How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats

How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats

60698
Created On 09/25/18 19:45 PM - Last Modified 08/06/21 02:20 AM


Symptom
This document describes how to use Anti-Spyware, Vulnerability Protection, and Antivirus Exceptions to change actions for specific threats on the Palo Alto Network Firewalls.

Environment
  • Palo Alto Firewall
  • PAN-OS 8.1 and above.
  • Anti-Spyware, Vulnerability or Antivirus Exceptions


Resolution

Anti-Spyware or Vulnerability Protection Exceptions

For example: Add an Anti-Spyware Exception for threat ID #30003 to an existing profile named "Threat_exception_test_profile"

  1. Go to Objects > Security Profiles > 'Anti-Spyware' or 'Vulnerability Protection'
  2. Select the existing profile
  3. click the "Exceptions" tab.
  4. First, check the "Show all signatures" checkbox at the lower left hand part of the profile window.
  5. In the search field, enter a string as "( ex. 'microsoft' )" or simply enter the threat ID number itself (ex. 30003). Press enter or click the green arrow to initiate the search.
    Note: If the signature being searched for was just applied in the latest dynamic update operation and it is not being returned in the search results, log out of the Web UI and then log back in to clear the GUI cache.
  6. The results will return "Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability" (which is threat ID #30003).
    Note: Threat IDs can be easily determined from the threat logs.
  7. To enable this exception, check the 'Enable' box
  8. change the default 'Action' value to handle the non-excluded traffic. To allow the traffic, select Allow, or to drop the traffic select Drop.
     

vulnerability exception.png

2016-12-19_exceptions threats2.png
Threat Action detail - change default action.
  1. Use the IP Address Exceptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature will only be taken over the rule's action if the signature is triggered by a session having either the source or destination IP matching an IP in the exception. You can add up to 100 IP addresses per signature. With this option, one does not need have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address. In order to exclude certain IP addresses, and not all traffic, click on the blank under "IP Address Exemptions", click Add at the bottom. One can add up to 100 IP addresses to the list.
     
2016-12-19_exceptions threats3.png
IP Address Exemption detail.
 
  1. Make sure that Anti-Spyware and or Vulnerability Protection profiles are applied to the appropriate security policies.
  2. Commit changes to enable the Exception. 

 

Antivirus Exceptions

For example, to add an antivirus exception for threat ID #253879 to an existing profile named "AV_exception_test_profile":
(Note: Be aware that if you exclude a Virus from bring checked against, this is all or nothing, you cannot exclude just an IP from this protection, it would be all that is allowed on that rule/antivirus policy).

  1. Go to GUI:Objects > Security Profiles > Antivirus.
  2. In the existing the profile, click on the Virus Exception tab.
  3. Enter the ID value (for this example, 253879 ) into the Threat Id field at the bottom of the page, and click Add and then OK.
    Note: The threat id can be determined from the threat logs.
  4. For this example, an exception for "Win32/Virus.Generic.koszy" is created.
     
2016-12-19_exceptions antivirus1.png
AntiVirus - Virus Exception window detail.
  1. Make sure that Antivirus profiles are applied to the appropriate security policies.
  2. There is no option to exclude just certain IP addresses with an AntiVirus Exception.
  3. Commit the changes.

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language