Objects > Security Profiles > Anti-Spyware Profile
Table of Contents
Objects > Security Profiles > Anti-Spyware Profile
You can attach an Anti-Spyware profile to a Security
policy rule to detect connections initiated by spyware and command-and-control (C2)
malware installed on systems on your network. You can choose between
two predefined Anti-Spyware profiles to attach to a Security policy
rule. Each profile has a set of predefined rules (with threat signatures)
organized by the severity of the threat; each threat signature includes
a default action that is specified by Palo Alto Networks.
- Default—The default profile uses the default action for critical, high, medium, and low severity signatures, as specified by the Palo Alto Networks content package when the signature is created. It does not include a signature policy for events classified as informational.
- Strict—The strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the reset-both action. The default action is taken with low and informational severity threats.
- You can also create custom profiles. You can, for example, reduce the stringency for Anti-Spyware inspection for traffic between trusted security zones, and maximize the inspection of traffic received from the internet, or traffic sent to protected assets such as server farms.
The following tables describe the Anti-Spyware profile
![]()
settings:
Anti-Spyware Profile
Settings | Description |
|---|---|
Name | Enter a profile name (up to 31 characters).
This name appears in the list of Anti-Spyware profiles when defining
security policies. The name is case-sensitive and must be unique.
Use only letters, numbers, spaces, hyphens, periods, and underscores. |
Description | Enter a description for the profile (up
to 255 characters). |
Shared (Panorama only) | Select this option if you want the profile
to be available to:
|
Disable override (Panorama only) | Select this option to prevent administrators
from overriding the settings of this Anti-Spyware profile in device
groups that inherit the profile. This selection is cleared by default,
which means administrators can override the settings for any device
group that inherits the profile. |
Rules Tab Anti-Spyware
rules allow you to define a custom severity and action to take on
any threat, a specific threat name that contains the text that you
enter, and/or by a threat category, such as adware. Add a
new rule, or you can select an existing rule to and select Find
Matching Signatures to filter threat signatures based
on that rule. | |
Rule Name | Specify the rule name. |
Threat Name | Enter any to match
all signatures, or enter text to match any signature containing
the entered text as part of the signature name. |
| Category | Choose a category, or choose any to match all categories. |
Action | Choose an action for each threat. For a
list of actions, see Actions
in Security Profiles. For the
best security, use the Action settings in the predefined strict profile. |
Packet Capture | Select this option if you want to capture
identified packets. Select single-packet to
capture one packet when a threat is detected, or select the extended-capture option
to capture from 1 to 50 packets (default is 5 packets). Extended-capture
provides more context about the threat when analyzing the threat
logs. To view the packet capture, select , locate
the log entry you are interested in, and then click the green down
arrow in the second column. To define the number of packets to capture,
select and then edit the Content-ID™
Settings. If the action for a given threat is allow, the firewall
does not trigger a Threat log and does not capture packets. If the
action is alert, you can set the packet capture to single-packet
or extended-capture. All blocking actions (drop, block, and reset
actions) capture a single packet. The content package on the device
determines the default action. Enable
extended-capture for critical, high, and medium severity events.
Use the default extended-capture value of 5 packets, which provides
enough information to analyze the threat in most cases. (Too much
packet capture traffic may result in dropping packet captures.)
Don’t enable extended-capture for informational and low severity
events because it’s not very useful compared to capturing information
about higher severity events and creates a relatively high volume
of low-value traffic. |
Severity | Choose a severity level (critical, high, medium, low,
or informational). |
Exceptions Tab Allows
you to change the action for a specific signature. For example,
you can generate alerts for a specific set of signatures and block
all packets that match all other signatures. Threat exceptions are
usually configured when false-positives occur. To make management
of threat exceptions easier, you can add threat exceptions directly
from the list. Ensure that you
obtain the latest content updates so that you are protected against
new threats and have new signatures for any false-positives. | |
Exceptions | Enable each threat
for which you want to assign an action or select All to
respond to all listed threats. The list depends on the selected
host, category, and severity. If the list is empty, there are no
threats for the current selections. Use IP Address Exemptions
to add IP address filters to a threat exception. If IP addresses
are added to a threat exception, the threat exception action for
that signature overrides the action for a rule only when the signature
is triggered by a session with a source or destination IP address
that matches an IP address in the exception. You can add up to 100
IP addresses per signature. With this option, you do not have to
create a new policy rule and new vulnerability profile to create
an exception for a specific IP address. Create
an exception only if you are sure that a signature identified as
spyware is not a threat (it is a false positive). If you believe
you discovered a false positive, open a support case with TAC so
Palo Alto Networks can analyze and fix the incorrectly identified
signature. As soon as the issue is resolved, remove the exception from
the profile. |
DNS Signatures Tab The DNS
Signatures settings provides an additional method of identifying
infected hosts on a network. These signatures detect specific DNS
lookups for host names that have been associated with malware. | |
| Policies & Settings Tab The DNS
Signature Policies allows you to select and configure DNS
signature policy sources to allow, alert, sinkhole, or block when
these queries are observed, just as with regular antivirus signatures.
Hosts that perform DNS queries for malware domains will appear in
the botnet report. Additionally, you can specify sinkhole IPs in
the DNS Sinkhole Settings if you are sinkholing
malware DNS queries. | |
| DNS Signature Source | Allows you to select the lists for which
you want to enforce an action when a DNS query occurs. There are
two default DNS signature policy options:
By
default, the locally-accessed Palo Alto Networks Content DNS signatures
are sinkholed, while the cloud-based DNS Security is set to allow.
If you want to enable sinkholing using DNS Security, you must configure
the action on DNS queries to sinkhole. The default address used
for sinkholing belongs to Palo Alto Networks (sinkhole.paloaltonetworks.com).
This address is not static and can be modified through content updates
on the firewall or Panorama. Add a
new list and select the External Dynamic List of type Domain that
you created. To create a new list, see Objects
> External Dynamic Lists. |
Action on DNS queries | Choose an action to take when DNS lookups
are made to known malware sites. The options are alert, allow, block,
or sinkhole. The default action for Palo
Alto Networks DNS signatures is sinkhole. The
DNS sinkhole action provides administrators with a method of identifying
infected hosts on the network using DNS traffic, even when the firewall
is north of a local DNS server (for example, the firewall cannot
see the originator of the DNS query). When a threat prevention license
is installed and an Anti-Spyware profile is enabled in a Security
Profile, the DNS-based signatures trigger on DNS queries directed
at malware domains. In a typical deployment where the firewall is
north of the local DNS server, the threat log identifies the local
DNS resolver as the source of the traffic rather than the actual infected
host. Sinkholing malware DNS queries solves this visibility problem
by forging responses to the queries directed at malicious domains,
so that clients attempting to connect to malicious domains (for
command-and-control, for example) instead attempt connections to
an IP address specified by the administrator. Infected hosts can then
be easily identified in the traffic logs because any host that attempts
to connect to the sinkhole IP are most likely infected with malware. Enable DNS sinkhole when the firewall can’t
see the originator of the DNS query (typically when the firewall
is north of the local DNS server) so you can identify infected hosts.
If you can’t sinkhole the traffic, block it. |
Packet Capture | Select this option for a given source if
you want to capture identified packets. Enable
packet capture on sinkholed traffic so you can analyze it and get
information about the infected host. |
| DNS Sinkhole Settings | After sinkhole action is defined for a DNS
signature source, specify an IPv4 and/or IPv6 address that will
be used for sinkholing. By default, the sinkhole IP address is set
to a Palo Alto Networks server. You can then use the traffic logs
or build a custom report that filters on the sinkhole IP address
and identify infected clients. The following is the sequence
of events that will occur when an DNS request is sinkholed: Malicious
software on an infected client computer sends a DNS query to resolve
a malicious host on the Internet. The client's DNS query is
sent to an internal DNS server, which then queries a public DNS
server on the other side of the firewall. The DNS query matches
a DNS entry in the specified DNS signature database source, so the
sinkhole action will be performed on the query. The infected
client then attempts to start a session with the host, but uses
the forged IP address instead. The forged IP address is the address
defined in the Anti-Spyware profile DNS Signatures tab when the
sinkhole action is selected. The administrator is alerted
of a malicious DNS query in the threat log, and can then search
the traffic logs for the sinkhole IP address and can easily locate
the client IP address that is trying to start a session with the
sinkhole IP address. |
| Exceptions Tab The DNS
signature Exceptions allow
you to exclude specific threat IDs from policy enforcement. To
add specific threats that you want to exclude from policy, select
or search for a Threat ID and click Enable.
Each entry provides the threat ID, Name,
and FQDN of the object. | |