How to create a custom spyware signature for a plaintext ASCII file

Created On 06/27/23 08:11 AM - Last Modified 04/04/24 16:35 PM


Objective


To configure a custom spyware signature that matches on data inside a plaintext ASCII file.

Environment


  • PAN-OS Firewall
  • Custom Spyware Object
  • Anti-Spyware Profile


Procedure


  1. Create a Spyware Custom Object
  2. Fill in the required fields (name, threat ID, severity, direction, and so on) for your use case
  3. For the Context, choose "file-html-body"
  4. Prefer a hex pattern, for example "\x6d65727303636f6d\x", to keep the performance impact low
  5. Make sure the desired Action is set for the custom object in the Anti-Spyware Profile under "Signature Exceptions"
  6. Make sure the Anti-Spyware Profile is attached to the Security Policy rule that the traffic matches
  7. Commit the changes


Additional Information


Note that you cannot use the "file-data" context for plaintext ASCII files, because they do not match any of the file types that "file-data" requires:
https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/file-data

Note that you also cannot use the "file-unknown-body" context for plaintext ASCII files, because "file-unknown-body" applies only to files of an unknown type, and a plaintext file is not typed as unknown.
If the first 8 bytes of the test file are all readable ASCII characters, the firewall's internal logic types the file as HTML, which is why "file-html-body" is the context that matches.
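The following script is an added example, not code from Palo Alto Networks or this article. It models the two points above and the pattern step of the procedure: it reproduces the "first 8 readable ASCII bytes means HTML" typing rule, converts a plaintext marker into the \x...\x hex form used in the pattern field, and checks the pattern's syntax before you paste it into the custom object. Assumptions are labelled in the code: "readable ASCII" is taken to mean the printable characters plus tab, LF and CR, the 7-byte minimum pattern length is an assumed value to confirm against the current PAN-OS documentation, and the sample files are constructed, not captured.

```python
"""Build and sanity-check a PAN-OS custom spyware hex pattern for a
plaintext ASCII file (added example; not PAN-OS or article code)."""
import string

# What this example takes "readable ASCII" to mean (assumption): the
# printable characters plus whitespace such as tab, LF and CR.
READABLE_ASCII = frozenset(string.printable.encode("ascii"))

# Minimum pattern length for custom signatures (assumed value; confirm
# against the current PAN-OS documentation before relying on it).
MIN_PATTERN_BYTES = 7


def treated_as_html(data: bytes) -> bool:
    """Model the typing rule from the article: if the first 8 bytes are all
    readable ASCII, the file is typed as HTML and file-html-body applies.
    The real decoder checks known magic numbers first (PDF, PE, ...), so
    this only models the plaintext case."""
    head = data[:8]
    return len(head) == 8 and all(b in READABLE_ASCII for b in head)


def to_hex_pattern(text: str) -> str:
    """Encode an ASCII string in the \\x...\\x hex form used in the pattern
    field, e.g. 'merr' -> '\\x6d657272\\x'."""
    return "\\x" + text.encode("ascii").hex() + "\\x"


def validate_pattern(pattern: str) -> "tuple[bool, str]":
    """Check the syntactic constraints before pasting into the object."""
    if not (pattern.startswith("\\x") and pattern.endswith("\\x")):
        return False, "hex pattern must be wrapped in \\x ... \\x"
    digits = pattern[2:-2]
    if len(digits) % 2 != 0:
        return False, "odd number of hex digits; each byte needs two digits"
    try:
        raw = bytes.fromhex(digits)
    except ValueError:
        return False, "non-hex characters inside the \\x delimiters"
    if len(raw) < MIN_PATTERN_BYTES:
        return False, f"pattern is {len(raw)} bytes; need at least {MIN_PATTERN_BYTES}"
    return True, "ok"


def pattern_bytes(pattern: str) -> bytes:
    """Decode a validated \\x...\\x pattern back to raw bytes."""
    return bytes.fromhex(pattern[2:-2])


def would_match(data: bytes, pattern: str) -> bool:
    """Simulate the signature: the file must be typed as HTML (so the
    file-html-body context is consulted at all) and must contain the bytes."""
    return treated_as_html(data) and pattern_bytes(pattern) in data


# Constructed sample files for the example (not real captures).
PLAINTEXT_FILE = b"hostname=ws01\nbeacon=EVIL-BEACON-01\ninterval=60\n"
ELF_FILE = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56 + b"EVIL-BEACON-01"

if __name__ == "__main__":
    pat = to_hex_pattern("EVIL-BEACON-01")
    print("pattern:", pat, validate_pattern(pat))
    print("plaintext typed as html:", treated_as_html(PLAINTEXT_FILE))
    print("elf typed as html:", treated_as_html(ELF_FILE))
    print("would match plaintext:", would_match(PLAINTEXT_FILE, pat))
    print("would match elf via file-html-body:", would_match(ELF_FILE, pat))
```

The last two lines of output are the practical takeaway: the same marker bytes are present in both files, but only the plaintext file is typed as HTML, so a file-html-body signature fires on it and not on the ELF binary. Use the hex form produced here in step 4 rather than a string pattern, and note that the marker you pick should be long and specific enough to clear the minimum length without matching benign text.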

For more details on creating custom signatures, refer to the Tech Note:
Creating Custom Signatures Tech Note

For more details on measuring the performance impact of a custom signature, refer to the technical documentation:
https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/testing-pattern-performance-impact


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kIAgCAM&lang=en_US