Network Security
Configure an Anti-Spyware Profile (Strata Cloud Manager)
Detect connections initiated by spyware and various types of command and control (C2)
malware installed on systems on your network.
You can attach an Anti-Spyware profile to a Security rule to detect
connections initiated by spyware and various types of command and control (C2)
malware installed on systems on your network. You can choose between two predefined
Anti-Spyware profiles to attach to a Security rule. Each profile has a set of
predefined rules (with threat signatures) organized by the severity of the threat;
each threat signature includes a default action that is specified by
Palo Alto Networks.
- Default—The default profile uses the default action for critical, high, medium, and low severity signatures, as specified by the Palo Alto Networks content package when the signature is created. It does not include a signature policy for events classified as informational.
- Strict—The strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the reset-both action. The default action is taken with low and informational severity threats.

You can also create custom profiles. For example, you can reduce the stringency of Anti-Spyware inspection for traffic between trusted security zones, and maximize the inspection of traffic received from the internet or sent to protected assets such as server farms.
Follow these steps to configure an Anti-Spyware profile.
- Go to Manage > Configuration > NGFW and Prisma Access > Security Services > Anti-Spyware.
- Add Profile.
- Configure the settings in this table (Anti-Spyware Profile Settings and their descriptions):
  - Name: Enter a profile name (up to 31 characters). This name appears in the list of Anti-Spyware profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
  - Description: Enter a description for the profile (up to 255 characters).
  - Anti-Spyware Rules: Anti-Spyware rules allow you to define a custom severity and action to take on any threat, on a specific threat name that contains the text that you enter, and/or on a threat category, such as adware. Add Rule, or select an existing rule and select Find Matching Signatures to filter threat signatures based on that rule.
    - Rule Name: Specify the rule name.
    - Threat Name: Enter any to match all signatures, or enter text to match any signature containing the entered text as part of the signature name.
    - Category: Choose a category, or choose any to match all categories.
    - Action: Choose an action for each threat. The Default action is based on the predefined action that is part of each signature provided by Palo Alto Networks.
    - Packet Capture: Select this option if you want to capture identified packets. Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context about the threat when analyzing the Threat logs. If the action for a given threat is allow, your configuration does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action. Enable extended-capture for critical, high, and medium-severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropped packet captures.) Don't enable extended-capture for informational and low-severity events: it is not very useful compared to capturing information about higher-severity events, and it creates a relatively high volume of low-value traffic.
    - Severity: Choose a severity level (critical, high, medium, low, or informational).
  - Overrides: Allows you to change the action for a specific signature. For example, you can generate alerts for a specific set of signatures and block all packets that match all other signatures. Threat exceptions are usually configured when false positives occur. Ensure that you obtain the latest content updates so that you're protected against new threats and have new signatures for any false positives.
    Add Override and Enable each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections. Click into the IP Address section to Add (+) IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature overrides the action for a rule only when the signature is triggered by a session with a source or destination IP address that matches an IP address in the exception. You can add up to 100 IP addresses per signature. With this option, you don't have to create a new security rule and a new vulnerability profile to create an exception for a specific IP address. Create an exception only if you're sure that a signature identified as spyware isn't a threat (it's a false positive). If you believe you discovered a false positive, open a support case with TAC so Palo Alto Networks can analyze and fix the incorrectly identified signature. As soon as the issue is resolved, remove the exception from the profile.
  - Inline Cloud Analysis Tab: Inline Cloud Analysis allows you to enable and configure the settings for real-time analysis of advanced C2 threats on a per-detection-engine basis.
    - Enable cloud inline analysis—Enables real-time analysis of advanced C2 threats across all available deep inline cloud analysis engines.
    - Available Analysis Engines: For each available analysis engine representing a threat category, you can select one of the following actions that you want your configuration to enforce when a corresponding threat is detected:
      - Allow—The website is allowed and no log entry is generated.
      - Alert—The website is allowed and a log entry is generated in the URL filtering log.
      - Drop—Drops the traffic. A reset action isn't sent to the host/application.
      - Reset-Client—Resets the client-side connection.
      - Reset-Server—Resets the server-side connection.
      - Reset-Both—Resets the connection on both client and server ends.
      The default action for all analysis engines is alert.
    - Exceptions: Allows you to select a URL or IP address exception list that bypasses the inline cloud analysis engines. Exceptions can be specified using URLs and/or IP addresses. URL exceptions include an EDL (external dynamic list) or a custom URL category, while IP address exceptions include an EDL or an Address object. Click Add to view and select from the available options. You can select the following list types:
      - EDL URL—External Dynamic Lists containing a series of URLs, or a custom URL category.
      - IP Address—IP address lists defined in an External Dynamic List or within an Address object.
      Only create IP address and URL exceptions when the identified threats don't pose a danger, such as in the case of a false positive.
- Save your configuration. An Anti-Spyware profile is only active when it's included in a profile group that a Security policy rule references. Follow the steps to activate an Anti-Spyware profile (and any Security profile).
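The following Python is an added example, not Palo Alto Networks code and not the Strata Cloud Manager data model. It models how the settings above combine when a signature fires: the two predefined profiles from the list near the top of the page, rule matching by threat name, category and severity, per-signature overrides that are scoped to a session's source or destination IP when IP filters are present, the 100-address limit, the profile-name constraints, and the Packet Capture behaviour for allow, alert and blocking actions. The class and function names (Signature, Rule, Override, Profile, evaluate, predefined), the one-rule-per-severity layout of the predefined profiles, and the sample signatures are assumptions made for illustration; the behaviour they encode follows the text.

```python
# Added example (not Palo Alto Networks code): resolve the action an Anti-Spyware profile
# takes for a signature hit, following the settings described on this page. The data
# model below is an assumption for illustration, not the Strata Cloud Manager schema.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low", "informational")
BLOCKING = ("drop", "reset-client", "reset-server", "reset-both")
# Profile name: up to 31 characters of letters, numbers, spaces, hyphens, periods, underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,31}$")

def valid_name(name: str) -> bool:
    return NAME_RE.match(name) is not None

@dataclass(frozen=True)
class Signature:            # a content-package signature (constructed sample fields)
    threat_id: int
    name: str
    category: str
    severity: str
    default_action: str     # the action Palo Alto Networks specifies for this signature

@dataclass
class Override:             # exception for one signature; IP-scoped when ip_addresses is set
    threat_id: int
    action: str
    ip_addresses: tuple = ()

@dataclass
class Rule:
    name: str
    threat_name: str = "any"         # "any", or text contained in the signature name
    category: str = "any"
    severity: str = "any"
    action: str = "default"          # "default" keeps the signature's own action
    packet_capture: str = "disable"  # "disable", "single-packet" or "extended-capture"

    def matches(self, sig: Signature) -> bool:
        return ((self.threat_name == "any" or self.threat_name.lower() in sig.name.lower())
                and self.category in ("any", sig.category)
                and self.severity in ("any", sig.severity))

@dataclass
class Profile:
    name: str
    rules: list = field(default_factory=list)
    overrides: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if not valid_name(self.name):
            raise ValueError("profile name: 1-31 chars of letters, numbers, space, . - _")
        if any(len(o.ip_addresses) > 100 for o in self.overrides):
            raise ValueError("at most 100 IP addresses per signature exception")

def _override_applies(o: Override, src_ip: str, dst_ip: str) -> bool:
    """An IP-scoped override only fires when the session's source or destination matches."""
    if not o.ip_addresses:
        return True
    scoped = {ipaddress.ip_address(ip) for ip in o.ip_addresses}
    return ipaddress.ip_address(src_ip) in scoped or ipaddress.ip_address(dst_ip) in scoped

def evaluate(profile: Profile, sig: Signature, src_ip: str, dst_ip: str) -> Optional[dict]:
    """Resolve action, Threat-log and capture behaviour; None when no rule covers the signature."""
    rule = next((r for r in profile.rules if r.matches(sig)), None)
    if rule is None:
        return None
    action = sig.default_action if rule.action == "default" else rule.action
    for o in profile.overrides:
        if o.threat_id == sig.threat_id and _override_applies(o, src_ip, dst_ip):
            action = o.action
            break
    # Packet Capture semantics from the settings table: allow neither logs nor captures,
    # alert honours the rule's capture setting, every blocking action captures one packet.
    if action == "allow":
        capture = "disable"
    elif action == "alert":
        capture = rule.packet_capture
    elif action in BLOCKING:
        capture = "single-packet"
    else:
        raise ValueError(f"unknown action: {action}")
    return {"rule": rule.name, "action": action,
            "threat_log": action != "allow", "packet_capture": capture}

def predefined(kind: str) -> Profile:
    """The two predefined profiles, encoded as one rule per severity (assumed layout)."""
    if kind == "default":
        # Signature default action for critical through low; no rule at all for informational.
        rules = [Rule(f"default-{s}", severity=s) for s in SEVERITIES if s != "informational"]
    elif kind == "strict":
        rules = [Rule(f"strict-{s}", severity=s, action="reset-both")
                 for s in ("critical", "high", "medium")]
        rules += [Rule(f"strict-{s}", severity=s) for s in ("low", "informational")]
    else:
        raise ValueError(f"unknown predefined profile: {kind}")
    return Profile(kind, rules)
```

A practitioner can build a Profile from an exported configuration and call evaluate with a signature and a session's addresses to confirm, before committing, that an IP-scoped exception only relaxes the action for the intended hosts and that blocking rules still produce a single-packet capture for the Threat log.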