topic Re: Wildfire Verdict benign / Action block in General Topics

Wildfire Verdict benign / Action block

Keny_Schmeling — Tue, 02 Oct 2018 22:34:34 GMT

I'd like to understand how Wildfire works. I have this example where Verdict is benign and action is block. Why?

Re: Wildfire Verdict benign / Action block

Keny_Schmeling — Tue, 02 Oct 2018 22:42:06 GMT

Filtering by Session ID I have this logs:

Re: Wildfire Verdict benign / Action block

BPry — Wed, 03 Oct 2018 15:06:45 GMT

@Keny_Schmeling,

What likely happended was the firewall identified the traffic via a signature or local analysis and determined that it was malicious; when it was sent to the wildfire cloud and actually ran in the sandbox environment it was discovered to be benign. Therefore the verdict would report benign, because it is, but the firewall would have blocked the traffic before the file was sent off to be analyzed.

Now if the hash of the file is seen by your firewall again, it will allow the file as the hash is known to be benign. Likewise, if I attempted to download the same file on my firewall it would also be allowed, because you've already analyzed the file and the hash is known to be benign.

Re: Wildfire Verdict benign / Action block

rnorouzi — Wed, 24 Sep 2025 17:20:53 GMT

Please note the solution provided on this post can cause some confusion as it does not provide a complete picture on how threat prevention works in regards to WF and AV. With that said, Even if the file’s hash is marked as benign by WildFire, if the file still matches an active Antivirus signature, it will continue to be blocked whenever it traverses the firewall.
In other words, the file's known hash being benign does not override the Antivirus engine. As long as the signature is active and matches the file pattern, the firewall will block it, regardless of the WildFire verdict.