https://live.paloaltonetworks.com/t5/general-topics/wildfire-flow/m-p/2614#M1948 <HTML><HEAD></HEAD><BODY><P>Are uploaded files stored somewhere within this "cloud" to be re-evaluated on a schedule?</P><P></P><P>Im thinking when PA is changing what will trigger a file to be considered malware or not (like the case I found a few months ago where wildfire verdict was benign but the file was truly a very bad file) - then this "the hash matches a clean file" might not be true...</P><P></P><P>Also is there a setting regarding this within WF-500, for example making a verdict for a specific hash only valid for 24 hours or so - if the file is seen again later on then the file will be re-evaluated?</P></BODY></HTML> Sun, 22 Sep 2013 10:47:37 GMT mikand 2013-09-22T10:47:37Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-flow/m-p/2612#M1946 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For the desicion flow of wildfire, where is the hash update and wildfire database update ? can someone tell the real place of both in that chart.</P><P>Document's very clear but it is written before subscription service was released.</P><P></P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3555">WildFire Decision Flow</A></P></BODY></HTML> Sat, 21 Sep 2013 12:53:00 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-flow/m-p/2612#M1946 Retired Member 2013-09-21T12:53:00Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-flow/m-p/2613#M1947 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">When users download .exe or .dll files, PA computes the hash of the file and send only computed hash to the wildfire cloud. Then in the cloud, this hash is compared with the hash base which is maintained by palaltonetworks. If the hash matches, then the verdict is known and file is not uploaded to the cloud, if hash do not match then the file is uploaded and inspected and you can see the file on the portal. Also if the hash on the PA doesnt match with the hash database in the cloud, it creates a new virus id for the file. </SPAN></P><P></P><P>Thanks,</P><P></P><P>Syed R Hasnain</P></BODY></HTML> Sat, 21 Sep 2013 16:06:23 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-flow/m-p/2613#M1947 shasnain 2013-09-21T16:06:23Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-flow/m-p/2614#M1948 <HTML><HEAD></HEAD><BODY><P>Are uploaded files stored somewhere within this "cloud" to be re-evaluated on a schedule?</P><P></P><P>Im thinking when PA is changing what will trigger a file to be considered malware or not (like the case I found a few months ago where wildfire verdict was benign but the file was truly a very bad file) - then this "the hash matches a clean file" might not be true...</P><P></P><P>Also is there a setting regarding this within WF-500, for example making a verdict for a specific hash only valid for 24 hours or so - if the file is seen again later on then the file will be re-evaluated?</P></BODY></HTML> Sun, 22 Sep 2013 10:47:37 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-flow/m-p/2614#M1948 mikand 2013-09-22T10:47:37Z