Malware Protection Policy Best Practices
The key principle when defining a malware protection policy is to minimize the chance of infection from known and unknown malware. To achieve this goal, the best practice malware protection policy uses WildFire rules that enable Traps to identify and block all known threats and send unknown files for analysis and identification by WildFire. In addition, the best practice malware protection policy enables Traps to take advantage of built-in mechanisms to analyze unknown files and determine the likelihood of malware. Consider the following recommendations when creating a malware protection policy:
- Enable WildFire integrationto allow Traps to evaluate files based on their WildFire verdicts. WildFire integration is automatically enabled in the default policy. Therefore, if you need to create new WildFire rules, ensure thatWildFire ActivationisOn. See Configure a WildFire Rule.
- Blockthe execution ofmalware. The easiest way to prevent malware from causing harm to your endpoints is to block its execution. To do this, theActionin the WildFire policy for executable, DLL, and Microsoft Office files (containing macros) must be set toPrevention. Because the default policy configures this setting, we recommend that you leave the default setting, or if you need to create new rules, configure each rule to inherit the action from the preceding rule in the hierarchy. If all user-defined rules inherit the action from the previous rule in the rule hierarchy, the rules will inherit the definition from the default policy. See Configure a WildFire Rule.
- Enable Traps to submit unknown filesto the ESM Server and enable the ESM Server to send those samples to WildFire for analysis. By submitting the samples, you take advantage of advanced WildFire threat intelligence which enables analysis and identification of zero-day malware. WildFire also makes information about newly-discovered files available globally to other ESMs (upon query) and to Palo Alto Networks firewalls (within minutes). This enables you and other Palo Alto Networks customers to transform unknown samples to known samples thus reducing the time spent determining the nature of the unknown file. Because the default policy configures this setting, no additional action is required to enable this functionality. However, if you need to create new rules, ensure that you configure theUnknown Verdict Configurationto block unknown executables and enable Traps agents toUpload Files for WildFire Analysis. See Set Up the ESM to Communicate with WildFire.
- Enable Traps to perform Local analysison unknown files to determine if they are likely to be malware. Local analysis uses a statistical model that was developed using machine learning on WildFire threat intelligence. When enabled, local analysis uses the model to issue a local verdict for the file. Traps simultaneously queries the ESM Server for a verdict for the unknown file but can use the local analysis verdict until the ESM Server responds with either an official WildFire verdict or administrative hash control policy. Because the default policy configures this setting, no additional action is required to enable this functionality. However, if you need to create new rules, ensure that you enable local analysis. See Configure a WildFire Rule.
- Enable automated content update. Each content update packages the latest Palo Alto Networks threat intelligence into a default security policy file. The content update can include changes to the list of trusted signers, local analysis model, compatibility rules, and default rule configuration settings. By enabling automated content updates, you can ensure that your endpoints automatically take advantage of this threat intelligence. See Content Updates.
Recommended For You
Recommended videos not found.