: Objects > Security Profiles > Antivirus
Focus
Focus

Objects > Security Profiles > Antivirus

Table of Contents
End-of-Life (EoL)

Objects > Security Profiles > Antivirus

Use the Antivirus Profiles page to configure options to have the firewall scan for viruses on the defined traffic. Set the applications that should be inspected for viruses and the action to take when a virus is detected. The default profile inspects all of the listed protocol decoders for viruses, generates alerts for Simple Mail Transport Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol Version 3 (POP3), and takes the default action for other applications (alert or deny), depending on the type of virus detected. The profile will then be attached to a Security policy rule to determine the traffic traversing specific zones that will be inspected.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
To add a new Antivirus profile, select Add and enter the following settings:
Field
Description
Name
Enter a profile name (up to 31 characters). This name appears in the list of antivirus profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Description
Enter a description for the profile (up to 255 characters).
Shared
(Panorama only)
Select this option if you want the profile to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this Antivirus profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Action Tab
Specify the action for the different types of traffic, such as FTP and HTTP.
Enable Packet Capture
Select this option if you want to capture identified packets.
Hold for WildFire Real Time Signature Look Up
Select this option if you want to hold packets until the firewall completes a real time signature lookup against the real-time signature cloud.
You must also globally enable Hold for WildFire Real Time Signature Look Up in Device > Setup > Content-ID before hold mode is fully enabled.
Decoders and Actions
For each type of traffic that you want to inspect for viruses, select an action from the drop-down. You can define different actions for standard antivirus signatures (Signature Action column), signatures generated by the WildFire system (WildFire Signature Action column), and malicious threats detected in real-time by the WildFire Inline ML models (WildFire Inline ML Action column).
Some environments may have requirements for a longer soak time for antivirus signatures, so this option enables the ability to set different actions for the two antivirus signature types provided by Palo Alto Networks. For example, the standard antivirus signatures go through a longer soak period before being released (24 hours), versus WildFire signatures, which can be generated and released within 15 minutes after a threat is detected. Because of this, you may want to choose the alert action on WildFire signatures instead of blocking.
For the best security, clone the default Antivirus profile and set the Action and WildFire Action for all the decoders to reset-both and attach the profile to all Security policy rules that allow traffic.
Application Exceptions and Actions
The Applications Exceptions table allows you to define applications that will not be inspected. For example, to block all HTTP traffic except for a specific application, you can define an antivirus profile for which the application is an exception. Block is the action for the HTTP decoder, and Allow is the exception for the application. For each application exception, select the action to be taken when the threat is detected. For a list of actions, see Actions in Security Profiles.
To find an application, start typing the application name in the text box. A matching list of applications is displayed, and you can make a selection.
If you believe a legitimate application is incorrectly identified as carrying a virus (false positive), open a support case with TAC so Palo Alto Networks can analyze and fix the incorrectly identified virus. When the issue is resolved, remove the exception from the profile.
Signature Exceptions Tab
Use the Signature Exception tab to define a list of threats that will be ignored by the antivirus profile.
Only create an exception if you are sure an identified virus is not a threat (false positive). If you believe you have discovered a false positive, open a support case with TAC so Palo Alto Networks can analyze and fix the incorrectly identified virus signature. When the issue is resolved, remove the exception from the profile immediately.
Threat ID
To add specific threats that you want to ignore, enter one Threat ID at a time and click Add. Threat IDs are presented as part of the threat log information. Refer to Monitor > Logs.
WildFire Inline ML Tab
Use the WildFire Inline ML tab to enable and configure real-time WildFire analysis of files using a firewall-based machine learning model.
Palo Alto Networks recommends forwarding samples to the WildFire cloud when Wildfire inline ML is enabled. This allows samples that trigger a false-positive to be automatically corrected upon secondary analysis. Additionally, it provides data for improving ML models for future updates.
Available Models
For each available WildFire inline ML Model, you can select one of the following action settings:
  • enable (inherit per-protocol actions)—Traffic is inspected according to your selections in the WildFire Inline ML Action column in the decoders section of the Action tab.
  • alert-only (override more strict actions to alert)—Traffic is inspected according to your selections in the WildFire Inline ML Action column in the decoders section of the Action tab. Any action with a severity level higher than alert (drop, reset-client, reset-server, reset-both) will be overridden to alert, allowing traffic to pass while generating and saving an alert in the threat logs.
  • disable (for all protocols)—Traffic is allowed to pass without any policy action.
File Exceptions
The File Exceptions table allows you to define specific files that you do not want analyzed, such as false-positives.
To create a new file exception entry, Add a new entry and provide the partial hash, filename, and description of the file that you want to exclude from enforcement.
To find an existing file exception, start typing the partial hash value, file name, or description in the text box. A list of file exceptions matching any of those values are displayed.
You can find partial hashes in the threat logs (Monitor > Logs > Threat).