Palo Alto Networks Knowledgebase: How to verify the direction of spyware signatures for downloaders


Created On 09/27/18 07:05 AM - Last Updated 09/27/18 15:23 PM
Categories:  Threat Intelligence,  Threat Prevention



This document describes how to verify the trigger direction of spyware signatures for downloaders that appear in the threat log.



The signatures in the table below detect malicious downloaders attached to emails. The signatures work for both SMTP and POP3; in other words, they detect both cases: (a) the attacker sends the file inbound over SMTP, and (b) the victim downloads the file from the mail server over POP3.


ID     Threat Name                                     Direction
13129  JSDownloader.Gen Javascript Detection           server-to-client
13606  Nemucod.JSDownloader.Gen Javascript Detection   server-to-client
13996  JS.DownLoader.2332 Javascript Detection         server-to-client
14119  JSDownloader.Gen javascript Detection           server-to-client
14283  Locky.JSDownloader.Gen Javascript Detection     client-to-server
14337  LF.JSDownloader.Gen Javascript Detection        server-to-client
14542  KV.JSDownloader.Gen Javascript Detection        server-to-client
14567  Nemucod.JSDownloader.Gen Javascript Detection   server-to-client
14613  Locky.JSDownloader.Gen Javascript Detection     server-to-client
14616  Swabfex.JSDownloader.Gen Javascript Detection   server-to-client
14680  Dridex.JSDownloader.Gen Javascript Detection    server-to-client
14700  Locky.LNKDownloader.Gen Script Detection        server-to-client
14834  Locky.JSDownloader.Gen Javascript Detection     server-to-client
14847  Cerber.JSDownloader.Gen Javascript Detection    server-to-client


The "direction" of these signatures is set to server-to-client, except for ID 14283. The direction value is used only for logging purposes in the threat log; the signatures still trigger in either direction. We updated the "direction" of ID 14283 to client-to-server in order to cover the most common scenario.



Example : POP3 server / SMTP server : Mail client (User)

Threat ID : 14283


A malicious email is sent through the firewall from the client to the SMTP server; the recipient then retrieves the email from the POP3 server to the client.


Here is the relevant part of the threat log, exported as a CSV file from the firewall.



In the case of POP3, since the signature direction is client-to-server, the log makes it look as if the attack was performed by the user against the server, from to


In the same manner, if the direction of the signature is server-to-client, then in the case of SMTP the threat log shows the attack in the opposite direction to the actual mail flow.


This is a limitation of how the direction field is written to the threat log for threat signatures (a signature carries a single direction, while the mail flow differs between SMTP and POP3), and it is an expected result.
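To see how the logged direction can be read without misattributing the user as the attacker, here is an added Python example (not part of this article or of PAN-OS). It parses a constructed CSV threat log excerpt and recovers the actual path of the attachment from the application and the direction field. It assumes that the threat log's src/dst columns follow the signature's direction (src is the side named first in the direction value) and that the threatid column has the "Name(ID)" form; the IP addresses, timestamps and column set are invented for the example.

```python
import csv
import io
import re

# Constructed sample export (not a real firewall log); columns are a subset of
# the threat log CSV fields and all values are made up for the example.
SAMPLE_THREAT_CSV = """receive_time,src,dst,app,threatid,direction
2018/09/27 07:05:00,192.0.2.10,198.51.100.25,smtp,Locky.JSDownloader.Gen Javascript Detection(14283),client-to-server
2018/09/27 07:06:00,192.0.2.10,198.51.100.110,pop3,Locky.JSDownloader.Gen Javascript Detection(14283),client-to-server
2018/09/27 07:07:00,198.51.100.25,192.0.2.10,smtp,JSDownloader.Gen Javascript Detection(13129),server-to-client
2018/09/27 07:08:00,198.51.100.110,192.0.2.10,pop3,JSDownloader.Gen Javascript Detection(13129),server-to-client
"""

# Direction in which the attachment actually travels for each mail protocol:
# a sender submits mail to an SMTP server, a user pulls mail from a POP3 server.
MAIL_FLOW = {"smtp": "client-to-server", "pop3": "server-to-client"}

THREAT_ID_RE = re.compile(r"\((\d+)\)\s*$")  # assumed "Name(ID)" format


def resolve_mail_flow(row):
    """Return where the attachment really came from and went to for one log row."""
    direction = row["direction"]
    # Assumption: src/dst are written from the signature's direction, so the
    # session client is src for client-to-server and dst for server-to-client.
    if direction == "client-to-server":
        session_client, session_server = row["src"], row["dst"]
    elif direction == "server-to-client":
        session_client, session_server = row["dst"], row["src"]
    else:
        raise ValueError("unknown direction: %r" % direction)
    app = row["app"].lower()
    if app not in MAIL_FLOW:
        raise ValueError("not a mail protocol: %r" % app)
    if MAIL_FLOW[app] == "client-to-server":
        attachment_from, attachment_to = session_client, session_server
    else:
        attachment_from, attachment_to = session_server, session_client
    match = THREAT_ID_RE.search(row["threatid"])
    return {
        "app": app,
        "threat_id": int(match.group(1)) if match else None,
        "attachment_from": attachment_from,
        "attachment_to": attachment_to,
        # False means the log's src/dst read opposite to the real mail flow.
        "log_direction_matches_mail_flow": direction == MAIL_FLOW[app],
    }


def parse_threat_csv(text):
    """Parse a CSV threat log export and resolve the mail flow of every row."""
    return [resolve_mail_flow(row) for row in csv.DictReader(io.StringIO(text))]
```

Rows where log_direction_matches_mail_flow is False are exactly the POP3 hits of a client-to-server signature and the SMTP hits of a server-to-client signature described above.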



owner: ymiyashita

