article Nominated Discussion: Verdict "malicious" and action "allow" in General Articles

article Nominated Discussion: Verdict "malicious" and action "allow" in General Articles https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-verdict-quot-malicious-quot-and-action-quot/ta-p/587384 <P><SPAN>This Nominated Discussion Article is based on the post "<A href="https://live.paloaltonetworks.com/t5/general-topics/verdict-quot-malicious-quot-and-action-quot-allow-quot/m-p/586478" target="_blank" rel="noopener"><STRONG>Verdict "malicious" and action "allow"</STRONG></A></SPAN><SPAN>" by <STRONG><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a></STRONG> and answered by <STRONG><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a></STRONG> and <STRONG><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a></STRONG>.</SPAN></P> <P> </P> <DIV class="lia-message-template-content-zone"> <BLOCKQUOTE> <P>Hi team</P> <P>We are detecting some files with Verdict "malicious" and action "allow"</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Alpalo_0-1715594709155.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59636i0DA278BD6AB061F9/image-size/medium/is-moderation-mode/true?v=v2&px=400" role="button" title="Alpalo_0-1715594709155.png" alt="Alpalo_0-1715594709155.png" /></span></P> <P>Can anybody help us for change the action or other solution?</P> </BLOCKQUOTE> <P> </P> <P>WildFire log?</P> <P> </P> <P>If you click on the magnifying glass, WildFire Analysis Report tab then what does "First Seen Timestamp" show?</P> <P>WildFire will pass through the malicious file on first instance it sees the file and when verdict comes back from the sandbox it will show if verdict was benign or not. So in those cases you need to analyze workstation to check if it got infected.</P> <P> </P> <P>Starting from 11.0.2 there is new feature "Hold Mode for WildFire Real-Time Signature Lookup"</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/wildfire-features/hold-mode-for-wildfire-realtime-signature-lookup" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/wildfire-features/hold-mode-for-wildfire-realtime-signature-lookup</A></P> <P> </P> <BLOCKQUOTE> <P>We have wildfire real-time configured and the action is reset-both but we are seeing that the first time the verdict is benign, one the signature is created the verdict changes to malicious but the result keeps being "allow", Is that correct? Is there any way to block this malicious files?</P> </BLOCKQUOTE> <P> </P> <P>This is expected. Please check into the feature <A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/wildfire-features/hold-mode-for-wildfire-realtime-signature-lookup" target="_blank" rel="noopener">Hold Mode for WildFire Real-Time Signature Lookup.</A></P> <P>With this feature you can prevent the initial transfer of known malware.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="WildFire Hold Mode" style="width: 599px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59898iBA7027A5DED58BEC/image-size/large?v=v2&px=999" role="button" title="wildfire-hold-mode.png" alt="WildFire Hold Mode" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">WildFire Hold Mode</span></span></P> <P> </P> <P> </P> </DIV> Tue, 21 May 2024 14:39:54 GMT kiwi 2024-05-21T14:39:54Z Nominated Discussion: Verdict "malicious" and action "allow" https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-verdict-quot-malicious-quot-and-action-quot/ta-p/587384 <P><SPAN>This Nominated Discussion Article is based on the post "<A href="https://live.paloaltonetworks.com/t5/general-topics/verdict-quot-malicious-quot-and-action-quot-allow-quot/m-p/586478" target="_blank" rel="noopener"><STRONG>Verdict "malicious" and action "allow"</STRONG></A></SPAN><SPAN>".</SPAN></P> Tue, 21 May 2024 14:39:54 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-verdict-quot-malicious-quot-and-action-quot/ta-p/587384 kiwi 2024-05-21T14:39:54Z