: Transition Antivirus Profiles Safely to Best Practices
Focus
Focus

Transition Antivirus Profiles Safely to Best Practices

Table of Contents

Transition Antivirus Profiles Safely to Best Practices

Apply Antivirus profiles to allow rules to protect against viruses and malware without risking application availability.
The following guidance helps determine whether to start with block or alert actions when you clone the default Antivirus profile and modify it to define the initial profiles and begin the transition to best practice profiles.
Antivirus requires an Advanced Threat Prevention or active legacy Threat Prevention subscription.
To identify and prevent threats, the firewall must have visibility into application traffic. Decrypt as much traffic as local regulations, business considerations, privacy considerations, and technical ability allow. If you don’t decrypt traffic, the firewall can’t analyze encrypted headers and payload information.
In addition, follow Threats Content Update best practices to ensure that your Security profile signatures are up to date.
  • Business-critical applications—Set the initial action to alert to ensure application availability. However, in some situations you can block Antivirus signatures from the start. For example, when you’re already protecting similar applications with an Antivirus profile and you’re confident the profile meets your business and security needs, you can use a similar profile to protect similar applications because you already understand what you’re blocking.
    The alert action enables you to analyze Threat logs (MonitorLogsThreat) and create exceptions when necessary before moving to a block action. Alerting and monitoring before moving to blocking gives you confidence that:
    • The profile won’t block business-critical applications when you deploy it.
    • You create necessary exceptions as you transition to the blocking state to maintain application availability.
    Keep the length of time you maintain the initial alert action to a minimum to reduce the chance of a security incident. Transition to the best practice state as soon as you’re comfortable you’ve identified any exceptions you need to make and configure the profile accordingly.
  • Critical and high severity signatures—It’s safe to deploy best practices Antivirus profiles to block malicious traffic for applications that aren’t critical to your business right away because false positive rates are rare, so unnecessary blocking rarely occurs.
  • If you treat internal applications differently than external applications, you might need an Antivirus profile for internet-facing traffic and another Antivirus profile for internal traffic.
  • Enable real-time signature lookup globally on the device and in the Antivirus profile to hold files until the firewall receives the latest real-time antivirus signature from the cloud:
    • Enable globallyDeviceSetupContent-IDContent-ID SettingsRealtime Signature Lookup, enable Hold for WildFire Real Time Signature Look Up, and set the Action On Real Time Signature Timeout to Reset Both. You must enable real-time signature lookup globally to enable in Antivirus profiles.
    • Enable in Antivirus profileObjectsSecurity ProfilesAntivirus and enable Hold for WildFire Real Time Signature Look Up.
    Holding files to ensure that WildFire gets the latest antivirus signatures protects you from zero-day malware and outdated antivirus signatures that you might be exposed to if you forward files without holding them for the latest signatures.
  • WildFire Action settings in the Antivirus profile might impact traffic if the traffic generates a WildFire signature that results in a reset or drop action.
When you have the initial profiles in place, monitor the Threat logs for enough time to gain confidence that you understand whether any business-critical applications cause alerts or blocks. Also monitor the WildFire Submissions logs (MonitorLogsWildFire Submissions) for enough time to gain confidence that you understand whether any business-critical applications cause alerts or blocks due to the Antivirus profile WildFire Action. Create exceptions (open a support ticket if necessary) in each profile as needed to remediate any confirmed false positives before you implement full best-practice Antivirus profiles. The speed of your transition to best practices profiles depends on your business, applications, and comfort level—be aware that some applications are only used weekly, monthly, quarterly, or yearly for audits, periodic events and meetings, etc.