<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: What's the difference between antivirus signatures and WildFire signatures in Advanced Threat Prevention Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580870#M2128</link>
    <description>&lt;P&gt;Thanks for your reply Tom.&lt;/P&gt;
&lt;P&gt;Would it be fair to say that Antivirus signatures work against HTTP, HTTP2, FTP, SMB, and email protocols (POP3, IMAP, SMTP), where WildFire signatures work over a much larger set of App-IDs, which is why WildFire databases are relatively large?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;BR /&gt;Riad.&lt;/P&gt;</description>
    <pubDate>Tue, 19 Mar 2024 03:43:53 GMT</pubDate>
    <dc:creator>r9i0a0d</dc:creator>
    <dc:date>2024-03-19T03:43:53Z</dc:date>
    <item>
      <title>What's the difference between antivirus signatures and WildFire signatures</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580688#M2125</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;I'm trying to understand the difference between the antivirus signatures and WildFire signatures. To my understanding, antivirus signatures identify known malicious files based on the signatures in the antivirus database.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1- But what signatures does the WildFire database contain? Are they signatures to identify supported file types that can be forwarded to the cloud or the private appliance? Or are they signatures of newly identified malicious files that will eventually make it to the antivirus database?&lt;/P&gt;
&lt;P&gt;2- And if they are signatures of newly identified malicious files, then why aren't they included in the antivirus signatures database instead?&lt;/P&gt;
&lt;P&gt;3- And why is the WildFire database file size relatively large, approximately 10% of the antivirus database file size?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;BR /&gt;Riad.&lt;/P&gt;</description>
      <pubDate>Mon, 18 Mar 2024 00:13:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580688#M2125</guid>
      <dc:creator>r9i0a0d</dc:creator>
      <dc:date>2024-03-18T00:13:51Z</dc:date>
    </item>
    <item>
      <title>Re: What's the difference between antivirus signatures and WildFire signatures</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580757#M2127</link>
      <description>&lt;P&gt;1. WildFire offers faster identification of malicious files. Many of the WildFire signatures will make it into the AV database, but those are released once or twice daily usually.&lt;/P&gt;
&lt;P&gt;2. Because AV is not updated as frequently (once or twice daily) as WildFire (live).&lt;/P&gt;
&lt;P&gt;3. Because WildFire is also cloud connected and provides coverage for 0days, whereas AV has a large database of currently active threats in the wild.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The big difference between WildFire and AV is that WF protects against 0day and AV protects against all known active threats.&lt;/P&gt;</description>
      <pubDate>Mon, 18 Mar 2024 09:23:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580757#M2127</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2024-03-18T09:23:05Z</dc:date>
    </item>
    <item>
      <title>Re: What's the difference between antivirus signatures and WildFire signatures</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580870#M2128</link>
      <description>&lt;P&gt;Thanks for your reply Tom.&lt;/P&gt;
&lt;P&gt;Would it be fair to say that Antivirus signatures work against HTTP, HTTP2, FTP, SMB, and email protocols (POP3, IMAP, SMTP), where WildFire signatures work over a much larger set of App-IDs, which is why WildFire databases are relatively large?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks,&lt;BR /&gt;Riad.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2024 03:43:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580870#M2128</guid>
      <dc:creator>r9i0a0d</dc:creator>
      <dc:date>2024-03-19T03:43:53Z</dc:date>
    </item>
    <item>
      <title>Re: What's the difference between antivirus signatures and WildFire signatures</title>
      <link>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580899#M2129</link>
      <description>&lt;P&gt;Sort of 😉&lt;/P&gt;
&lt;P&gt;WildFire content packages are about 8MB whereas AV packages are 101MB, but WildFire relies heavily on cloud connectivity:&lt;/P&gt;
&lt;P&gt;AV uses signatures (markers in the payload) to identify threats directly in a flow, whereas WildFire relies mostly on file hashes to see if a file was already processed by the online sandbox. If the verdict is already known (file already seen and inspected), the file can be let through or blocked based on the verdict. If the file has not been seen before, WildFire will spring into action with some inline ML scanning of the file and uploading it to the sandbox for deeper analysis.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2024 09:14:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/advanced-threat-prevention/what-s-the-difference-between-antivirus-signatures-and-wildfire/m-p/580899#M2129</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2024-03-19T09:14:08Z</dc:date>
    </item>
  </channel>
</rss>

