https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17697#M12891 <HTML><HEAD></HEAD><BODY><P>Yes - I've checked the portal and it is VERY malicious (turning off IE phishing protection, disabling the firewall etc)!</P><P></P><P>While I understand that some malware is polymorphic and will change it's binary fingerprint, the fact that this was a <EM>skipped</EM> upload means that it must have been seen before in it's current "guise" and I can only assume that it would have looked just as malicious previously (I can;t see why not).&nbsp; </P><P></P><P>As we haven't had a upload for 4 days (and the most likely EXE upload was at least 12 days ago) that seems to suggest that no AV signature has been released in the previous 2 weeks that should have triggered on the re-download (or the signature released failed to match it properly?).</P><P></P><P>Rgds</P></BODY></HTML> Mon, 18 Feb 2013 17:56:32 GMT apackard 2013-02-18T17:56:32Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17695#M12889 <HTML><HEAD></HEAD><BODY><P>Using the 'free' Wildfire service, does anyone know how long should I expect the delay to be before downloads marked as malware are blocked subsequently?</P><P></P><P>For example, today we had a download ("pdf_delta_ticket.scr" below) that was logged as <STRONG>upload-skip</STRONG> which to my knowledge means that it has been seen before by this device.&nbsp; As the last previous <STRONG>upload-success</STRONG> was ~6 days previously (and as it was a DLL it almost certainly wasn't the original download) this seems to suggest that the time taken is more than a few days (we download and install AV updates daily).</P><P></P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/5667_pastedImage_1.png" style="width: 1200px; height: 256px;" /></P><P></P><P>Rgds</P></BODY></HTML> Mon, 18 Feb 2013 17:24:31 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17695#M12889 apackard 2013-02-18T17:24:31Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17696#M12890 <HTML><HEAD></HEAD><BODY><P>Whenever a new file is sent to wildfire it is analyzed for various malicious behaviors. You can login to your wildfire portal to check the status of your files i.e only if it is found to be malicious an av signature is created and released. So have you had a chance to look at your wildfire portal @ <A href="https://wildfire.paloaltonetworks.com/Wildfire" style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #316989; background-color: #ffffff;" title="https://wildfire.paloaltonetworks.com/Wildfire">https://wildfire.paloaltonetworks.com/Wildfire</A> .</P><P>Also refer the following documents:-</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3555">WildFire Decision Flow</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3252">How to Configure Wildfire</A></P><P></P><P>Thanks,</P><P>Subijith Raghunandan.</P></BODY></HTML> Mon, 18 Feb 2013 17:44:02 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17696#M12890 sraghunandan 2013-02-18T17:44:02Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17697#M12891 <HTML><HEAD></HEAD><BODY><P>Yes - I've checked the portal and it is VERY malicious (turning off IE phishing protection, disabling the firewall etc)!</P><P></P><P>While I understand that some malware is polymorphic and will change it's binary fingerprint, the fact that this was a <EM>skipped</EM> upload means that it must have been seen before in it's current "guise" and I can only assume that it would have looked just as malicious previously (I can;t see why not).&nbsp; </P><P></P><P>As we haven't had a upload for 4 days (and the most likely EXE upload was at least 12 days ago) that seems to suggest that no AV signature has been released in the previous 2 weeks that should have triggered on the re-download (or the signature released failed to match it properly?).</P><P></P><P>Rgds</P></BODY></HTML> Mon, 18 Feb 2013 17:56:32 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17697#M12891 apackard 2013-02-18T17:56:32Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17698#M12892 <HTML><HEAD></HEAD><BODY><P>However - having checked the flowchart in the referenced documents (thanks) I note that the hash check is actually performed in the Palo cloud, not on the PA device - so I guess this means that it is not dependent on the previous upload from our network.</P><P></P><P>Rgds</P></BODY></HTML> Mon, 18 Feb 2013 18:09:46 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-time-required-to-block-known-malware/m-p/17698#M12892 apackard 2013-02-18T18:09:46Z