How to Use a Vulnerability Protection Profile to Block a .exe File

Created On 09/25/18 17:59 PM - Last Modified 06/13/23 05:07 AM


Resolution


Overview

This document explains how to use a Vulnerability Protection Profile to block the picasa.exe file without blocking all .exe files.

 

Steps

Find and Copy the Pattern:

  1. Run Wireshark on the PC.
  2. Download picasa.exe from the website.
  3. In the Wireshark capture, locate the stream for that download by searching for "http" packets (refer to image). You can also follow the stream to get more details of the GET packet.

    ss1.gif

  4. Copy the GET pattern or copy picasa38-setup.exe as shown above.

 

Create a Custom Signature

  1. Create a Custom Signature under the following tabs:
    • Objects > Custom Signatures > Vulnerability > Add > Configuration

      ss2.gif

    • Add a Threat ID ranging between 41000 - 45000.
    • Add the severity and direction. In this example, Critical and Both are chosen.
    • Add the pattern shown below under Signature.

      ss3.gif
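
As an added example (not part of the original article and not Palo Alto Networks code), this Python script extracts the request URIs from a followed HTTP stream, builds a literal pattern from the file name, and confirms that it matches the picasa download but not other .exe requests. The sample stream, host names and function names are constructed for illustration; Python's `re` module stands in for the firewall's pattern engine, and the 7-byte minimum reflects the PAN-OS requirement that a custom signature pattern contain at least 7 fixed bytes.

```python
import re

# Constructed sample: request heads as they appear in a followed HTTP stream.
# Hosts and paths are made up; only the file name comes from the article.
SAMPLE_STREAM = (
    "GET /downloads/picasa38-setup.exe HTTP/1.1\r\n"
    "Host: downloads.example.test\r\n"
    "User-Agent: test-client\r\n\r\n"
    "GET /tools/other-setup.exe HTTP/1.1\r\n"
    "Host: downloads.example.test\r\n\r\n"
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.test\r\n\r\n"
)

MIN_FIXED_BYTES = 7  # PAN-OS custom signature patterns need >= 7 fixed bytes
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r?$", re.MULTILINE)
METACHARS = re.compile(r"([.\\*+?()\[\]{}|^$])")


def request_uris(stream_text):
    """Return the request URIs found in a followed-stream text dump."""
    return [m.group(2) for m in REQUEST_LINE.finditer(stream_text)]


def candidate_pattern(uri):
    """Build a literal pattern from the file name at the end of the URI path."""
    file_name = uri.split("?", 1)[0].rsplit("/", 1)[-1]
    return METACHARS.sub(r"\\\1", file_name)  # escape regex metacharacters


def fixed_byte_count(pattern):
    """Length of a purely literal pattern once its escapes are resolved."""
    return len(re.sub(r"\\(.)", r"\1", pattern))


def blocked_uris(pattern, uris):
    """URIs the pattern would match (Python re used as a stand-in engine)."""
    rx = re.compile(pattern)
    return [u for u in uris if rx.search(u)]


if __name__ == "__main__":
    uris = request_uris(SAMPLE_STREAM)
    pattern = candidate_pattern(uris[0])
    ok = fixed_byte_count(pattern) >= MIN_FIXED_BYTES
    print("pattern:", pattern, "| enough fixed bytes:", ok)
    hits = blocked_uris(pattern, uris)
    for u in uris:
        print("DROP " if u in hits else "allow", u)
```

Running the same check with a pattern of only `\.exe` matches both .exe requests, which is the over-blocking the article's file-name pattern avoids.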

Create a Vulnerability Protection Profile

  1. Create a Vulnerability Protection Profile under the following tab:
    • Objects > Vulnerability Protection > Add.
    • Select the custom signature (as shown below).

      ss4.gif

    • Select Drop or the action needed.
  2. Add this profile to the rule.

    ss5.gif

  3. Commit the changes.

 

Test the Rule

  1. Try downloading the picasa.exe file and see the threat logs under the Monitor tab.

    ss6.gif

  2. Log Details:

    ss7.gif

 

owner: panagent


