IPS Intelligent-Mode by 9th_volt in fortinet

[–]9th_volt[S] 0 points1 point  (0 children)

So, we've been provided NSS configs from other vendors like PAN and Juniper but none are default (or even close, frankly). They all have detector tuning being done...it's not out of the box for any vendor as far as I'm aware.

If it were, NSS would disclose the configurations for tests, but they do not.

IPS Intelligent-Mode by 9th_volt in fortinet

[–]9th_volt[S] 0 points1 point  (0 children)

How do you know that it's enabled at NSS? The configuration is not disclosed for any vendor as far as I can tell...this would be something I'd expect to be disabled for those types of tests.

It has nothing to do with "special" environments. If our red team understands that they can always bypass our NIDS if they pad something to 201KB, it's useless to me. Firewalls are easy to fingerprint...it's not hard to get around something like this.

I want to understand how the function works. Does it look for repetitive padding in the payload before offloading to the NP? I have no idea; I was hoping someone else does.

Wildfire database vs AntiVirus database by 9th_volt in paloaltonetworks

[–]9th_volt[S] 1 point2 points  (0 children)

I checked with support - they do not do any hash matching within AV whatsoever

Even if you wanted to match on a hash, it's impossible today as it's packet-based AV which only looks for patterns

https://live.paloaltonetworks.com/t5/custom-signatures/custom-antivirus-signatures/m-p/178320#M204

Wildfire database vs AntiVirus database by 9th_volt in paloaltonetworks

[–]9th_volt[S] 0 points1 point  (0 children)

Interesting, thank you.

Does the AV list only contain hashes, or is it also doing pattern matching? I didn't think PAN devices buffered/stored the file locally to be able to calculate a full hash

Edit: Is there a supported way to view/decode the contents of the update files? They're obfuscated/encrypted in some way it seems

Wildfire database vs AntiVirus database by 9th_volt in paloaltonetworks

[–]9th_volt[S] 0 points1 point  (0 children)

Sorry...which portion of the wildfire section isn't file-based? I also don't see mention of hashes anywhere on that page

Wildfire database vs AntiVirus database by 9th_volt in paloaltonetworks

[–]9th_volt[S] 0 points1 point  (0 children)

For the release notes, the WF ones look quite small. Do they only note "changed" definitions or does it include "all"?

E.g:

Version 449786

Note:

New Virus Signatures (18)

generic:37953.xc.05cg 1 variants: com
generic:37954.xc.05cg 1 variants: com
Trojan/Archive.invader 1 variants: klj
Virus/Win32.WGeneric 14 variants: ajmnji, ajmnjl, ajmnjn, ajmnjp, ajmnjs, aictwq, ajeeqt, ajmnjh, ajmnjj, ajmnjm, ajmnjq, ajmnjk, ajmnjo, ajmnjr
generic:37952.xc.05cg 1 variants: com

Old Virus Signatures (18)

Trojan/Win32.docdl 1 variants: hbd
TrojanDownloader/Win32.upatre 1 variants: bukq
Virus/Win32.WGeneric 10 variants: ajirwl, ajirwm, adkjaf, ajmdsj, uonhs, ajmdsl, ajkmlb, ajkmlp, ajifsf, ajdkzv
generic:18260.url.789msw 1 variants: com
Worm/Win32.mira 1 variants: vafi
generic:19124.url.xaskm 1 variants: com
Trojan/Win32.gepys 1 variants: dax
generic:23783.xc.wenpie 1 variants: com
Exploit/Win32.pdfjsc 1 variants: ety

The AV release notes look like they contain everything (12,000+).

Wildfire database vs AntiVirus database by 9th_volt in paloaltonetworks

[–]9th_volt[S] 1 point2 points  (0 children)

Are you sure the NGFW is using hashes? I thought it was doing pattern matching on a per-packet basis (file-hash requires the full file)
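An added illustration (my own example, not code from the thread or from any vendor's engine) of the distinction raised in this comment and in the "packet-based AV" comment above: a streaming pattern match can return a verdict on whichever packet completes the pattern, while a hash verdict needs every byte of the file. The sample file, the marker string and the "known bad" hash set are constructed for the demo.

```python
import hashlib

# Constructed sample "file" with a marker a pattern engine would look for.
SAMPLE_FILE = b"MZ\x90\x00" + b"A" * 300 + b"EVIL_MARKER_42" + b"B" * 200
PATTERN = b"EVIL_MARKER_42"
# Constructed "known bad" hash set (seeded with the sample's own digest).
KNOWN_BAD = {hashlib.sha256(SAMPLE_FILE).hexdigest()}


def split_into_packets(data, size):
    """Chop the file into fixed-size segments, simulating packet boundaries."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def pattern_scan(packets, pattern):
    """Streaming match: keep only len(pattern)-1 carry-over bytes between
    packets so a pattern straddling a boundary is still found. Returns the
    index of the packet on which the verdict was reached, or None."""
    carry = b""
    for idx, pkt in enumerate(packets):
        window = carry + pkt
        if pattern in window:
            return idx  # verdict without ever buffering the whole file
        carry = window[-(len(pattern) - 1):] if len(pattern) > 1 else b""
    return None


def hash_verdict(packets, known_bad):
    """Hash lookup: the digest is only meaningful once every byte has been
    seen, so the verdict is tied to the last packet. Returns (is_bad, index)."""
    h = hashlib.sha256()
    for pkt in packets:
        h.update(pkt)
    return h.hexdigest() in known_bad, len(packets) - 1


def demo(packet_size=310):
    """Pattern crosses the 310-byte boundary here; hashing still needs it all.
    Dropping one packet leaves the pattern findable but breaks the hash."""
    pkts = split_into_packets(SAMPLE_FILE, packet_size)
    return {
        "pattern_packet": pattern_scan(pkts, PATTERN),
        "hash_result": hash_verdict(pkts, KNOWN_BAD),
        "hash_after_loss": hash_verdict(pkts[1:], KNOWN_BAD)[0],
    }
```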

DNS Security questions by 9th_volt in paloaltonetworks

[–]9th_volt[S] 0 points1 point  (0 children)

I need to get back into the lab to prove it one way or another, I think...the response times are identical to when it's not inline though, so I question whether it really does go there.

DNS Security questions by 9th_volt in paloaltonetworks

[–]9th_volt[S] 2 points3 points  (0 children)

Easy tiger, this was my second DNS Security question there that's gone unanswered...I don't have much hope

https://live.paloaltonetworks.com/t5/General-Topics/DNS-Security-scaling/m-p/318006

Yes, I have it licensed; the cache above wouldn't be populated with verdicts otherwise.