Palo Alto ignoring malware > 10MB

I just got a PA200 patched to PAN-OS 6.0.10 with the latest Threat Prevention and WildFire content, so I decided to put it to the test. First, I grabbed Stuxnet from https://tuts4you.com/download.php?view.3011, extracted it and uploaded it to a local webserver for testing. PAN-OS quickly identified the malware and blocked the download.
Perfect. It works and I’m now finally safe from all the dangers the internet has to offer! 😀
Well.. we all know that ain’t true.

So, let’s start by modifying the file by appending some dummy 00s, to see whether changing the size and checksum will trick the firewall into accepting the file, or at least trigger WildFire to upload it for sandboxing.

Same as before, I’m safe!!!
The file was not uploaded to the WildFire database either, which means my appended 00s had no effect at all.
After digging around, I found this: the Palo Alto Networks device only compares the first 1024 bytes of a file instead of a checksum over the whole file. It seems the first 1024 bytes do not include the PE header, so tampering with meaningless data at the end of the file will not work. I would probably need to modify the code itself to avoid any known checksums, and by doing so PAN-OS would upload the file for sandboxing.
See the size limits for sandboxing here: https://live.paloaltonetworks.com/docs/DOC-7418

Oh well, I’m not going to spend tonight in IDA and HxD, so I’ll just try to download the last file before I call it a day.

..
..

Seriously??

From what I can see, PAN-OS does not check the first 1024 bytes of files larger than 10MB at all.
I also tested this with CryptoLocker and Zeus from https://www.grc.com/malware.htm. And yes, they still work.

Magic Number: 10486400 Bytes
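An added example, not from the post or from Palo Alto Networks: a small Python audit that models the two observations above (a signature match over only the first 1024 bytes, and the 10486400-byte cut-off) so a defender can flag downloads that the perimeter would never have inspected and hand them to host AV. The constants, the `<=` comparison and the sample data are assumptions taken from this post, not vendor documentation.

```python
from __future__ import annotations
import hashlib
from pathlib import Path

# Assumed from the post's observations on PAN-OS 6.0.10, not from vendor docs.
PREFIX_BYTES = 1024       # only the leading bytes are hashed for the signature match
SIZE_LIMIT = 10486400     # files larger than this were not checked at all (post's "magic number")

def prefix_sha256(data: bytes, n: int = PREFIX_BYTES) -> str:
    """Hash of the leading bytes, i.e. what the signature lookup is keyed on."""
    return hashlib.sha256(data[:n]).hexdigest()

def full_sha256(data: bytes) -> str:
    """Whole-file hash, the value a host AV or IR workflow would normally record."""
    return hashlib.sha256(data).hexdigest()

def padding_changes_prefix_hash(data: bytes, pad_len: int) -> bool:
    """Appended bytes only move the prefix hash when the file is shorter than the prefix window.
    This is why the post's padded Stuxnet sample was still recognised."""
    return prefix_sha256(data) != prefix_sha256(data + b"\x00" * pad_len)

def perimeter_inspected(size: int) -> bool:
    """True if a file of this size lies inside the envelope the firewall actually inspected.
    The boundary condition (<=) is an assumption; the post only gives the magic number."""
    return size <= SIZE_LIMIT

def audit_files(files: dict[str, bytes]) -> list[dict]:
    """Report which files must rely on host-side scanning because the perimeter skipped them."""
    report = []
    for name, data in files.items():
        size = len(data)
        report.append({
            "name": name,
            "size": size,
            "prefix_sha256": prefix_sha256(data),
            "full_sha256": full_sha256(data),
            "needs_local_scan": not perimeter_inspected(size),
        })
    return report

def audit_directory(path: str) -> list[dict]:
    """Same audit over real files in a download directory."""
    return audit_files({p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()})

if __name__ == "__main__":
    # Constructed sample data: a 2 KiB pseudo-file and a file just over the observed limit.
    small = bytes(range(256)) * 8
    large = b"\x00" * (SIZE_LIMIT + 1)
    for row in audit_files({"small.bin": small, "large.bin": large}):
        print(row["name"], row["size"], "needs local scan:", row["needs_local_scan"])
```

Run `audit_directory("/path/to/downloads")` against a real folder to list every file the perimeter check would have skipped.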

2 Responses to “Palo Alto ignoring malware > 10MB”

  1. lazers says:

    This is common practice in anti-malware of this kind. Other vendors do exactly the same 🙂

    • Torstein says:

      Noticed that after some research as well. It was pretty shocking at first, but an IPS has never been something that will protect us against all attacks. Best practice would probably be to combine IPS with local antivirus along with common sense, training employees and strict AD GPs.
