Palo Alto Networks Knowledgebase: How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats

Created On 08/05/19 19:22 PM - Last Updated 08/05/19 19:48 PM
Threat Intelligence Threat Prevention
Resolution

This document describes how to use Anti-Spyware, Vulnerability Protection, and Antivirus Exceptions to change actions for specific threats on Palo Alto Networks firewalls.

Anti-Spyware or Vulnerability Protection Exceptions

For example, to add an Anti-Spyware Exception for threat ID #30003 to an existing profile named "Threat_exception_test_profile":

  1. Go to Objects > Security Profiles > Anti-Spyware or Vulnerability Protection.
  2. Select the existing profile.
  3. Click the Exceptions tab.
  4. First, check the "Show all signatures" checkbox at the lower left of the profile window.
  5. In the search field, enter a search string (e.g., "microsoft") or simply the threat ID number itself (e.g., 30003). Press Enter or click the green arrow to start the search.
    Note: If the signature being searched for was just added by the latest dynamic update and is not returned in the search results, log out of the Web UI and log back in to clear the GUI cache.
  6. The results return "Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability" (threat ID #30003).
    Note: Threat IDs can be determined easily from the threat logs.
  7. To enable this exception, check the Enable box.
  8. Change the default Action value to handle the non-excluded traffic: select Allow to allow the traffic, or Drop to drop it.
    (Screenshot: Threat Action detail, changing the default action.)
  9. Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the exception action for that signature takes precedence over the rule's action only when the signature is triggered by a session whose source or destination IP matches an IP in the exception. You can add up to 100 IP addresses per signature. With this option, you do not have to create a new policy rule and a new vulnerability profile to make an exception for a specific IP address. To exclude only certain IP addresses rather than all traffic, click the blank cell under "IP Address Exemptions", click Add at the bottom, and add up to 100 IPs to the list.
    (Screenshot: IP Address Exemption detail.)
  10. Make sure that the Anti-Spyware and/or Vulnerability Protection profiles are applied to the appropriate security policies.
  11. Commit the changes to enable the exception.

Antivirus Exceptions

For example, to add an Antivirus exception for threat ID #253879 to an existing profile named "AV_exception_test_profile":
Note: Excluding a virus signature is all or nothing; you cannot exempt only an IP address from this protection. The exception applies to all traffic allowed by that rule/antivirus policy.

  1. Go to Objects > Security Profiles > Antivirus.
  2. In the existing profile, click the Virus Exception tab.
  3. Enter the ID value (for this example, 253879) into the Threat Id field at the bottom of the page, and click Add.
    Note: The threat ID can be determined from the threat logs.
  4. For this example, an exception for "Win32/Virus.Generic.koszy" is created.
    (Screenshot: Antivirus Virus Exception window detail.)
  5. Make sure that the Antivirus profile is applied to the appropriate security policies.
  6. There is no option to exclude only certain IP addresses with an Antivirus exception.
  7. Commit the changes to make this take effect.
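As an added example, not part of the article or of any Palo Alto Networks tool, the following Python models the override rules described in both procedures above (IP-scoped Anti-Spyware/Vulnerability exceptions and all-or-nothing Antivirus exceptions) so that an exported exception list can be audited offline. Threat ID 30003 and the 100-address limit come from the article; the profile contents, the 99999 threat ID and the threat-log lines are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

MAX_EXEMPT_IPS = 100  # per-signature limit stated in the article
@dataclass
class ThreatException:  # one Anti-Spyware / Vulnerability Protection exception (constructed model)
    threat_id: int
    action: str                                   # "allow" or "drop"
    exempt_ips: set = field(default_factory=set)  # empty = applies to every session
    def __post_init__(self):
        if len(self.exempt_ips) > MAX_EXEMPT_IPS:
            raise ValueError(f"threat {self.threat_id}: more than {MAX_EXEMPT_IPS} exempt IPs")
        self.exempt_ips = {ip_address(ip) for ip in self.exempt_ips}

def effective_action(default_action, exceptions, threat_id, src, dst):
    """Action taken when threat_id fires on session src -> dst. With IP exemptions,
    the exception overrides the default only if source OR destination is listed."""
    exc = exceptions.get(threat_id)
    if exc is None:
        return default_action
    if not exc.exempt_ips:
        return exc.action
    if ip_address(src) in exc.exempt_ips or ip_address(dst) in exc.exempt_ips:
        return exc.action
    return default_action

def av_effective_action(default_action, virus_exceptions, threat_id):
    # Antivirus (virus) exceptions are all-or-nothing: there is no IP scoping.
    return "allow" if threat_id in virus_exceptions else default_action

def overly_broad_allows(exceptions):
    """Audit helper: 'allow' exceptions with no IP exemptions silence the signature for everyone."""
    return sorted(e.threat_id for e in exceptions.values()
                  if e.action == "allow" and not e.exempt_ips)

# Constructed profile: 30003 (the article's example) is allowed only for one host.
SPYWARE_EXCEPTIONS = {
    30003: ThreatException(30003, "allow", {"10.1.1.50"}),
    99999: ThreatException(99999, "allow"),  # placeholder ID, not a real signature; unscoped
}
SAMPLE_THREAT_LOG = [  # constructed "threat_id,src,dst" lines
    "30003,10.1.1.50,192.0.2.10",  # exempt host is the source -> allow
    "30003,192.0.2.10,10.1.1.50",  # exempt host is the destination -> allow
    "30003,10.1.1.51,192.0.2.10",  # no match -> profile default applies
    "99999,10.1.1.51,192.0.2.10",  # unscoped allow -> allowed for anyone
]

def replay(log_lines, default_action, exceptions):
    # Replay threat-log lines through the profile; returns (threat_id, action) pairs.
    rows = [line.split(",") for line in log_lines]
    return [(int(t), effective_action(default_action, exceptions, int(t), s, d)) for t, s, d in rows]
```

Running `overly_broad_allows` over a real export is the check worth keeping: any allow-exception it reports suppresses the signature for every session the rule matches, not just the intended host.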

owner: kadak

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC