Security Profile: Anti-Spyware

Detect connections initiated by spyware and various types of command-and-control (C2) malware installed on systems on your network.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Managed)
  • Prisma Access (Panorama Managed)
What Do I Need?
Check for any license or role requirements for the products you're using.
An Anti-Spyware profile blocks spyware on compromised hosts from phoning home or beaconing out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply different levels of protection between zones. For example, you may want custom Anti-Spyware profiles that minimize inspection between trusted zones while maximizing inspection of traffic received from an untrusted zone, such as an internet-facing zone. When using a Panorama management server, the Threat ID is mapped to the corresponding custom threat, so that a threat log populated with the configured custom Threat ID is generated.
You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security rule:
  • Default—Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
  • Strict—Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for low and informational severity signatures.
When a threat event is detected, you can configure the following actions in an Anti-Spyware profile:
  • Default—For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
  • Allow—Permits the application traffic.
    The Allow action does not generate logs related to the signatures or profiles.
  • Alert—Generates an alert for each application traffic flow. The alert is saved in the threat log.
  • Drop—Drops the application traffic.
  • Reset Client—For TCP, resets the client-side connection. For UDP, drops the connection.
  • Reset Server—For TCP, resets the server-side connection. For UDP, drops the connection.
  • Reset Both—For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
    In some cases, when the profile action is set to reset-both, the associated threat log might display the action as reset-server. This occurs when a threat is detected at the beginning of a session and presents the client with a 503 block page. Because the block page disallows the connection, the client-side does not need to be reset, and only the server-side connection is reset.
  • Block IP—This action blocks traffic from either a source or a source-destination pair for a configurable period of time.
Rule order is important!
Rules are enforced from the top down, even when an Anti-Spyware profile has multiple rules of the same severity, much like those in a Security policy. Be sure to place rules you want to prioritize over other rules of the same severity higher on the list.
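To make the precedence rules above concrete, the following is an added Python model (not PAN-OS code and not anything published by Palo Alto Networks) of how the two predefined profiles, top-down rule order, and the per-signature exceptions scoped to IP addresses (described under the Exceptions/Overrides settings in the configuration steps) combine to pick an action for a detected signature. The classes, the `resolve` and `shadowed_rules` functions, and every signature, threat ID and address are constructed for the illustration; the firewall's real matching logic is internal and may differ in details the documentation does not state.

```python
"""Simplified model of how an Anti-Spyware profile picks the action for a
detected signature.  Added illustration, not PAN-OS code: it mirrors only the
behaviour the documentation states (predefined default and strict profiles,
top-down rule order, per-signature exceptions scoped to IP addresses).
All signatures, threat IDs and addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low", "informational")


@dataclass(frozen=True)
class Signature:
    threat_id: int
    name: str
    category: str
    severity: str
    default_action: str  # action assigned to the signature in the content package


@dataclass
class Rule:
    name: str
    threat_name: str = "any"      # "any" or text contained in the signature name
    category: str = "any"         # "any" or one category such as "adware"
    severity: tuple = SEVERITIES  # severities this rule covers
    action: str = "default"       # "default" means use the signature's own action

    def matches(self, sig: Signature) -> bool:
        name_ok = self.threat_name == "any" or self.threat_name.lower() in sig.name.lower()
        cat_ok = self.category == "any" or self.category == sig.category
        return name_ok and cat_ok and sig.severity in self.severity


@dataclass
class SignatureException:
    threat_id: int
    action: str
    ip_addresses: tuple = ()  # empty tuple: the exception applies to every session


@dataclass
class AntiSpywareProfile:
    name: str
    rules: list
    exceptions: list = field(default_factory=list)

    def resolve(self, sig: Signature, src_ip: str, dst_ip: str) -> Optional[str]:
        """Return the enforced action, or None when no signature policy applies."""
        # A signature exception overrides the rule action; when IP addresses are
        # listed it does so only for sessions whose source or destination matches.
        for exc in self.exceptions:
            if exc.threat_id != sig.threat_id:
                continue
            if not exc.ip_addresses or {src_ip, dst_ip} & set(exc.ip_addresses):
                return exc.action
        # Rules are enforced top-down: the first matching rule decides, even if a
        # later rule of the same severity would also match.
        for rule in self.rules:
            if rule.matches(sig):
                return sig.default_action if rule.action == "default" else rule.action
        return None


def predefined_default() -> AntiSpywareProfile:
    # Default action for critical through low; no signature policy for informational.
    return AntiSpywareProfile("default", rules=[
        Rule("simple-default", severity=("critical", "high", "medium", "low"))])


def predefined_strict() -> AntiSpywareProfile:
    # Critical, high and medium are forced to reset-both; low and informational
    # keep the signature's default action.
    return AntiSpywareProfile("strict", rules=[
        Rule("simple-critical", severity=("critical",), action="reset-both"),
        Rule("simple-high", severity=("high",), action="reset-both"),
        Rule("simple-medium", severity=("medium",), action="reset-both"),
        Rule("simple-low", severity=("low",)),
        Rule("simple-informational", severity=("informational",))])


def shadowed_rules(profile: AntiSpywareProfile, signatures) -> list:
    """Names of rules that no given signature ever reaches: a rule-order check."""
    reached = set()
    for sig in signatures:
        for rule in profile.rules:
            if rule.matches(sig):
                reached.add(rule.name)
                break
    return [r.name for r in profile.rules if r.name not in reached]


# Constructed sample signatures (not real threat IDs or signature names).
SIG_BEACON = Signature(900001, "Example Beacon Command and Control Traffic",
                       "command-and-control", "critical", "reset-both")
SIG_SPY = Signature(900002, "Example Spyware Phone Home", "spyware", "medium", "alert")
SIG_ADWARE = Signature(900003, "Example Adware Tracker", "adware", "low", "alert")
SIG_INFO = Signature(900004, "Example Informational DNS Query", "dns", "informational", "alert")
SAMPLE_SIGS = [SIG_BEACON, SIG_SPY, SIG_ADWARE, SIG_INFO]

# Constructed custom profile: alert on adware, reset everything else, and one
# signature exception that applies only to sessions involving 10.1.1.50.
CUSTOM = AntiSpywareProfile("untrust-inbound", rules=[
    Rule("alert-adware", category="adware", action="alert"),
    Rule("reset-everything-else", action="reset-both"),
    Rule("drop-adware", category="adware", action="drop"),  # shadowed by rule 1
], exceptions=[SignatureException(SIG_BEACON.threat_id, "alert", ("10.1.1.50",))])

if __name__ == "__main__":
    for prof in (predefined_default(), predefined_strict(), CUSTOM):
        for sig in SAMPLE_SIGS:
            print(prof.name, sig.severity, "->", prof.resolve(sig, "10.1.1.20", "203.0.113.9"))
    print("shadowed rules in", CUSTOM.name, ":", shadowed_rules(CUSTOM, SAMPLE_SIGS))
```

Running the script shows the strict profile escalating the medium-severity signature from its default alert to reset-both while leaving the low and informational ones alone, the custom profile honoring the IP-scoped exception only when 10.1.1.50 is an endpoint of the session, and `shadowed_rules` flagging the third custom rule that can never be reached because the second rule already matches everything.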

Configure an Anti-Spyware Profile

Configure an Anti-Spyware Profile (Strata Cloud Manager)

Detect connections initiated by spyware and various types of command and control (C2) malware installed on systems on your network.
You can attach an Anti-Spyware profile to a Security rule to detect connections initiated by spyware and various types of command and control (C2) malware installed on systems on your network. You can choose between two predefined Anti-Spyware profiles to attach to a Security rule. Each profile has a set of predefined rules (with threat signatures) organized by the severity of the threat; each threat signature includes a default action that is specified by Palo Alto Networks.
  • Default—The default profile uses the default action for critical, high, medium, and low severity signatures, as specified by the Palo Alto Networks content package when the signature is created. It does not include a signature policy for events classified as informational.
  • Strict—The strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the reset-both action. The default action is taken with low and informational severity threats.
  • You can also create custom profiles. You can, for example, reduce the stringency for Anti-Spyware inspection for traffic between trusted security zones, and maximize the inspection of traffic received from the internet, or traffic sent to protected assets such as server farms.
Follow these steps to configure an Anti-Spyware profile.
  1. Go to Manage > Configuration > NGFW and Prisma Access > Security Services > Anti-Spyware.
  2. Add Profile.
  3. Configure the settings in this table:
    Anti-Spyware Profile Settings (each setting is followed by its description)
    Name
    Enter a profile name (up to 31 characters). This name appears in the list of Anti-Spyware profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
    Description
    Enter a description for the profile (up to 255 characters).
    Anti-Spyware Rules
    Anti-Spyware rules let you define a custom severity and action for any threat, for a specific threat name containing the text you enter, and/or for a threat category such as adware.
    Add Rule, or select an existing rule and select Find Matching Signatures to filter threat signatures based on that rule.
    Rule Name
    Specify the rule name.
    Threat Name
    Enter any to match all signatures, or enter text to match any signature containing the entered text as part of the signature name.
    Category
    Choose a category, or choose any to match all categories.
    Action
    Choose an action for each threat.
    The Default action is based on the predefined action that is part of each signature provided by Palo Alto Networks.
    Packet Capture
    Select this option if you want to capture identified packets.
    Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context about the threat when analyzing the Threat logs.
    If the action for a given threat is allow, your configuration does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
    Enable extended-capture for critical, high, and medium-severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don’t enable extended-capture for informational and low-severity events because it’s not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic.
    Severity
    Choose a severity level (critical, high, medium, low, or informational).
    Overrides
    Allows you to change the action for a specific signature. For example, you can generate alerts for a specific set of signatures and block all packets that match all other signatures. Threat exceptions are usually configured when false-positives occur. Ensure that you obtain the latest content updates so that you're protected against new threats and have new signatures for any false-positives.
    Overrides
    Add Override and Enable each threat for which you want to assign an action or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
    Click into the IP Address section to Add (+) IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature overrides the action for a rule only when the signature is triggered by a session with a source or destination IP address that matches an IP address in the exception. You can add up to 100 IP addresses per signature. With this option, you don't have to create a new security rule and a new vulnerability profile to create an exception for a specific IP address.
    Create an exception only if you're sure that a signature identified as spyware isn't a threat (it's a false positive). If you believe you discovered a false positive, open a support case with TAC so Palo Alto Networks can analyze and fix the incorrectly identified signature. As soon as the issue is resolved, remove the exception from the profile.
    Inline Cloud Analysis Tab
    Inline Cloud Analysis allows you to enable and configure the settings for real-time analysis of advanced C2 threats on a per detection engine basis.
    Enable cloud inline analysis—Enables real-time analysis of advanced C2 threats across all available deep inline cloud analysis engines.
    Available Analysis Engines
    For each available analysis engine representing a threat category, you can select one of the following actions that you want your configuration to enforce when a corresponding threat is detected:
    • Allow—The website is allowed and no log entry is generated.
    • Alert—The website is allowed and a log entry is generated in the URL filtering log.
    • Drop—Drops the traffic. A reset action isn't sent to the host/application.
    • Reset-Client—Resets the client-side connection.
    • Reset-Server—Resets the server-side connection.
    • Reset-Both—Resets the connection on both client and server ends.
    The default action for all analysis engines is alert.
    Exceptions
    Allows you to select a URL or IP address exception list that bypasses the inline cloud analysis engines. Exceptions can be specified using URLs and/or IP addresses. URL exceptions include an EDL (external dynamic list) or a custom URL category, while IP address exceptions include an EDL or an Address object. Click Add to view and select from the available options. You can select the following list types:
    • EDL URL—External Dynamic Lists containing a series of URLs or a custom URL category.
    • IP Address—IP address lists defined in an External Dynamic List or within an Address object.
      Only create IP address and URL exceptions when the identified threats don't pose a danger, such as in the case of a false-positive.
  4. Save your configuration.
    An Anti-Spyware profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate an Anti-Spyware profile (and any Security profile).

Configure an Anti-Spyware Profile (PAN-OS & Panorama)

Detect connections initiated by spyware and various types of command and control (C2) malware installed on systems on your network.
You can attach an Anti-Spyware profile to a Security rule to detect connections initiated by spyware and various types of command and control (C2) malware installed on systems on your network. You can choose between two predefined Anti-Spyware profiles to attach to a Security rule. Each profile has a set of predefined rules (with threat signatures) organized by the severity of the threat; each threat signature includes a default action that is specified by Palo Alto Networks.
  • Default—The default profile uses the default action for critical, high, medium, and low severity signatures, as specified by the Palo Alto Networks content package when the signature is created. It does not include a signature policy for events classified as informational.
  • Strict—The strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the reset-both action. The default action is taken with low and informational severity threats.
  • You can also create custom profiles. You can, for example, reduce the stringency for Anti-Spyware inspection for traffic between trusted security zones, and maximize the inspection of traffic received from the internet, or traffic sent to protected assets such as server farms.
Follow these steps to configure an Anti-Spyware profile.
  1. Go to Objects > Security Profiles > Anti-Spyware.
  2. Add a profile.
  3. Configure the settings in this table:
    Anti-Spyware Profile Settings (each setting is followed by its description)
    Name
    Enter a profile name (up to 31 characters). This name appears in the list of Anti-Spyware profiles when defining Security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
    Description
    Enter a description for the profile (up to 255 characters).
    Shared (Panorama only)
    Select this option if you want the profile to be available to:
    • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
    • Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.
    Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this Anti-Spyware profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
    Signature Policies Tab
    Anti-Spyware rules let you define a custom severity and action for any threat, for a specific threat name containing the text you enter, and/or for a threat category such as adware.
    Add a new rule, or you can select an existing rule and select Find Matching Signatures to filter threat signatures based on that rule.
    Rule Name
    Specify the rule name.
    Threat Name
    Enter any to match all signatures, or enter text to match any signature containing the entered text as part of the signature name.
    Category
    Choose a category, or choose any to match all categories.
    Action
    Choose an action for each threat.
    The Default action is based on the predefined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select Objects > Security Profiles > Anti-Spyware and Add or select an existing profile. Click the Exceptions tab and then click Show all signatures to see a list of all signatures and the associated Action.
    For the best security, use the Action settings in the predefined strict profile.
    Packet Capture
    Select this option if you want to capture identified packets.
    Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context about the threat when analyzing the Threat logs. To view the packet capture, select Monitor > Logs > Threat, locate the log entry you're interested in, and then click the green down arrow in the second column. To define the number of packets to capture, select Device > Setup > Content-ID and then edit the Content-ID Settings.
    If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
    Enable extended-capture for critical, high, and medium-severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don’t enable extended-capture for informational and low-severity events because it’s not very useful compared to capturing information about higher-severity events and creates a relatively high volume of low-value traffic.
    Severity
    Choose a severity level (critical, high, medium, low, or informational).
    Signature Exceptions Tab
    Allows you to change the action for a specific signature. For example, you can generate alerts for a specific set of signatures and block all packets that match all other signatures. Threat exceptions are usually configured when false-positives occur. To make management of threat exceptions easier, you can add threat exceptions directly from the Monitor > Logs > Threat list. Ensure that you obtain the latest content updates so that you're protected against new threats and have new signatures for any false-positives.
    Exceptions
    Enable each threat for which you want to assign an action or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
    Use IP Address Exemptions to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature overrides the action for a rule only when the signature is triggered by a session with a source or destination IP address that matches an IP address in the exception. You can add up to 100 IP addresses per signature. With this option, you don't have to create a new security rule and a new vulnerability profile to create an exception for a specific IP address.
    Create an exception only if you're sure that a signature identified as spyware isn't a threat (it's a false positive). If you believe you discovered a false positive, open a support case with TAC so Palo Alto Networks can analyze and fix the incorrectly identified signature. As soon as the issue is resolved, remove the exception from the profile.
    DNS Policies Tab
    The DNS Policies settings provide an additional method of identifying infected hosts on a network. These signatures detect specific DNS lookups for hostnames that have been associated with DNS-based threats.
    You can configure specific DNS signature sources with separate policy actions, log severity level, and packet capture settings. Hosts that perform DNS queries for malware domains will appear in the botnet report. Additionally, you can specify sinkhole IPs in the DNS Sinkhole Settings if you're sinkholing malware DNS queries.
    DNS Signature Source
    Allows you to select the lists for which you want to enforce an action when a DNS query occurs. There are two default DNS signature policy options:
    • Palo Alto Networks Content—A local downloadable signature list that is updated through dynamic content updates.
    • DNS Security—A cloud-based DNS security service that performs pro-active analysis of DNS data and provides real-time access to the complete Palo Alto Networks DNS signature database.
      This service requires the purchase and activation of the DNS Security license in addition to a Threat Prevention license.
    • External Dynamic Lists—EDLs operating as a domain list can be used to enforce a specific action for a selection of domains, for example, as an alert list. By default, policy actions for domain lists are configured to Allow.
      An EDL allow list does not have precedence over the domain policy action specified under DNS Security. As a result, when there is a domain match to an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of allow. If you want to add DNS domain exceptions, either configure an EDL with an Alert action or add them to the DNS Domain/FQDN Allow List located in the DNS Exceptions tab.
    By default, the locally-accessed Palo Alto Networks Content DNS signatures are sinkholed, while the cloud-based DNS Security is set to allow. If you want to enable sinkholing using DNS Security, you must configure the action on DNS queries to sinkhole. The default address used for sinkholing belongs to Palo Alto Networks (sinkhole.paloaltonetworks.com). This address isn't static and can be modified through content updates on the firewall or Panorama.
    Add a new list and select the External Dynamic List of type Domain that you created.
    Log Severity
    Allows you to specify the log severity level that is recorded when the firewall detects a domain matching a DNS signature.
    Policy Action
    Choose an action to take when DNS lookups are made to known malware sites. The options are alert, allow, block, or sinkhole. The default action for Palo Alto Networks DNS signatures is sinkhole.
    The DNS sinkhole action provides administrators with a method of identifying infected hosts on the network using DNS traffic, even when the firewall is north of a local DNS server (for example, the firewall can't see the originator of the DNS query). When a threat prevention license is installed and an Anti-Spyware profile is enabled in a Security Profile, the DNS-based signatures trigger on DNS queries directed at malware domains. In a typical deployment where the firewall is north of the local DNS server, the Threat log identifies the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command-and-control, for example) instead attempt connections to an IP address specified by the administrator. Infected hosts can then be easily identified in the Traffic logs because any host that attempts to connect to the sinkhole IP is most likely infected with malware.
    Enable DNS sinkhole when the firewall can’t see the originator of the DNS query (typically when the firewall is north of the local DNS server) so you can identify infected hosts. If you can’t sinkhole the traffic, block it.
    Packet Capture
    Select this option for a given source if you want to capture identified packets.
    Enable packet capture on sinkholed traffic so you can analyze it and get information about the infected host.
    DNS Sinkhole Settings
    After sinkhole action is defined for a DNS signature source, specify an IPv4 and/or IPv6 address that will be used for sinkholing. By default, the sinkhole IP address is set to a Palo Alto Networks server. You can then use the Traffic logs or build a custom report that filters on the sinkhole IP address and identify infected clients.
    The following sequence of events occurs when a DNS request is sinkholed:
    1. Malicious software on an infected client computer sends a DNS query to resolve a malicious host on the internet.
    2. The client's DNS query is sent to an internal DNS server, which then queries a public DNS server on the other side of the firewall.
    3. The DNS query matches a DNS entry in the specified DNS signature database source, so the sinkhole action is performed on the query.
    4. The infected client then attempts to start a session with the host, but uses the forged IP address instead. The forged IP address is the address defined in the Anti-Spyware profile DNS signatures tab when the sinkhole action is selected.
    5. The administrator is alerted to a malicious DNS query in the Threat log, and can then search the Traffic logs for the sinkhole IP address to easily locate the client IP address that is trying to start a session with the sinkhole IP address.
    Block DNS Record Types
    Select the DNS resource record types that carry Encrypted Client Hello (ECH) configuration and that you want to block. Blocking them prevents the client from obtaining, during DNS resolution, the keying information it needs to encrypt the TLS client hello.
    Options include SVCB (type 64), HTTPS (type 65), and ANY (type 255).
    To maintain the optimal function of the security services of the firewall, Palo Alto Networks recommends blocking all ECH-supporting record types.
    DNS Exceptions Tab
    The DNS signature exceptions allow you to exclude specific threat IDs from policy enforcement as well as specify domain/FQDN allow lists for approved domain sources.
    To add specific threats that you want to exclude from the policy, select or search for a Threat ID and click Enable. Each entry shows the Threat ID, Name, and FQDN of the object.
    To Add a domain or FQDN allow list, provide the location of the allow list as well as an appropriate description.
    Inline Cloud Analysis Tab
    Inline Cloud Analysis allows you to enable and configure the settings for real-time analysis of advanced C2 threats on a per detection engine basis.
    Enable cloud inline analysis—Enables real-time analysis of advanced C2 threats across all available deep inline cloud analysis engines.
    Available Analysis Engines
    For each available analysis engine representing a threat category, you can select one of the following actions that you want the firewall to enforce when a corresponding threat is detected:
    • Allow—The website is allowed and no log entry is generated.
    • Alert—The website is allowed and a log entry is generated in the URL filtering log.
    • Drop—Drops the traffic. A reset action isn't sent to the host/application.
    • Reset-Client—Resets the client-side connection.
    • Reset-Server—Resets the server-side connection.
    • Reset-Both—Resets the connection on both client and server ends.
    The default action for all analysis engines is alert.
    Exclude from Inline Cloud Analysis
    Allows you to select a URL or IP address exception list that bypasses the inline cloud analysis engines. Exceptions can be specified using URLs and/or IP addresses. URL exceptions include an EDL (external dynamic list) or a custom URL category, while IP address exceptions include an EDL or an Address object. Click Add to view and select from the available options. You can select the following list types:
    • EDL URL—External Dynamic Lists containing a series of URLs or a custom URL category.
    • IP Address—IP address lists defined in an External Dynamic List or within an Address object.
      Only create IP address and URL exceptions when the identified threats don't pose a danger, such as in the case of a false-positive.
  4. Select OK to save your configuration.
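The DNS Policies section above explains why sinkholing matters when the firewall sits north of the internal DNS resolver: the Threat log names the resolver as the source of the malicious query, while the Traffic log exposes the real client once it tries to reach the sinkhole address. The following is an added Python illustration of that correlation, not PAN-OS code or real firewall output. The log lines are constructed in a simplified comma-separated layout of my own (timestamp, log type, source, destination, application, action, detail), not the firewall's actual field order, and the sinkhole address 198.51.100.7, the resolver 10.0.0.53 and all client addresses are constructed placeholders.

```python
"""Correlating sinkholed DNS queries with the hosts that actually issued them.
Added illustration, not PAN-OS code: the log lines below are constructed in a
simplified CSV layout (time, type, src, dst, app, action, detail) that is not
the firewall's real field order.  All addresses are constructed placeholders."""
import csv
from collections import Counter
from io import StringIO

# Sinkhole address configured under DNS Sinkhole Settings (constructed placeholder;
# the vendor default points at a Palo Alto Networks host and may change).
SINKHOLE_IPS = {"198.51.100.7"}

# Constructed Threat log lines.  The firewall is north of the internal resolver
# 10.0.0.53, so every sinkholed query appears to come from the resolver itself.
THREAT_LOG = """\
2024-05-01 10:00:01,THREAT,10.0.0.53,203.0.113.53,dns,sinkhole,Suspicious DNS Query (example-c2.invalid)
2024-05-01 10:00:04,THREAT,10.0.0.53,203.0.113.53,dns,sinkhole,Suspicious DNS Query (example-c2.invalid)
2024-05-01 10:02:30,THREAT,10.0.0.53,203.0.113.53,dns,sinkhole,Suspicious DNS Query (beacon.example.invalid)
"""

# Constructed Traffic log lines.  Clients that received the forged answer then
# try to connect to the sinkhole address, which reveals their real source IPs.
# The session action depends on the Security policy; "allow" here is constructed.
TRAFFIC_LOG = """\
2024-05-01 10:00:02,TRAFFIC,10.1.1.20,198.51.100.7,ssl,allow,tcp/443
2024-05-01 10:00:05,TRAFFIC,10.1.1.35,198.51.100.7,ssl,allow,tcp/443
2024-05-01 10:00:09,TRAFFIC,10.1.1.20,198.51.100.7,web-browsing,allow,tcp/80
2024-05-01 10:01:00,TRAFFIC,10.1.1.40,192.0.2.80,web-browsing,allow,tcp/443
2024-05-01 10:01:10,TRAFFIC,10.0.0.53,203.0.113.53,dns,allow,udp/53
"""

FIELDS = ("time", "type", "src", "dst", "app", "action", "detail")


def parse_log(text):
    """Parse the constructed log layout into a list of field dicts."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]


def dns_threat_sources(threat_records):
    """Sources seen on sinkholed Threat entries: typically only the resolver."""
    return sorted({r["src"] for r in threat_records if r["action"] == "sinkhole"})


def infected_hosts(traffic_records, sinkhole_ips=SINKHOLE_IPS):
    """Connection attempts to the sinkhole address, counted per internal source IP."""
    return dict(Counter(r["src"] for r in traffic_records if r["dst"] in sinkhole_ips))


def correlate(threat_text=THREAT_LOG, traffic_text=TRAFFIC_LOG):
    """Contrast what the Threat log shows with what the Traffic log reveals."""
    threats = parse_log(threat_text)
    traffic = parse_log(traffic_text)
    return {"threat_sources": dns_threat_sources(threats),
            "infected_hosts": infected_hosts(traffic)}


if __name__ == "__main__":
    result = correlate()
    print("Threat log source addresses:", result["threat_sources"])
    print("Hosts that contacted the sinkhole:", result["infected_hosts"])
```

The Threat log alone yields only 10.0.0.53, the resolver, while filtering the Traffic log on the sinkhole destination pins the activity to 10.1.1.20 (two attempts) and 10.1.1.35; the host talking to 192.0.2.80 is not implicated. The same filter is what you would apply in a custom report on the sinkhole IP address, as the DNS Sinkhole Settings description suggests.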