Palo Alto Networks Knowledgebase: How to Determine Risk Level of Application, Spyware, and Anti-Virus

Created On 09/26/18 13:44 PM - Last Updated 09/26/18 14:00 PM
Categories:  Threat Intelligence,  Threat Prevention

Solution:


Shown below is the matrix used to determine the risk level of applications, spyware, and anti-virus threats. The technology type and the flagged characteristics of an application feed the weighted score, and the score maps to a risk level from 1 to 5.


Technology

| Technology | Description |
|---|---|
| network-protocol | An application that is generally used for system-to-system communication that facilitates network operation. This includes most of the IP protocols. |
| client-server | An application that uses a client-server model where one or more clients communicate with a server in the network. |
| peer-to-peer | An application that communicates directly with other clients to transfer information instead of relying on a central server to facilitate the communication. |
| browser-based | An application that relies on a web browser to function. |


Characteristics

| Characteristic | Description |
|---|---|
| Capable of File Transfer | Likely has more than 1,000,000 users. Has the capability to transfer a file from one system to another over a network. A streaming app that has no mechanism to transfer files other than the video or audio stream itself should not be flagged as able to transfer files. |
| Used by Malware | Malware has been known to use the app for propagation, attack, or data theft, or the app is distributed with malware. |
| Excessive Bandwidth Use | Consumes at least 1 Mbps on a regular basis through normal use. |
| Evasive | Uses a port or protocol for something other than its originally intended purpose in the hope that it will traverse a firewall. |
| Pervasive | Likely has more than 1,000,000 users. |
| Known Vulnerabilities | Has a publicly reported vulnerability. For web-based apps, it should also be set to yes, as HTTP always has vulnerabilities. |
| Prone to Misuse | Often used for nefarious purposes, or is easily set up to expose more than the user intended. |
| Tunnels Other Apps | Is able to transport other applications inside its protocol. |
| File-type ident | Should be set if the app can upload or download a file type over a decodable protocol (e.g. HTTP). |
| Spyware-ident | Should be set if the app can upload or download an executable file over a decodable protocol. |
| Virus-ident | Same as Spyware-ident. |
| Vulnerability-ident | For web-based apps, Vulnerability-ident should always be yes, since they run over HTTP and HTTP always has some vulnerabilities. |
| deny-action | For web-based apps, deny-action should be set to drop-reset (unless the app has issues receiving a TCP reset). |


Risk Calculation

Weights

| Characteristic | Factor |
|---|---|
| Evasive | 3 |
| Excessive Bandwidth Use | 1 |
| Used by Malware | 4 |
| Capable of File Transfer | 3 |
| Known Vulnerabilities | 3 |
| Tunnels Other Apps | 2 |
| Prone to Misuse | 2 |
| Pervasive | 1 |
| Total | 19 |


Risk Assignment

| Risk | Range |
|---|---|
| 1 | 0–3 |
| 2 | 4–6 |
| 3 | 7–9 |
| 4 | 10–13 |
| 5 | 14+ |
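As an added worked example (not code from the Palo Alto Networks article), the following Python applies the weight table and the risk ranges to a set of flagged characteristics. The characteristic key names, and the forced Known Vulnerabilities flag for browser-based apps, are this example's own rendering of the rules in the tables above.

```python
# Added example (not from the Palo Alto Networks article): applies the weight
# table and risk ranges above to a set of App-ID characteristics. The keys
# below are this example's own names for the table rows.
WEIGHTS = {
    "evasive": 3,
    "excessive-bandwidth-use": 1,
    "used-by-malware": 4,
    "capable-of-file-transfer": 3,
    "known-vulnerabilities": 3,
    "tunnels-other-apps": 2,
    "prone-to-misuse": 2,
    "pervasive": 1,
}
MAX_SCORE = sum(WEIGHTS.values())  # 19, the table's Total row

# (risk level, lowest score, highest score); None means open-ended ("14+")
RISK_RANGES = [(1, 0, 3), (2, 4, 6), (3, 7, 9), (4, 10, 13), (5, 14, None)]


def effective_characteristics(technology, characteristics):
    """Deduplicate, validate, and apply the article's rule that a browser-based
    app always carries Known Vulnerabilities because it runs over HTTP."""
    effective = set(characteristics)
    unknown = effective - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown characteristic(s): {sorted(unknown)}")
    if technology == "browser-based":
        effective.add("known-vulnerabilities")
    return effective


def risk_score(technology, characteristics):
    """Sum the factor of every flagged characteristic, each counted once."""
    return sum(WEIGHTS[c] for c in effective_characteristics(technology, characteristics))


def risk_level(score):
    """Map a 0..19 score onto the 1..5 level of the Risk Assignment table."""
    if not 0 <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside 0..{MAX_SCORE}")
    return next(level for level, low, high in RISK_RANGES
                if low <= score and (high is None or score <= high))


def assess(technology, characteristics):
    """Return (score, risk level) for one application."""
    score = risk_score(technology, characteristics)
    return score, risk_level(score)

# Constructed sample: an evasive peer-to-peer file-sharing client -> (15, 5)
print(assess("peer-to-peer", ["evasive", "capable-of-file-transfer", "used-by-malware", "tunnels-other-apps", "prone-to-misuse", "pervasive"]))
```

A browser-based app with only Pervasive flagged still scores 4 (risk 2), because the forced Known Vulnerabilities factor is added before the sum.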

 

owner: jnguyen
