Transition Anti-Spyware Profiles Safely to Best Practices
Apply Anti-Spyware profiles to allow rules to protect
against command and control attacks without risking application
availability.
Use the following guidance to help determine
whether to start with block or alert actions as you define the initial
Anti-Spyware profiles and begin the transition to best practice
profiles.
Anti-Spyware requires a Threat Prevention subscription.
- False positive rates for critical and high severity signatures are typically low. For applications that aren’t critical to your business, such as internet access, block critical and high severity signatures from the start.
- Medium severity signatures may generate false positives and require initial monitoring. Start by alerting on medium severity signatures and monitor the Threat logs () to see if you can block applications for which you receive alerts or if you need to allow them.
- Set the action for DNS signatures (default-paloalto-dns) to sinkhole to identify potentially compromised hosts that attempt to access suspicious domains by tracking the hosts and preventing them from accessing those domains. (This is the best practice configuration and you should configure DNS sinkhole right away.)Allow traffic only to sanctioned DNS servers. Use the DNS Security service to prevent connections to malicious DNS servers.
- The default action for most low and informational severity signatures is alert or allow. Unless you have a specific need to alert on all low and informational signatures, configure the default action from the start.
- For business-critical applications, it’s usually best to set the initial action to alert to ensure application availability. However, in some situations you can use the block action from the start. For example, when you’re already protecting similar applications with an Anti-Spyware profile that blocks critical, high, and/or medium signatures, and you’re confident the profile meets your business and security needs, you can use a similar profile to block spyware and protect the similar applications.The alert action enables you to analyze Threat logs and create exceptions when necessary before moving to a block action. Alerting and monitoring before moving to blocking gives you confidence the profile won’t block business-critical applications when you deploy the initial profile and that you’ll maintain application availability by creating necessary exceptions as you transition to the best practice blocking state. Keep the length of time you maintain the initial alert action to a minimum to reduce the chance of a security breach. Transition to the best practice state as soon as you’re comfortable you’ve identified any exceptions you need to make and configure the profile accordingly.
Enable single packet capture for all
severity signatures. Enabling packet capture allows you to investigate
events in greater detail if necessary. As you move to best practice
profiles, if low and informational events create too much packet
capture activity (too large a volume of traffic) and the information
isn’t particularly useful, you can transition to disabling packet
capture on these severities.
When you have the initial profiles in place, monitor the Threat
logs for enough time to gain confidence you understand whether any
business-critical applications cause alerts or blocks. Create exceptions
(open a support ticket if necessary) in each profile as needed to
remediate any confirmed false positives before you implement full
best-practice Anti-Spyware profiles for the internet gateway or for
the data center.
