<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Is wildfire mistaken? false negative? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/is-wildfire-mistaken-false-negative/m-p/21072#M15377</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I had a similar discussion with "my" Sales Engineer at PA, where WildFire claimed "benign" for a malware (in my case a custom-made one to test how well behavioural (spelling?) analysis works).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;A major flaw with WildFire, in my opinion, is that WildFire will whitelist any signed (by a known CA in the chain) application. To me that is just bad, looking at the stolen Realtek certs and the others which have been used for the past year or two.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Perhaps this could be the reason in your case?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The other thing is what WildFire triggers on. It seems that it doesn't trigger on downloaders but rather on the actual payload, which I also find a bit odd, because if you trigger on the downloader (which often uses at least one exploit) you would have a higher probability of keeping your clients clean (or at least getting a notification on how the actual malware got in). Otherwise you will (if lucky) only get a warning from WildFire for the actual payload, but the source of the infection will remain unknown (and can infect others when a new payload is generated; on the other hand, the downloader itself can of course also get new versions to avoid signature-based detections).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 06 Dec 2012 08:24:11 GMT</pubDate>
    <dc:creator>mikand</dc:creator>
    <dc:date>2012-12-06T08:24:11Z</dc:date>
    <item>
      <title>Is wildfire mistaken? false negative?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-wildfire-mistaken-false-negative/m-p/21071#M15376</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm testing WildFire at the moment.&lt;/P&gt;&lt;P&gt;We had a security incident on a corporate notebook; there were a lot of dropped "ZeroAccess.Gen Command and Control Traffic" entries in the threat log.&lt;/P&gt;&lt;P&gt;We scanned the laptop with different virus/spyware scanners and found a file which I uploaded to WildFire and VirusTotal.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;WildFire says it's benign.&lt;/P&gt;&lt;P&gt;VirusTotal, with a 24/44 detection ratio, says it's a backdoor.&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.virustotal.com/file/8bec8e81dd143cfecb4e4119d646c90205c0e6c734331ba2478aad861f0550fe/analysis/" title="https://www.virustotal.com/file/8bec8e81dd143cfecb4e4119d646c90205c0e6c734331ba2478aad861f0550fe/analysis/"&gt;Antivirus scan for a928ac4e1a34c4eb035b4ed6a8f7a6cb at 2012-11-27 21:16:41 UTC - VirusTotal&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So who is wrong?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sebastian&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Dec 2012 08:02:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-wildfire-mistaken-false-negative/m-p/21071#M15376</guid>
      <dc:creator>sebastian</dc:creator>
      <dc:date>2012-12-06T08:02:14Z</dc:date>
    </item>
    <item>
      <title>Re: Is wildfire mistaken? false negative?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-wildfire-mistaken-false-negative/m-p/21072#M15377</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I had a similar discussion with "my" Sales Engineer at PA, where WildFire claimed "benign" for a malware (in my case a custom-made one to test how well behavioural (spelling?) analysis works).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;A major flaw with WildFire, in my opinion, is that WildFire will whitelist any signed (by a known CA in the chain) application. To me that is just bad, looking at the stolen Realtek certs and the others which have been used for the past year or two.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Perhaps this could be the reason in your case?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The other thing is what WildFire triggers on. It seems that it doesn't trigger on downloaders but rather on the actual payload, which I also find a bit odd, because if you trigger on the downloader (which often uses at least one exploit) you would have a higher probability of keeping your clients clean (or at least getting a notification on how the actual malware got in). Otherwise you will (if lucky) only get a warning from WildFire for the actual payload, but the source of the infection will remain unknown (and can infect others when a new payload is generated; on the other hand, the downloader itself can of course also get new versions to avoid signature-based detections).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Dec 2012 08:24:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-wildfire-mistaken-false-negative/m-p/21072#M15377</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-12-06T08:24:11Z</dc:date>
    </item>
    <item>
      <title>Re: Is wildfire mistaken? false negative?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/is-wildfire-mistaken-false-negative/m-p/21073#M15378</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Sebastian,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We will take a look at this sample and get back to you. Stay tuned...&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Alfred&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Dec 2012 15:23:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/is-wildfire-mistaken-false-negative/m-p/21073#M15378</guid>
      <dc:creator>fredallee</dc:creator>
      <dc:date>2012-12-06T15:23:59Z</dc:date>
    </item>
  </channel>
</rss>