https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/63328#M38119 <P>In addition to what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a>&nbsp;said, you should have a look at WildFire Submissions log. By default it will only display malicious files that were uploaded to the cloud, from which we can conclude that those files have not been previously seen by the WF cloud, were not blocked and made it through to your network.</P><P>You can also turn on option Device &gt; Setup &gt; Wildfire &gt; Report benign files. With this option enabled Wildfire Submissions log wil also display Benign files which were uploaded to the cloud.</P> Wed, 19 Aug 2015 06:08:59 GMT mvidic 2015-08-19T06:08:59Z https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/27722#M20213 <HTML><HEAD></HEAD><BODY><P>I'm having trouble determining which malware has already been seen by WildFire (therefore it was not re-sent for analysis and blocked by the FW) vs. a file that our organization sent to WF and was determined to be malicious after analysis (not seen before by WF) . This would significantly help our organization respond to malicious files that may have made it to internal systems (mail servers, desktop, etc). Right now, I go into the analysis report and look at the first seen date... I know there's a better way. </P><P></P><P>Thanks!</P></BODY></HTML> Thu, 06 Aug 2015 15:45:09 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/27722#M20213 r_gine 2015-08-06T15:45:09Z https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/27723#M20214 <HTML><HEAD></HEAD><BODY><P>Hello r_gine,</P><P></P><P>If a file has already been seen by wildfire then it will show as wildfire skip in the log.</P><P></P><P>Ben</P></BODY></HTML> Fri, 07 Aug 2015 20:49:26 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/27723#M20214 bmorris1 2015-08-07T20:49:26Z https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/27724#M20215 <HTML><HEAD></HEAD><BODY><P>In Data Filtering log: </P><P>- action 'wildfire-upload-success' means file was first seen by your device, </P><P>- <SPAN style="font-size: 13.3333330154419px;">action 'wildfire-upload-skip' means file was already known to WF</SPAN></P><P></P><P>Yes, unfortunately you need to look in 2 log files to see if it was malicious and if you were first to see it.</P></BODY></HTML> Mon, 10 Aug 2015 11:20:50 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/27724#M20215 santonic 2015-08-10T11:20:50Z https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/63328#M38119 <P>In addition to what&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a>&nbsp;said, you should have a look at WildFire Submissions log. By default it will only display malicious files that were uploaded to the cloud, from which we can conclude that those files have not been previously seen by the WF cloud, were not blocked and made it through to your network.</P><P>You can also turn on option Device &gt; Setup &gt; Wildfire &gt; Report benign files. With this option enabled Wildfire Submissions log wil also display Benign files which were uploaded to the cloud.</P> Wed, 19 Aug 2015 06:08:59 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-differentiating-between-malware-already-seen-by-wildfire/m-p/63328#M38119 mvidic 2015-08-19T06:08:59Z