you explain these please?
Faiz:
Yes, you are right, there are 3 types when navigating the threat logs. One being the “virus” type, second being the “wildfire-virus” and lastly is the “ml-virus". The “virus” type signature is the Antivirus Signatures that are available in the Content Updates package. Once it is downloaded and installed on the firewall, it will block any sample that matches the signature.
Our antivirus package is constantly updated. It will not only include the newly discovered malwares but also replace the old signatures. For example, malicious samples that have been quite some time since it was last uploaded to the Wildfire by our customers, would be rotated out from the content package. The reason being is because the Firewall Dataplane can only hold a limited number of signatures.
Basically, starting from PAN-OS 10.0 and with WildFire subscription, Firewalls can retrieve the latest WildFire signatures in real-time, as soon as they become available. Otherwise, signatures for newly discovered malware are generated and distributed every 5 minutes which Firewall can retrieve and install these signatures every minute.
If you do not have a WildFire license, signatures are made available within 24 to 48 hours as part of our Antivirus Content Updates as long as you have an active Threat Prevention license.
In the Release Notes, you will see the newly introduced signatures listed under the “New” category whereas the replaced signatures are listed under the “Old” category.
John:
That is useful; we can always refer back to the Release Notes for verification. Can you elaborate more on how users are protected when the signatures are no longer available. What does it mean when the signature is in “replaced” status?
Faiz:
That's a great question. Well, it can mean 2 things. One, it’s either that the signature has been disabled meaning that it is no longer valid. Either due to False Positives or the verdict has been flipped from malware to benign on the Wildfire side.
The second reason would be that it's currently marked or identified as malware by WildFire but no longer available in the Antivirus Content Updates that is currently installed on the firewall. You would see the logs showing as “wildfire-virus” type which indicates that the signatures are retrieved from the cloud.
Let me repeat, WildFire signatures allow our customers to retrieve the signatures as soon as they are generated, that is in real-time or as early as every 5 minutes depending on the PAN-OS version.
John:
When I see “ml-virus” in the threat logs, that is referring to “WildFire Inline ML”, right? How is this different from the previous 2 types we talked about earlier?
Faiz:
Yes, "ml-virus" refers to WildFire Inline ML. In a nutshell, it offers protection in real time. It detects malicious files dynamically and it evaluates through machine learning on the supported file type. Each inline ML model evaluates the file details, decoder fields and patterns of the file; eventually formulate a high probability classification of the file.
Under the WildFire Analysis profile, if you configure the file types analyzed by WildFire inline ML to be forwarded to cloud for inspection, the false-positives are automatically corrected as they are being received. It's important that any False Positives can be learned by ML, eventually corrected and reduced over time.
If you continue to see "ml-virus" alerts for files that have been classified as benign by WildFire , do contact Palo Alto Networks Support.
John:
Given a scenario whereby I see a lot of threat logs and based on your explanation, I have now identified it is somewhat related to AV signatures, but what should I do next?
Faiz:
I am glad you brought it up. Our Antivirus signature is based on a byte pattern (or strings) that is generated from the malicious sample analyzed by WildFire. ThreatVault would be the best place to start as the information related to the signature available to the public. You may search for the Unique Threat ID, you should see the SHA256 hash of the associated malware sample. With that information, you can compare the hash listed on ThreatVault with the AV log you are observing from the firewall.
Now with that information, you can verify if the file you are downloading/transmitting is listed in the ThreatVault as one of the hashes.
If YES, review the Threat log and verify the corresponding traffic. Verify the user-id, source and destination IP address, check the protocol to have better understanding if this is an expected traffic or not. This should determine the next plan of action.
John:
Ok, let's say that once I have checked the ThreatVault, the hash matches and after further investigation on the threat log, it’ s determined that someone in the organization accidentally
Faiz:
Yes, This is a True Positive, the threat logs would indicate that such a sample is being blocked. Now that you have identified that it wasn't intentional, perhaps further awareness training would help to avoid this from happening again in the future.
John:
How about if it's a False positive, when it's unexpected and the file is considered to be trusted and should be allowed?
Faiz:
OK, if the file has a malware verdict by Wildfire and you need to allow it urgently, you can set an exception on the Antivirus profile to allow the trusted file.
At the same time, you may request for the file to be re-evaluated, you submit the verdict change request via WildFire. Either you do it from the WebUI or directly on the WildFire portal. On the Firewall WebUI, there should be a “Report Incorrect Verdict” button where you can submit under the WildFire submission log.
Alternatively, you may log into the WildFire Portal and submit a Verdict Change Request for the specific sample. These can be done without opening a Support Ticket.
John:
OK, these are True Positives and False Positive scenarios. How about when the hashes listed in the ThreatVault are not matching the file I am transmitting, what does that exactly mean?
Faiz:
This is a classic case of a Signature Collision where the Signature Bytes Pattern generated for the benign file you are transmitting matches with an actual malware associated with the signature.
Now, you may need to assess the risk and validate further:
If you need to allow the file urgently, you may set an exception on the Antivirus profile. This will allow you to download the file specifically in your environment.
If it’s affecting a lot of users, you may open a Support Ticket with Palo Alto Networks to request for the signature to be re-evaluated and potentially disabled. Do take note, it will take at least 24 to 48 hours for the new Dynamic Content Updates to be available with the replaced signature. If it is important to you, setting an exception is always recommended.
John:
Great information, thank you Faiz. So to wrap up, what are the key takeaways?
Faiz:
Let's break it down to 3 key takeaways. Identify, Investigate and Intervene.
John:
Thanks again Faiz, that was a very informative session. PANCasters, as always for more information related to PANCast, the written transcript and referenced links head to live.paloaltonetworks.com.
Make sure to subscribe and stay tuned as we will have Faiz back in the near future to discuss other types of threat logs.
Bye for now.
Check out the full PANCast YouTube playlist: PANCast: Insights for Your Cybersecurity Journey.
Related Content:
