6.1 Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'

Information

Configure antivirus profiles to a value of 'block' for all decoders except imap and pop3 under both Action and WildFire Action. Configure imap and pop3 decoders to 'alert' under both Action and WildFire Action.
Rationale:
Antivirus signatures produce few false positives. Blocking any malware detected in the specified decoders greatly reduces the risk of malware propagating through the firewall. It is recommended to mitigate malware found in pop3 and imap traffic through a dedicated antivirus gateway. Due to the nature of the pop3 and imap protocols, the firewall cannot block only the single email message containing malware; instead, the entire session would be terminated, potentially affecting benign email messages.

Solution

Navigate to Objects > Security Profiles > Antivirus.
Set every antivirus profile so that all decoders except imap and pop3 are set to block for both Action and WildFire Action, and the imap and pop3 decoders are set to alert for both Action and WildFire Action.
Default Value:
Not Configured
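As an added example (not part of the benchmark text or of Tenable's audit plugin), the following Python script audits antivirus profiles from an exported PAN-OS configuration against this control, reporting each decoder and column that deviates from the required setting. The XML layout (profiles/virus/entry/decoder/entry with action and wildfire-action elements), the decoder names, and the sample configuration are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Decoders the control requires at 'block' for both Action and WildFire Action,
# and the two mail decoders it requires at 'alert' instead (assumed decoder names).
BLOCK_DECODERS = {"ftp", "http", "http2", "smb", "smtp"}
ALERT_DECODERS = {"imap", "pop3"}
FIELDS = ("action", "wildfire-action")  # assumed element names for the two columns

def check_profile(profile):
    """Return sorted (decoder, field, actual, expected) tuples for each deviation.
    A decoder with no entry in the profile is reported as 'not-configured'."""
    seen = {d.get("name"): d for d in profile.findall("./decoder/entry")}
    findings = []
    for name in BLOCK_DECODERS | ALERT_DECODERS:
        expected = "block" if name in BLOCK_DECODERS else "alert"
        dec = seen.get(name)
        for field in FIELDS:
            node = dec.find(field) if dec is not None else None
            actual = (node.text or "").strip() if node is not None else "not-configured"
            if actual != expected:
                findings.append((name, field, actual, expected))
    return sorted(findings)

def audit_config(xml_text):
    """Map each antivirus profile name to its findings (empty list = compliant)."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): check_profile(p)
            for p in root.findall(".//profiles/virus/entry")}

def _decoder(name, action, wildfire):
    return (f'<entry name="{name}"><action>{action}</action>'
            f'<wildfire-action>{wildfire}</wildfire-action></entry>')

# Constructed sample: one profile that satisfies the control and one that does not
# (smtp only alerts, imap blocks, and the remaining decoders are left unconfigured).
COMPLIANT = ("".join(_decoder(d, "block", "block") for d in sorted(BLOCK_DECODERS))
             + "".join(_decoder(d, "alert", "alert") for d in sorted(ALERT_DECODERS)))
LENIENT = _decoder("smtp", "alert", "block") + _decoder("imap", "block", "alert")
SAMPLE_CONFIG = f"""<config><shared><profiles><virus>
<entry name="strict-av"><decoder>{COMPLIANT}</decoder></entry>
<entry name="lenient-av"><decoder>{LENIENT}</decoder></entry>
</virus></profiles></shared></config>"""

if __name__ == "__main__":
    for profile, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{profile}: {'PASS' if not findings else 'FAIL'}")
        for name, field, actual, expected in findings:
            print(f"  {name} {field}: {actual!r} (expected {expected!r})")
```

Run it against a real export by replacing SAMPLE_CONFIG with the contents of the exported XML; any non-empty findings list is a failure of this control for that profile.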

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, CSCv6|8.5, CSCv7|8

Plugin: Palo_Alto

Control ID: 7264351238e9fe4c05c48489d83b26050c03d3192b36daf61ad571d202584133