https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41981#M30861 <HTML><HEAD></HEAD><BODY><P>Last thursday one of our firewalls had 26 wildfire submissions that were determined to be malware - all coming in thru email.&nbsp;&nbsp; That is probably a record, some days it is just a few.&nbsp; Note these were all PE files.&nbsp;&nbsp; Seeing as nobody should really be getting executables thru email I decided to block them which means less work for me.&nbsp; However, I also would still like to send them off to wildfire if possible so if they are bad it will help out all the other palo users,&nbsp; I just posted a question on how to do that if possible in these forums.</P><P></P><P>It is really interesting to go to the virus total link and see how many of the top av products have detected what wildfire finds - it seems most of the av products take a few days to detect something after wildfire has detected it for me.&nbsp; Not to mention I might then see 3 or 4 variants with the same file name but different md5.</P><P></P><P>It will be interesting once I add office docs and pdf files into the mix - just testing them now.&nbsp; I would be curious how many people using wildfire detect malware infected office and pdf docs.</P></BODY></HTML> Mon, 28 Apr 2014 14:38:38 GMT mikeberk 2014-04-28T14:38:38Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41979#M30859 <HTML><HEAD></HEAD><BODY><P>I enabled WildFire a month or so back.</P><P></P><P>I know it works as I download files regularly from the PAN "random wildfire test file" site and sure enough a little while later an alert pings in and it shows in the dashboard.</P><P></P><P>In production it seems that <STRONG><EM>everything</EM></STRONG> that my users download is either from trusted sources or has checksummed as clean - in theory this is a good thing and we are a corporate so I wouldn't expect people to be downloading "<EM>bad stuff</EM>", but I guess I almost expected to see a little more stuff being downloaded that would be sent to WildFire.</P><P></P><P>I wondered how everyone else finds the service and if there are any recommended ways to test it other than the Palo Alto test site?</P></BODY></HTML> Sun, 27 Apr 2014 13:03:03 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41979#M30859 networkadmin 2014-04-27T13:03:03Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41980#M30860 <HTML><HEAD></HEAD><BODY><P>I think you can trust that if the files all match the checksum they have been verified.</P><P></P><P>As a test you could create a brand new file and post this to a g-drive or dropbox then download it via your configured policies.&nbsp; Since you created the file yourself from scratch it would not be in any of the wildfire previous scans.</P></BODY></HTML> Sun, 27 Apr 2014 18:01:26 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41980#M30860 pulukas 2014-04-27T18:01:26Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41981#M30861 <HTML><HEAD></HEAD><BODY><P>Last thursday one of our firewalls had 26 wildfire submissions that were determined to be malware - all coming in thru email.&nbsp;&nbsp; That is probably a record, some days it is just a few.&nbsp; Note these were all PE files.&nbsp;&nbsp; Seeing as nobody should really be getting executables thru email I decided to block them which means less work for me.&nbsp; However, I also would still like to send them off to wildfire if possible so if they are bad it will help out all the other palo users,&nbsp; I just posted a question on how to do that if possible in these forums.</P><P></P><P>It is really interesting to go to the virus total link and see how many of the top av products have detected what wildfire finds - it seems most of the av products take a few days to detect something after wildfire has detected it for me.&nbsp; Not to mention I might then see 3 or 4 variants with the same file name but different md5.</P><P></P><P>It will be interesting once I add office docs and pdf files into the mix - just testing them now.&nbsp; I would be curious how many people using wildfire detect malware infected office and pdf docs.</P></BODY></HTML> Mon, 28 Apr 2014 14:38:38 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41981#M30861 mikeberk 2014-04-28T14:38:38Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41982#M30862 <HTML><HEAD></HEAD><BODY><P>That makes sense in our case Mike - we don't use wildfire on inbound email <STRONG><EM>but</EM></STRONG> we quarantine anything executable at the gateway.</P><P></P><P>I may try enabling wildfire on our inbound SMTP rule as that should catch some nasties.. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Mon, 28 Apr 2014 14:43:42 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-what-sort-of-hit-rate-do-you-see/m-p/41982#M30862 networkadmin 2014-04-28T14:43:42Z