Dr Web Antivirus
Ovidio Neufville
Hi all, i'm currently testing some features of our PA-500, i've activated the antivirus policies and going on eicar i can see it blocks the download of the file, when i try to download from https the download proceed. How i can check and block antivirus threat over https session?
1) Create a new CA (as a test this can be done with openssl) - set expiration for 10 years or so (if you set for example 1 year you would need to redo this work once a year so its up to any ceritifcation policies at your workplace which expiration times are allowed).
The last part is only to make this transparent for the clients - otherwise they will get an warning in their webbrowser that the cert used by the site the client is visiting isnt "trusted". Of course the client could just allow it anyway or for that matter install the cert to avoid get a warning next time - but PA will on the fly generate a new "MITM" cert next time the client visits the particular url.
A good way to test if your SSL-termination is setup correctly is to visit and download the eicar testfile from (both http and https options are available along with .exe and .txt): -0-Download.html (for more information: -0-Intended-use.html).
That is because the PA will on the fly generate a new "faked" (MITM - Man In The Middle) cert using this CA cert before sending the traffic to the client (who if point 4 above is done will not notice that its being inspected (unless the client manually inspect the cert received and will notice that the issuer is changed and that the fingerprint (compared to the original cert) doesnt match (if the visited site have published their fingerprints online or if the client some other way knows what the correct fingerprint is)).
Hi i have generated the certificate directly from Paloalto, the problem was that the name of certificate. We have ricreate the certificate with name the ip address of appliance and now it seem's to be working better. Now using the eicar download test, trying to download a file in http i see a blocked response web page, and in https it remain in working and remain in cycling. It doesn't display the response page but don't proceed to download of the file. Have you seen the same behavior ?
Visit the url in question and verify that your MITM-cert was being used (check the "issued by" stuff when you click on the cert on clientside - it should read the name you gave the cert (issuer) instead of Verisign or whatever the EICAR-site uses).
I have sometimes noticed that occationally the PA unit will let bad code pass, dunno why as I have not yet setup a testcase for this or even did a tcpdump so see what actually happens - the result was anyway that I got open the EICAR.txt over https instead of getting the blocked virus page.
One theory is that the PA unit will send the TCP-RST (or whatever) just after the first packet passes as with EICAR the EICAR teststring will fit in a single packet. Then based on which browser is being used the browser will try to display whatever it got instead of displaying the block (well antivirus) page generated by the PA.
For the app, i ve no problem in http or https, example facebook, facebook app or other, but for antivirus features when i try to download the eicar test file in http i see the block page, and in https i see the timeout as you. No news.
I have exactly the same problem. I have configured two ssl forwarding certs (a trusted and a unstrusted cert) and imported both certs into my browsers "Trusted Root Cert. Authorities". Configured the ssl decryption policy and tested a few ssl sites with valid and invalid (self signed) certs. All worked as expected except the Eicar tesfiles with ssl. I can see the block in the Threat log, but no response page being displayed in the browser, just sitting there until it times out.
Differently from Cisco support Forum, it seem's frequented more from customer who helps each other, and less from Palo Alto Networks tech support. So maybe must be opened a case and after that report on this discusion the solution of the case.
Ok, that's interesting, I have to try this one tomorrow. Although I doubt this should be like that by design. I remember when I played with the ssl decrypt feature a while ago with a 3.x release when I didn't have to specify any ports in the security policy to get the response pages for ssl working.
Antivirus software was originally developed to detect and remove computer viruses, hence the name. However, with the proliferation of other malware, antivirus software started to protect against other computer threats. Some products also include protection from malicious URLs, spam, and phishing.[1]
Although the roots of the computer virus date back as early as 1949, when the Hungarian scientist John von Neumann published the "Theory of self-reproducing automata",[2] the first known computer virus appeared in 1971 and was dubbed the "Creeper virus".[3] This computer virus infected Digital Equipment Corporation's (DEC) PDP-10 mainframe computers running the TENEX operating system.[4][5]
In 1983, the term "computer virus" was coined by Fred Cohen in one of the first ever published academic papers on computer viruses.[11] Cohen used the term "computer virus" to describe programs that: "affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself."[12] (note that a more recent definition of computer virus has been given by the Hungarian security researcher Pter Szőr: "a code that recursively replicates a possibly evolved copy of itself").[13][14]
The first IBM PC compatible "in the wild" computer virus, and one of the first real widespread infections, was "Brain" in 1986. From then, the number of viruses has grown exponentially.[15][16] Most of the computer viruses written in the early and mid-1980s were limited to self-reproduction and had no specific damage routine built into the code. That changed when more and more programmers became acquainted with computer virus programming and created viruses that manipulated or even destroyed data on infected computers.[17]
Before internet connectivity was widespread, computer viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet usage became common, viruses began to spread online.[18]
There are competing claims for the innovator of the first antivirus product. Possibly, the first publicly documented removal of an "in the wild" computer virus (i.e. the "Vienna virus") was performed by Bernd Fix in 1987.[19][20]
In 1987, Andreas Lning and Kai Figge, who founded G Data Software in 1985, released their first antivirus product for the Atari ST platform.[21] In 1987, the Ultimate Virus Killer (UVK) was also released.[22] This was the de facto industry standard virus killer for the Atari ST and Atari Falcon, the last version of which (version 9.0) was released in April 2004.[citation needed] In 1987, in the United States, John McAfee founded the McAfee company (was part of Intel Security[23]) and, at the end of that year, he released the first version of VirusScan.[24] Also in 1987 (in Czechoslovakia), Peter Paško, Rudolf Hrub, and Miroslav Trnka created the first version of NOD antivirus.[25][26]
Finally, at the end of 1987, the first two heuristic antivirus utilities were released: Flushot Plus by Ross Greenberg[28][29][30] and Anti4us by Erwin Lanting.[31] In his O'Reilly book, Malicious Mobile Code: Virus Protection for Windows, Roger Grimes described Flushot Plus as "the first holistic program to fight malicious mobile code (MMC)."[32]
Also in 1988, a mailing list named VIRUS-L[35] was started on the BITNET/EARN network where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list were: Alan Solomon, Eugene Kaspersky (Kaspersky Lab), Fririk Sklason (FRISK Software), John McAfee (McAfee), Luis Corrons (Panda Security), Mikko Hyppnen (F-Secure), Pter Szőr, Tjark Auerbach (Avira) and Vesselin Bontchev (FRISK Software).[35]
In 1989, in Iceland, Fririk Sklason created the first version of F-PROT Anti-Virus (he founded FRISK Software only in 1993). Meanwhile, in the United States, Symantec (founded by Gary Hendrix in 1982) launched its first Symantec antivirus for Macintosh (SAM).[36][37] SAM 2.0, released March 1990, incorporated technology allowing users to easily update SAM to intercept and eliminate new viruses, including many that didn't exist at the time of the program's release.[38]
59fb9ae87f