topic Re: Antivirus profile question, wildfire action? in General Topics

Antivirus profile question, wildfire action?

JoseMartinez — Tue, 06 May 2014 14:50:25 GMT

Hello,

Have a question about how to configure an antivirus profile. When try to define Decoders and actions can see a tab for "Wildfire Action" and that's where my confusion appear. what's the purpose of this tab? that implies that if I select block, all the files were be blocked? ? As far as I know wildfire is an "on the cloud" scanning system but in the documentation of panOS 6.0 I can see this:

it's possible that wildifre have an internal database to check the files without the need to send it to the cloud?

Thanks in advance.

Regards.

Re: Antivirus profile question, wildfire action?

HULK — Tue, 06 May 2014 15:12:20 GMT

Hello Sir,

You can define different actions for standard antivirus signatures (Action column) and signatures generated by the WildFire system (WildFire Action column). This is applicable if you have a valid Wildfire license on your PAN firewall. Some environments may have requirements for a longer soak time for antivirus signatures, so this option enables the ability to set different actions for the two antivirus signature types provided by Palo Alto Networks. For example, the standard antivirus signatures go through a longer soak period before being released (24 hours), versus WildFire signatures, which can be generated and released within 15 minutes after a threat is detected. Because of this, you may want to choose the alert action on WildFire signatures instead of blocking.

Hope this helps.

Thanks

Re: Antivirus profile question, wildfire action?

_slv_ — Wed, 07 May 2014 06:34:46 GMT

Hulk, could You tell us how to check in thread log is a WildFire signatures triggered for any kind of thread?

Regards

Slawek

Re: Antivirus profile question, wildfire action?

HULK — Wed, 07 May 2014 15:16:49 GMT

Wildfire logs will be available under Monitor > Logs > wildfire only. ( not under threat logs).

Thanks

Re: Antivirus profile question, wildfire action?

_slv_ — Thu, 08 May 2014 08:22:44 GMT

Hi Hulk

I'm a bit confused.

In Monitor>Logs I have "WildFire Submissions" log with just two entries from april. I hope thats because my users are not downloading a lot of malwares from internet.

One of them has details:

In my opinion this is log which collecting data about files that are not known by WildFire cloud and passed my device.

I'm looking for files that was blocked by my device o based on wildfire updates (which I gets every 15 minuts)

Regards

Slawek

Re: Antivirus profile question, wildfire action?

jhughson1 — Thu, 31 Jul 2014 18:18:46 GMT

We are also looking for something that shows traffic being blocked because of a WildFire update. Has anyone found a way to get this type of report? Trying to find a way to justify the purchase to management.

Re: Antivirus profile question, wildfire action?

emr_1 — Fri, 01 Aug 2014 04:13:27 GMT

From my understanding, there is no way to figure out that traffic was blocked by antivirus signature or wildfire signature from threat log (especially "type" field. this will be 'virus' in both case).

Though I think you can figure out by looking at threat ID.

Please refer to following KB: Threat ID Ranges in the Palo Alto Networks Content Database

For example, if you hit any virus with TID is between 2000000 - 3000000, then this might be hit to antivirus signature. But if it is between 3000000 - 3100000, then this might be wildfire signature.

Isn't it?