<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Wildfire Malware Domain &amp; Palo-Alto Malware Domain Do Not Agree in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-domain-palo-alto-malware-domain-do-not-agree/m-p/48292#M35539</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Has anyone who has been using Wildfire encountered a case where a piece of Malware identified via the WF assessment has had the following in the summary:&lt;/P&gt;&lt;P&gt;"Malware came from a malware domain"&lt;/P&gt;&lt;P&gt;where the applicable URL category returned by Palo (Brightcloud online URL lookup) does not recognise it as a malware hosting domain?&lt;/P&gt;&lt;P&gt;I assume that the different services use different backend databases - but it's a bit annoying that there is a 'signature' (URL) available that would have prevented the download in 'one hand' that isn't being made available to the other hand!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 16 Jul 2012 13:21:30 GMT</pubDate>
    <dc:creator>apackard</dc:creator>
    <dc:date>2012-07-16T13:21:30Z</dc:date>
    <item>
      <title>Wildfire Malware Domain &amp; Palo-Alto Malware Domain Do Not Agree</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-domain-palo-alto-malware-domain-do-not-agree/m-p/48292#M35539</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Has anyone who has been using Wildfire encountered a case where a piece of Malware identified via the WF assessment has had the following in the summary:&lt;/P&gt;&lt;P&gt;"Malware came from a malware domain"&lt;/P&gt;&lt;P&gt;where the applicable URL category returned by Palo (Brightcloud online URL lookup) does not recognise it as a malware hosting domain?&lt;/P&gt;&lt;P&gt;I assume that the different services use different backend databases - but it's a bit annoying that there is a 'signature' (URL) available that would have prevented the download in 'one hand' that isn't being made available to the other hand!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 16 Jul 2012 13:21:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-domain-palo-alto-malware-domain-do-not-agree/m-p/48292#M35539</guid>
      <dc:creator>apackard</dc:creator>
      <dc:date>2012-07-16T13:21:30Z</dc:date>
    </item>
    <item>
      <title>Re: Wildfire Malware Domain &amp; Palo-Alto Malware Domain Do Not Agree</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-domain-palo-alto-malware-domain-do-not-agree/m-p/48293#M35540</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Just guessing here but since PA is working on their own url category db to replace Brightcloud (I think this year already) then the db used in wildfire is the new PA db where the PA devices mostly use Brightcloud db today (I guess the new db is to be released for PANOS 5.0)?&lt;/P&gt;&lt;P&gt;Another idea might be how the resolution is performed - will Brightcloud check the full url and not just the domain part (I'm thinking in case wildfire checks the full url like one folder on a webserver can be classified as malware while another folder is classified as something else)?&lt;/P&gt;&lt;P&gt;But yeah I agree, would be nice if any bad urls known by wildfire could be pushed out to the regular url-db so customers who don't run wildfire can take advantage of this (for example if you block access to url category "malware") but also so the bad malware isn't downloaded by the client at all (because stuff that hits wildfire has been downloaded by the clients).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 16 Jul 2012 18:30:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/wildfire-malware-domain-palo-alto-malware-domain-do-not-agree/m-p/48293#M35540</guid>
      <dc:creator>mikand</dc:creator>
      <dc:date>2012-07-16T18:30:45Z</dc:date>
    </item>
  </channel>
</rss>

