topic Verdict "malicious" and action "allow" in General Topics

Verdict "malicious" and action "allow"

Alpalo — Mon, 13 May 2024 10:06:14 GMT

Hi team

We are detecting some files with Verdict "malicious" and action "allow"

Can anybody help us for change the action or other solution?

Regards

Re: Verdict "malicious" and action "allow"

Raido_Rattameister — Mon, 13 May 2024 12:51:54 GMT

WildFire log?

If you click on the magnifying glass, WildFire Analysis Report tab then what does "First Seen Timestamp" show?

WildFire will pass through the malicious file on first instance it sees the file and when verdict comes back from the sandbox it will show if verdict was benign or not. So in those cases you need to analyze workstation to check if it got infected.

Starting from 11.0.2 there is new feature "Hold Mode for WildFire Real-Time Signature Lookup"

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/wildfire-features/hold-mode-for-wildfire-realtime-signature-lookup

Re: Verdict "malicious" and action "allow"

JuanMAbellan — Tue, 21 May 2024 07:41:57 GMT

We have wildfire real-time configured and the action is reset-both but we are seeing that the first time the veredict is benign, one the signature is created the veredict changes to malicious but the result keeps being "allow", Is that correct? Is there any way to block this malicious files?

Re: Verdict "malicious" and action "allow"

kiwi — Tue, 21 May 2024 11:27:32 GMT

Hi @JuanMAbellan ,

This is expected. Please check into the feature Hold Mode for WildFire Real-Time Signature Lookup as mentioned by @Raido_Rattameister .

With this feature you can prevent the initial transfer of known malware.

Kind regards,

-Kim.