Security Profile: Antivirus
Where Can I Use This? | What Do I Need? |
NGFW (Cloud Managed) NGFW (PAN-OS & Panorama Managed) Prisma Access (Cloud Managed) Prisma Access (Panorama Managed)
|
Check for any license or role requirements for the products you're
using: Prisma Access license or AIOps for NGFW license
|
Antivirus profiles protect against viruses, worms, and
trojans as well as spyware downloads. Using a stream-based malware
prevention engine, which inspects traffic the moment the first packet
is received, the Palo Alto Networks antivirus solution can provide
protection for clients without significantly impacting the performance.
This profile scans for a wide variety of malware in executables,
PDF files, HTML and JavaScript viruses, including support for scanning
inside compressed files and data encoding schemes. If you have enabled
decryption, the profile also enables scanning of decrypted content.
The default profile inspects all of the listed protocol decoders
for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols
while blocking for FTP, HTTP, and SMB protocols. You can configure
the action for a decoder or Antivirus signature and specify how
to respond to a threat event:
Default
—For each threat signature
and Antivirus signature that is defined by Palo Alto Networks, a
default action is specified internally. Typically, the default action
is an alert or a reset-both. The default action is displayed in
parenthesis, for example default (alert) in the threat or Antivirus
signature.
Allow
—Permits the application traffic.
The
Allow
action
does not generate logs related to the signatures or profiles.
Alert
—Generates an alert for each
application traffic flow. The alert is saved in the threat log.
Drop
—Drops the application traffic.
Reset Client
—For TCP, resets the client-side
connection. For UDP, drops the connection.
Reset Server
—For TCP, resets the server-side
connection. For UDP, drops the connection.
Reset Both
—For TCP, resets the connection
on both client and server ends. For UDP, drops the connection.
Customized profiles can be used to minimize antivirus inspection
for traffic between trusted security zones, and to maximize the
inspection of traffic received from untrusted zones, such as the
internet, as well as the traffic sent to highly sensitive destinations,
such as server farms.
The Palo Alto Networks
WildFire system also provides signatures for
persistent threats that are more evasive and have not yet been discovered by other
antivirus solutions. As threats are discovered by WildFire, signatures are quickly
created and then integrated into the standard Antivirus signatures that can be
downloaded by Threat Prevention subscribers on a daily basis (sub-hourly for WildFire
subscribers).
