https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150570#M49978 <P>FYI,</P><P>Your not going to see a submission log for something that has already been identified since your local firewall database already knows about the file, that's why the wildfire test PE is generated per request so that you actually see a submission log. If you are copying an already identified known bad file it can skip the submission process and simply take action based on what it already knows about the file.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>**EDIT**</P><P>and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a>&nbsp;already mentioned this...my bad&nbsp;</P> Fri, 31 Mar 2017 12:54:27 GMT BPry 2017-03-31T12:54:27Z https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150487#M49963 <P>Hello<BR /><BR />I am testing my wildfire configuration .<BR /><BR />1- When I download wildfire test PE file&nbsp; , I get an entry under Wildfire submission log &amp; data filtering log.<BR />2- I intend to test if copying the PE file is also caught by wildfire , so I download a new PE file from wildfire site&nbsp; on a machine that is not protected by wildfire , then copy it across to a machine in another zone . the rule has wildfire and block file&nbsp; . this time we do not get any submission but we see a record under data-filtering.<BR />why there is no wild fire submissions in this case ?<BR /><BR />in first approach , the application is web-browsing<BR />second approach , the application is ms-ds-smb</P><P>&nbsp;</P><P>Is it possible that some applications are excluded from wildfire ? it seems only Risk5 apps are being sent . is there a place to change the behavior ?</P> Thu, 30 Mar 2017 22:47:39 GMT https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150487#M49963 akhalighi 2017-03-30T22:47:39Z https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150525#M49966 <P>Check the threat logs for AV events. File is sent to WF only when WF doesn't know that file yet. If WF has already seen that file it only replies with verdict or apropriate signature, there's no need to upload file again.</P><P>&nbsp;</P> Fri, 31 Mar 2017 06:13:38 GMT https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150525#M49966 santonic 2017-03-31T06:13:38Z https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150533#M49968 <P>"the rule has wildfire and block file"</P> <P>&nbsp;</P> <P>are you blocking the file copy? a blocked session will not be uploaded to wildfire as the file is never completely transferred</P> Fri, 31 Mar 2017 07:05:15 GMT https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150533#M49968 reaper 2017-03-31T07:05:15Z https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150570#M49978 <P>FYI,</P><P>Your not going to see a submission log for something that has already been identified since your local firewall database already knows about the file, that's why the wildfire test PE is generated per request so that you actually see a submission log. If you are copying an already identified known bad file it can skip the submission process and simply take action based on what it already knows about the file.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>**EDIT**</P><P>and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a>&nbsp;already mentioned this...my bad&nbsp;</P> Fri, 31 Mar 2017 12:54:27 GMT https://live.paloaltonetworks.com/t5/general-topics/some-applications-not-being-submitted-to-wildfire/m-p/150570#M49978 BPry 2017-03-31T12:54:27Z