
PCNSA Exam - Question 185


A coworker found a USB drive labeled "confidential" in the parking lot. They inserted the drive and it infected their corporate laptop with unknown malware. The malware caused the laptop to begin infiltrating corporate data.

Which Security Profile feature could have been used to detect the malware on the laptop?

Correct Answer: C

To detect malware on a laptop, the Antivirus security profile feature is the most appropriate choice. Antivirus profiles are designed to scan for and detect viruses, worms, trojans, and other types of malware in files, including files introduced via USB drives. The feature uses a stream-based malware prevention engine that inspects traffic as soon as it is received, providing protection without significantly affecting performance. Other options, such as DNS Sinkhole or WildFire Analysis, can help identify malicious activity or analyze unknown malware, respectively, but for direct detection of malware on the laptop, Antivirus is the best choice.

Discussion

17 comments
Surfside92 (Option: C)
Oct 5, 2022

The key word in the question = Detect. Antivirus security profiles protect against viruses, worms, and trojans as well as spyware downloads. Answer A will indeed deal with the spyware when it kicks in and tries to do its stuff - but it's Antivirus that detects it.

Racoon1
Sep 3, 2023

It only detects it while the traffic content is in transit on the FW and being inspected. In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected hosts on the protected network using DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware. Anti-Spyware and Vulnerability Protection profiles are configured similarly.
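The log-based identification described above, as an added example that is not part of the original thread: the threat log records the sinkholed DNS query as coming from the internal resolver, while the traffic log shows the actual client connecting to the sinkhole address. The sinkhole IP, the simplified log format and the log lines are constructed for this example.

```python
"""Find infected hosts from firewall logs after DNS sinkholing (constructed data)."""
import csv
import io
from collections import defaultdict

# Sinkhole address returned by the firewall for known-malicious domains.
# Assumed value for this example (RFC 5737 documentation range); the real
# address is whatever is configured in the Anti-Spyware profile.
SINKHOLE_IP = "198.51.100.1"

# Constructed, simplified log lines: type,src,dst,dport,extra.
# THREAT row: the DNS query is seen from the internal resolver (10.0.0.53),
# so it alone does not reveal which client is infected.
# TRAFFIC rows: clients that then connect to the sinkhole IP reveal themselves.
SAMPLE_LOGS = """\
type,src,dst,dport,extra
THREAT,10.0.0.53,203.0.113.9,53,suspicious-dns-query:evil.example(sinkhole)
TRAFFIC,10.0.1.25,198.51.100.1,443,allow
TRAFFIC,10.0.1.40,93.184.216.34,443,allow
TRAFFIC,10.0.1.25,198.51.100.1,80,allow
TRAFFIC,10.0.1.77,198.51.100.1,443,allow
"""


def dns_query_sources(log_text):
    """Return the set of source IPs of sinkholed DNS queries in the threat log.

    With an internal resolver in place this is usually just the resolver itself,
    which is why the traffic-log check below is needed to find the real client.
    """
    return {row["src"] for row in csv.DictReader(io.StringIO(log_text))
            if row["type"] == "THREAT" and "sinkhole" in row["extra"]}


def infected_hosts(log_text, sinkhole_ip=SINKHOLE_IP):
    """Return {client_ip: connection_count} for hosts that contacted the sinkhole."""
    hits = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["type"] == "TRAFFIC" and row["dst"] == sinkhole_ip:
            hits[row["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print("threat-log query sources:", dns_query_sources(SAMPLE_LOGS))
    print("hosts that contacted the sinkhole:", infected_hosts(SAMPLE_LOGS))
```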

khaled_ellaboudy (Option: A)
Feb 23, 2023

Security profile "feature" and not security profile. So it is DNS Sinkhole, which is a "feature" of the anti-spyware profile.

Ermbmx2
May 11, 2023

Yeah, it's a poorly worded question because Palo Alto describes their security profiles as "Security Profile Features". Like stated here: "Additionally, Palo Alto Networks also comes with security profile features, such as antivirus, anti-spyware, VPN, URL Filtering and WildFire features, that are useful in averting both known and unknown threats."

Ermbmx2
May 11, 2023

The link to the source of the quote: https://www.paloaltonetworks.com/customers/bank-ocbc-nisp

Ermbmx2
May 11, 2023

However, now that I am reading that article more in depth, it looks like it may be from the POV of the PA customer and not PA themselves. So I would delete my previous comment if I could LOL.

SillyGoose123 (Option: C)
Mar 13, 2023

A DNS sinkhole can be set up to prevent C2 communications, but it will not detect a virus.

Ermbmx2 (Option: C)
May 11, 2023

Because it says "detect malware ON the laptop" I will have to vote C, as a DNS sinkhole wouldn't actually be ON the laptop and would have to be detected on the firewall or in the sinkhole log. It's a poorly worded question IMO.

Sanjug2022 (Option: C)
Jul 1, 2023

Answer is C. Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses.

Gabyi (Option: B)
May 6, 2024

I would say that the right answer would be B, WildFire Analysis. The laptop was infected with UNKNOWN malware: there are no AV signatures that could detect it, there is no KNOWN malicious domain for a DNS Sinkhole, and DoS protection does not apply here. So the only possible way to detect a zero-day or UNKNOWN malware would be WildFire Analysis.

OhEmGee (Option: A)
Feb 4, 2023

The PA AV isn't running on the endpoint. Malware is delivered via USB. So, now only DNS sinkhole can get info about infected endpoints. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing

nolox (Option: A)
Mar 15, 2023

Because of the word "Feature": https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles

Kalender (Option: C)
May 10, 2023

DNS Sinkhole is for "Malicious Domain" detection, but Antivirus is for malware detection, and the question is about "Malware Detection". "In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define..." (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/security-profiles)

Zeruz (Option: C)
Aug 3, 2023

C: The question says: detect malware.

Racoon1 (Option: A)
Sep 3, 2023

With C (Antivirus), it only detects it while the traffic content is in transit on the FW and being inspected. The file has been transferred already via USB, hence bypassing the AV on the FW.

443Annny (Option: A)
Dec 18, 2023

I think it's A.

TG_Viper (Option: B)
Mar 16, 2024

"Unknown malware" has NO signature yet... therefore it needs WildFire to detect and analyze the unknown threat... you can use DNS sinkhole to detect the infected hosts when they are attempting outbound connections to known malicious sites... the best answer is to use both... this question needs improvement on the wording!

DIG_Tofu (Option: C)
Mar 22, 2024

Seems to be C. The question talks about "security profile feature". It's more logical to talk about the "feature" in the "global" aspect, knowing that the sinkhole is an option of the anti-spyware security profile feature. In this case, if the correct answer is A, the answer should be "anti-spyware" instead of sinkhole. Maybe I'm wrong. Curious to know your thoughts about it.

davidmdlp85 (Option: C)
Apr 24, 2024

I would say that the key word in the question = Detect on the laptop. For detections on the user endpoint it is the antivirus; for detections on outgoing traffic it is the DNS SinkHole.

davidmdlp85 (Option: A)
Apr 24, 2024

Sorry, I might be wrong in my last comment. The PA AV isn't running on the endpoint. Malware is delivered via USB. So, now only DNS sinkhole can get info about infected endpoints. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing

Janhattal (Option: C)
Jun 22, 2024

The correct answer is C, not A. DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's