Archive | PAN RSS for this section

New Traps v3.4: Protect Yourself From (Anti)virus


It is truly hard to be secured in these days – all those waves of countless phishing campaigns, increase of ransomware activity which day by day spreads like a plague and even worth – all those low profile hi-skilled APT..

In this conditions traditional signature-based AV solutions can not guarantee enough level of protection. You just need to keep in mind that signatures always late, from the beginning. It is obvious for us, technical guys, but may be it is not clear for business decision makers. The problem is that to make a signature you need a sample or threat. It means that somebody needs to be infected first, needs to be a so called “0-patien”. In modern world no one wants to be him because usually it involves reputation risks and data breach. Another issue what I saw many times – when company implements traditional AV they may low setting to avoid conflicts with business software. This reduce overall level of protection from low to ground. And even when security convinced use additional measurements (like EMET or intrusion prevention system) – implementation of this additional layer usually take more time and recourses. For technical department it is difficult to correctly implement such systems. As a result many customers does not full implementation of it or run it without prevention enabled. It means that they got level of protection which is not far from AV.


I saw many different samples which was pushed by email. More often bad guys are use OSINT and Social Engineering technics to evade protection and force victim employers to let them in. If you saw ”Please enable macro/content” you know what I mean. It is something caustic and irony to see how attackers use sample code, sometimes very primitive to run payload. But it works great and brings them nice monetization. This is the reson why they generate new samples so fast and in such big quantity. Those who keep an eye on this process can noticed – hey, this is industrial scales.

Thats why enterprise customers need new different approach to protect their endpoints. In nowadays endpoints are main vector of modern (targeted) attacks.

Fresh version of Palo Alto Traps 3.4 introduce new capabilities and bunch of improvements. Thats why enterprise can replace their AV by Traps:


In addition to strong and multi-layer exploit mitigation and malware prevention developers implement possibility of static analysis, which expand Traps arsenal against new unknown executables.

Along with protection enforcement new version got possibility to exclude enterprise applications by their publisher and digital signature, which no doubt is “must have” for large enterprise companies.

And as usually all this are deployed with interception of exploit technics. Memory Corruption Prevention was improved. There are also some changes implemented in Logic Flaw Prevention functionality which helps Traps better recognize and mitigate attempts to interrupt and change normal OS running.


As I mentioned it before in my first look at Traps – I really like how it operates and how it resist against samples which I collected. Especially how it was done with WildFire integration.

Let me explain it little bit more. When Traps detected attempt to execute new unknown code, depends on policies, he can block it until its behavior will be checked by WildFire. Even if company decided not enable such paranoid mod (which I like) WildFire will notify ESM later and if it was harmful next attempt to run these code again will be blocked by bad reputation. Meanwhile even if unknown code was run it goes through Policy Restriction first and after that it will be inspected with malware and exploit mitigation. It is powerful multilayer approach to keep system clean and untouched.

And guess what? It works without engine (scanning) it means minimal impact to system and application productivity. Because it is not AV.

I really like possibility prevent execution from %temp% & %appdata% – because almost each ransomware, or RAT or other threats use this paths to run its operation. Moreover with Traps I can prevent creating child process for list of potential-to-be-hacked application. Serious, why my MS Word must spawn some PowerShell or wscript or event cmd child process if all what I want to do is just create or read new document?

And main exploit & malware protection keep me safe even when I partially disable it for test. It means that even if new 0day allows attackers do not trigger ROP or Heap Spray mitigation, their operations will stopped by others (DLL injection, Shellcode etc).

Bellow you can find examples of my policies. They allow you better understood capabilities of Palo Alto Traps


WildFire settings – a bit paranoid but thats how it should be for those who operate with tons of phishing/SPAM everyday


Execution Restrictions – in 90% legit software does not use those paths, instead malware just literally love them


Child Processes restrictions – this is really handle when you must deal with VBA, java and PowerShell decoys


List of exploit protection modules – oh, did I mentioned that all them are enabled out of box?

If you want to know more about Traps and improvements of new version I suggest you read initial announce.

As quick as I will get new version I will write a more practical review of it.

Stay secure.


Palo Alto Traps vs новые семплы

Вчера (14/07/16) провел первый вебинар по решению Palo Alto Networks Traps.
В процессе были рассмотрены типичные техники работы актуальных образцов ransomware, RAT.
Для тестирования защиты помимо семплов использовал metasploit-framework, msfvenom и veil-evasion.

Примечательно, что практически сразу после вебинара получил новый образец. Сразу решил проверить на нем Traps.
Результат превзошел мои ожидания – даже с выключенным WilFire, отключенными запретами вирусных техник Traps продолжал сопротивляться и не давал семплу инжектировать себя в системные процессы:

macro2Первый запуск – вся защита активирована. Сработала блокировка дочерних процессов.

trapsВторой запуск – отключен запрет на дочерние процессы и на запуск из %tmp%, %appdata%. Сработал WildFire.

DLLТретий запуск – защита от вирусов и WildFire отключен(!). Сработал блок инжекта.

Что такое Palo Alto Traps и как он защищает:

Для тех. кому slideshare неудобен публикую презентацию отдельным файлом pdf (2,5 Мб)
Контент презентации рассчитан на сотрудников ИТ/ИБ подразделений.

Видеозапись вебинара с живой демонстрацией:

Будьте осторожны при использовании высоких технологий.