topic Re: WildFire not Blocking File with 'malicious' Verdict in Advanced Threat Prevention Discussions

WildFire not Blocking File with 'malicious' Verdict

GOMEZZZ — Tue, 06 Mar 2018 16:23:55 GMT

Hi,

I am playing in lab with wildfire and i would like to drop file downloads that are analyzed by wildfire as malicious verdict.

I have configured the follwong wildfire submission profile.

i created a wildfire profile (copy of the default)

admin@PA-220# show
wildfire {
rules {
default {
application any;
file-type any;
direction both;
analysis public-cloud;
}
}
}

I also create an antivirus profile to have an action of reset both for wildfire.

"Antivirus - WildFire" {
decoder {
http {
action reset-both;
wildfire-action reset-both;
}
smtp {
action default;
wildfire-action alert;
}
imap {
action default;
wildfire-action alert;
}
pop3 {
action default;
wildfire-action alert;
}
ftp {
action reset-both;
wildfire-action reset-both;
}
smb {
action default;
wildfire-action alert;
}
}
}

I have created a security policy with these secuirty profiles attached bot the malware test file from palo alto over http is still going through.

"OUTBOUND ACCESS POLICY" {
to UNTRUST;
from TRUST;
source any;
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
profile-setting {
profiles {
url-filtering home-filter;
virus "Antivirus - WildFire";
spyware strict;
vulnerability strict;
wildfire-analysis wildfire;
}
}
}

The verdict is malicous bot the action i allowed.

Can somebody tell me what is misconfigure on my end?

Kind regards,

Frederik.

Re: WildFire not Blocking File with 'malicious' Verdict

mivaldi — Tue, 06 Mar 2018 17:41:50 GMT

There are a couple things that are incorrect.

The first thing is, you are assuming that a Malicious verdict from WildFire on a file, means instantaneous Antivirus coverage. Once WildFire determines a sample is malicious, it sends it to PAN-AV, which generates a signature for the sample. This signature is then stacked, and is released every 5 minutes. You have to actually fetch the WildFire-Virus database to the firewall through Dynamic Updates for it to have the signature to detect files matching its pattern.

The second thing, is you are assuming WildFire would create an AV signature for the WildFire PE file, and that's not true. The WildFire PE file is only meant to test the WildFire forwarding (uploading sample to WildFire) and receiving back a report from WildFire, but it does not send the WildFire PE file to PAN-AV, so a signature is never generated for it.

Re: WildFire not Blocking File with 'malicious' Verdict

GOMEZZZ — Tue, 06 Mar 2018 18:20:01 GMT

Hi Mivaldi,

Tnx for the update and that explains a lot 🙂