<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Identifying files that were 'allowed' but are now known to be malicious in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64179#M38533</link>
    <description>&lt;P&gt;You are correct. Malicious files visible in the WildFire submission logs should mean that they were allowed through the FW.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please note that wildfire-upload-skip doesn't necessarily mean that the file will be blocked by the AV profile. &lt;SPAN&gt;Wildfire-upload-skip only means that the file was already uploaded to the cloud. There could be some scenarios where the file won't be uploaded because it is already being analyzed by the cloud but will not be blocked because the verdict is not yet available or the FW hasn't been updated yet.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 04 Sep 2015 10:16:10 GMT</pubDate>
    <dc:creator>mvidic</dc:creator>
    <dc:date>2015-09-04T10:16:10Z</dc:date>
    <item>
      <title>Identifying files that were 'allowed' but are now known to be malicious</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64067#M38485</link>
      <description>&lt;P&gt;Wondering how others are tracking down files that were allowed through the firewall but later determined to be malicious (as a result of WF analysis).&lt;/P&gt;</description>
      <pubDate>Thu, 03 Sep 2015 16:57:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64067#M38485</guid>
      <dc:creator>r_gine</dc:creator>
      <dc:date>2015-09-03T16:57:18Z</dc:date>
    </item>
    <item>
      <title>Re: Identifying files that were 'allowed' but are now known to be malicious</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64081#M38493</link>
      <description>&lt;P&gt;In my experience malicious files are usually downloaded via http or sent by email.&lt;/P&gt;&lt;P&gt;In case of direct http access you can easily find the potentially infected host from PA logs. In case of proxy access it is necessary to determine the end host from proxy server logs. PAN-OS 7.0 offers some extended XFF features and it should be possible to read the end host directly from PA logs, although I haven't tested it in production. In case of malicious email attachments it is necessary to determine the end mailbox from the mail server logs.&lt;/P&gt;&lt;P&gt;Hope it helps.&lt;/P&gt;</description>
      <pubDate>Thu, 03 Sep 2015 06:12:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64081#M38493</guid>
      <dc:creator>mvidic</dc:creator>
      <dc:date>2015-09-03T06:12:52Z</dc:date>
    </item>
    <item>
      <title>Re: Identifying files that were 'allowed' but are now known to be malicious</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64121#M38511</link>
      <description>&lt;P&gt;Thanks -- I don't think I was very clear in asking my question.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For this example, let's consider the case of an SMTP message with an attachment (Word Doc), assuming the Palo is configured to forward all file types to the WildFire public cloud for malware analysis.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1. If the data filtering log were to show 'wildfire-upload-skip', one could conclude that that file (hash) had been previously seen by WildFire. The file would &lt;U&gt;not&lt;/U&gt; be uploaded to WildFire for analysis. If that file was deemed to be malicious by WildFire, the file would be 'Denied' and probably receive a 'subtype' of 'wildfire-virus'.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2. If the data filtering log were to show 'wildfire-upload-success', one could conclude that the file had not been seen before by WildFire and that the file would be allowed through the firewall (and on to the e-mail gateway and mail server). &lt;STRONG&gt;At this point, I want to know if that file/hash comes back from WF categorized as 'malicious'.&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are not logging 'benign' results from WildFire. I made the assumption that when I look in the 'WildFire Submission' log, those would show me the WF submissions that returned as malicious (and had been previously allowed through into the network); however, when I search for those files in my mail server and gateway, they're not there.&lt;/P&gt;</description>
      <pubDate>Thu, 03 Sep 2015 14:22:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64121#M38511</guid>
      <dc:creator>r_gine</dc:creator>
      <dc:date>2015-09-03T14:22:51Z</dc:date>
    </item>
    <item>
      <title>Re: Identifying files that were 'allowed' but are now known to be malicious</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64179#M38533</link>
      <description>&lt;P&gt;You are correct. Malicious files visible in the WildFire submission logs should mean that they were allowed through the FW.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please note that wildfire-upload-skip doesn't necessarily mean that the file will be blocked by the AV profile. &lt;SPAN&gt;Wildfire-upload-skip only means that the file was already uploaded to the cloud. There could be some scenarios where the file won't be uploaded because it is already being analyzed by the cloud but will not be blocked because the verdict is not yet available or the FW hasn't been updated yet.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 04 Sep 2015 10:16:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/identifying-files-that-were-allowed-but-are-now-known-to-be/m-p/64179#M38533</guid>
      <dc:creator>mvidic</dc:creator>
      <dc:date>2015-09-04T10:16:10Z</dc:date>
    </item>
  </channel>
</rss>

