topic Re: How to allowlist a file form wildfire-virus in General Topics

How to allowlist a file form wildfire-virus

Verac22 — Thu, 11 Sep 2025 19:30:23 GMT

We have a file (Filex.exe) that is throwing blocks of the following type

Threat Type

wildfire-virus

Threat ID/Name

trojan/Win32 EXE.crypt.aexg

ID	213019932 (View in Threat Vault)

How do I add this exclude this file from alerting? I went into Object > Security Objects > Antivirus > the profile > Wildfire Inline ML, and I added the file name and partial hash (not sure I fully understand partial hash. I used the first 31 characters of the sha256). We are still getting alerts for this file though.

Any ideas?

Re: How to allowlist a file form wildfire-virus

kiwi — Fri, 12 Sep 2025 08:18:13 GMT

Hi @Verac22 ,

It looks like the threat type is identified as "wildfire-virus" and not as "ml-virus".

There's a nuance in both of these threat types as far as I know:

The wildfire-virus threat type comes from a verdict issued by the WildFire cloud analysis. This is a definitive, file-based verdict.
The ml-virus threat type comes from the inline machine learning engine on the firewall

The exception you created on the WildFire Inline ML page only applies to detections made by the inline engine (ml-virus threats). Since the file was categorized as a wildfire-virus by the cloud, the local exception was bypassed.

Here's the KB talking about it:
How to set a File exception or disable WildFire Inline ML model (ml-virus threat types)

Kind regards,

-Kim.

Re: How to allowlist a file form wildfire-virus

Verac22 — Thu, 18 Sep 2025 15:32:07 GMT

@kiwi I think that makes sense. How then do you create an exclusion for the "wildfire-virus" type detections?

Re: How to allowlist a file form wildfire-virus

ymiyashita — Fri, 19 Sep 2025 00:23:56 GMT

If you are sure that the file is not malicious, then you can set the exception in the "Signature Exceptions" tab using the Threat ID "213019932".

References:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC

https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevention/create-threat-exceptions#id566b52a9-d584-47f1-9c1d-f33814fe3c48

Re: How to allowlist a file form wildfire-virus

Verac22 — Thu, 25 Sep 2025 20:02:30 GMT

So that allows us to exclude the entire signature. But is there no way to only exclude the particular file by hash or name?

Re: How to allowlist a file form wildfire-virus

BPry — Thu, 25 Sep 2025 20:51:41 GMT

@Verac22,

The way to handle this really is by reporting the incorrect verdict so that it is corrected and no longer triggers. There's not a way to exclude just that one single hash unless it's an inline detection; the closets you can get to that is creating a specific profile with the threat signature excluded and associating it with a dedicated rule where that file would be matching. Obviously that doesn't mean it will only ever match that one file, but you've created the smallest possible exception as what you can currently with PAN-OS.