https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5623#M4115 <HTML><HEAD></HEAD><BODY><P>But doesn't the hash change if the file name changes?</P></BODY></HTML> Wed, 18 Jun 2014 16:18:51 GMT mrsold 2014-06-18T16:18:51Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5619#M4111 <HTML><HEAD></HEAD><BODY><P>Have a question about the functionality of WildFire.&nbsp; Here is the scenario (assume we have a WildFire subscription so we are getting updates every 30 minutes):</P><P></P><OL><LI>User gets an email to download "file.exe" at 0800</LI><LI>This hash does not match anything and is sent up to the cloud for analysis.</LI><LI>Analysis confirms this file is / has malware - it has not seen this malware before so a new signature is generated - lets say for arguments sake it turns it around fast and is updated at 0830</LI><LI>Another user comes in at 0900 and gets the same email with the same link to the same file and clicks the link ... </LI></OL><P></P><P>Will the PA stop that user from downloading that file?</P></BODY></HTML> Wed, 18 Jun 2014 13:12:57 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5619#M4111 mrsold 2014-06-18T13:12:57Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5620#M4112 <HTML><HEAD></HEAD><BODY><P>Hello Mrsold,</P><P></P><P>Yes, PA should stop that user from downloading that file. </P><P></P><P>Few more info for your reference:-</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6589">WildFire</A> &gt;&gt;&gt;&gt;&gt;&gt;&gt; Page no 2 (How Does WildFire Work?)</P><P></P><P>The new <SPAN class="GINGER_SOFTWARE_mark">signature</SPAN> will be distributed within 30-60 minutes to all Palo Alto Networks firewalls&nbsp; <SPAN style="font-size: 10pt; line-height: 1.5em;">equipped</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> with a WildFire subscription, or the following day as part of the antivirus update for firewalls equipped&nbsp; </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">with</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> a Threat Prevention subscription only.</SPAN></P><P></P><P>NOTE: C<SPAN style="font-size: 10pt; line-height: 1.5em;">ontinue</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> or continue-and-forward, you can only choose the application web-browsing. If you choose any other application, traffic that matches the security policy will not flow through the firewall due to the fact that the users will not be prompted with a continue page.</SPAN></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 18 Jun 2014 14:37:49 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5620#M4112 HULK 2014-06-18T14:37:49Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5621#M4113 <HTML><HEAD></HEAD><BODY><P>Thanks Hulk.</P><P></P><P>So I'm assuming the hash associated with "file.exe" is hashed and subsequently blocked by WildFire / Threat Prevention - obviously if that same malware were to be packaged in a different exe, say "file1.exe" the process would have to start over...</P><P></P><P>-Mike</P></BODY></HTML> Wed, 18 Jun 2014 15:38:59 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5621#M4113 mrsold 2014-06-18T15:38:59Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5622#M4114 <HTML><HEAD></HEAD><BODY><P>Hello Mike,</P><P></P><P>PAN will check the hash of that file, hence not matter, what <SPAN class="GINGER_SOFTWARE_mark">file name</SPAN> it is <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>file.exe or file1.exe).</P><P></P><P>Few more info:</P><P></P><P>To verify, if <SPAN class="GINGER_SOFTWARE_mark">any files</SPAN> have been forwarded to the server, enter the following command: </P><P>&gt; <SPAN class="GINGER_SOFTWARE_mark">show</SPAN> wildfire status </P><P></P><P></P><P>Connection info: </P><P>Wildfire cloud: default cloud </P><P>Status: Idle </P><P>Best server: va-s1.wildfire.paloaltonetworks.com </P><P>Device registered: yes </P><P>Service route IP address: 192.168.1.1 </P><P>Signature verification: enable </P><P>Server selection: enable </P><P>Through a proxy: no </P><P>Forwarding info: </P><P><SPAN class="GINGER_SOFTWARE_mark">file</SPAN> size limit (MB): 2 </P><P><SPAN class="GINGER_SOFTWARE_mark">file</SPAN> idle time out (second): 90 </P><P><SPAN class="GINGER_SOFTWARE_mark">total</SPAN> file forwarded: 0 &gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; </P><P><SPAN class="GINGER_SOFTWARE_mark">forwarding</SPAN> rate (per minute): 0 </P><P><SPAN class="GINGER_SOFTWARE_mark">concurrent</SPAN> <SPAN class="GINGER_SOFTWARE_mark">files</SPAN>: 0 </P><P></P><P></P><P>The total file forwarded counter will provide the number of files being forwarded to the server. Data filtering logs can be used to check the status of the file. Here are the three actions available: </P><P>Action-1: Forward but no wildfire-upload-success or wildfire-upload-skip, means the file is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. Below is an explanation of the different status possibilities. </P><P>Forward - Data plane detected a PE (Potentially Executable) file on a WildFire-enabled policy. The PE file is buffered in the management plane. </P><P>If only forward is displayed for a specific file, it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent <SPAN class="GINGER_SOFTWARE_mark">for</SPAN> previously seen benign files). There will not be an entry in the WildFire Web portal for these files. </P><P></P><P>Thanks</P></BODY></HTML> Wed, 18 Jun 2014 15:58:07 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5622#M4114 HULK 2014-06-18T15:58:07Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5623#M4115 <HTML><HEAD></HEAD><BODY><P>But doesn't the hash change if the file name changes?</P></BODY></HTML> Wed, 18 Jun 2014 16:18:51 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5623#M4115 mrsold 2014-06-18T16:18:51Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5624#M4116 <HTML><HEAD></HEAD><BODY><P>Hello Mrsold,</P><P></P><P>PAN firewall will check the content of the file to calculate hash, not the file name. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> That is the reason, even if you will change the file name/extension still PAN firewall will be identify the same threat. </P><P></P><P>Thanks</P></BODY></HTML> Wed, 18 Jun 2014 16:41:51 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5624#M4116 HULK 2014-06-18T16:41:51Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5625#M4117 <HTML><HEAD></HEAD><BODY><P>In the same context, can anybody explain this behavior:</P><P></P><P>I am sometimes receiving 3 WildFire analysis reports for exactly the same file, same URL the file is residing on, same source and destination, but 3 different hashes.</P><P></P><P>Thank you</P></BODY></HTML> Wed, 08 Oct 2014 16:02:25 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5625#M4117 MMCiobanu 2014-10-08T16:02:25Z https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5626#M4118 <HTML><HEAD></HEAD><BODY><P>They're repacking their malware file so it avoids signature matching security engines?</P></BODY></HTML> Wed, 22 Oct 2014 10:57:09 GMT https://live.paloaltonetworks.com/t5/general-topics/wildfire-question/m-p/5626#M4118 santonic 2014-10-22T10:57:09Z