https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/199548#M59124 <P>Dear BPry,</P><P>&nbsp;</P><P>Many thanks for your reply and theory for why the email was allowed despite being malicious.</P><P>&nbsp;</P><P>I have captured the timestamps of the Wildfire evets here, in case that helps accurately diagnose the issue:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WildFire Summary 1.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13719iD2C9826B64CA4B6F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="WildFire Summary 1.jpg" alt="WildFire Summary 1.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><DIV><P class="sectionTitle">WildFire Analysis Summary</P></DIV><DIV>&nbsp;</DIV><DIV><DIV class=" x-panel list-view"><DIV class="x-panel-header x-unselectable"><SPAN class="x-panel-header-text">File Information</SPAN></DIV><DIV class="x-panel-bwrap"><DIV class="x-panel-body"><DIV class="x-list-wrap"><DIV class="x-list-body"><DIV class="x-list-body-inner"><EM>File Type</EM> <EM>JAVA JAR</EM><DIV class="x-clear">&nbsp;</DIV><EM>File Signer</EM><DIV class="x-clear">&nbsp;</DIV><EM>SHA-256</EM> <EM>149862f4894c9dba2b21b507fa7bde835e6a6a44e35040331c5ab1de3ec4027d</EM><DIV class="x-clear">&nbsp;</DIV><EM>SHA1</EM> <EM>b8aed21b09bda3f02c54c53267ba696a1286e092</EM><DIV class="x-clear">&nbsp;</DIV><EM>MD5</EM> <EM>0ecacad6f88e1ddb859e881c1662b4a9</EM><DIV class="x-clear">&nbsp;</DIV><EM>File Size</EM> <EM>556535 bytes</EM><DIV class="x-clear">&nbsp;</DIV><EM>First Seen Timestamp</EM> <EM>2018-01-26 06:28:06 UTC</EM><DIV class="x-clear">&nbsp;</DIV><EM>Verdict</EM> <EM><STRONG>malware</STRONG></EM><DIV class="x-clear">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><P>&nbsp;</P><P>Does this information give more visibility to the issue?</P><P>&nbsp;</P><P>Many thanks,</P><P>Steve</P><P>&nbsp;</P> Thu, 08 Feb 2018 09:37:04 GMT Steve-Phillips 2018-02-08T09:37:04Z https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/197798#M58773 <P>Hello Everyone,</P><P>&nbsp;</P><P>New to Palo Alto firewalls and new to this forum.</P><P>&nbsp;</P><P>Can I please ask how I go about changing the Wildfire action on a jar file to block?&nbsp; The action for this file has been to allow the file, despite the file being flagged as "malicious, as can be seen below:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Wildfire jar.jpg" style="width: 793px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13481i1D86A27F5CEE1AB4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Wildfire jar.jpg" alt="Wildfire jar.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>I wish to change the action to "block", as is the case with the&nbsp;"pe" files I can see in the Wildfire logs, as can be seen here:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Wildfire logs.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13482i6A2B5F12D023BC55/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Wildfire logs.jpg" alt="Wildfire logs.jpg" /></span></P><P>&nbsp;</P><P>Many thanks in advance.</P><P>&nbsp;</P><P>Regards,</P><P>Steve</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 31 Jan 2018 09:34:03 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/197798#M58773 Steve-Phillips 2018-01-31T09:34:03Z https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/197953#M58796 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/66688">@Steve-Phillips</a>,</P><P>Within the Antivirus Security Profile that is assigned to the rule allowing the SMTP traffic to pass, you'll have to modify the 'WildFire Action' to reset-both instead of the default action of 'alert'. This article <A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Enable-WildFire-to-Block-File-with-malicious-Verdict/ta-p/54376" target="_blank">HERE</A>&nbsp;should point you in the proper direction</P> Wed, 31 Jan 2018 16:14:45 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/197953#M58796 BPry 2018-01-31T16:14:45Z https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/198279#M58870 <P>Dear BPry, many thanks for your reply.</P><P>&nbsp;</P><P>I have checked the Anti-Virus profile that is assigned to the applicable rule (Internet to Email Gateway) and the WildFire action is set to "reset-both" for all the listed decoders, including smtp, as can&nbsp;be seen here:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Corp Anti-Virus.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13596i3B13266C6E7F570A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Corp Anti-Virus.jpg" alt="Corp Anti-Virus.jpg" /></span></P><P>&nbsp;</P><P>It would therefore seem that some other setting is at play here that is not immediately obvious.</P><P>&nbsp;</P><P>I have examined the WildFire&nbsp;Analysis security profile, but this is set to analyze any file type and any application, so there does not appear to be a applicable setting here:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WildFire Settings.jpg" style="width: 700px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13600iCDBAF1116FBA4BED/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="WildFire Settings.jpg" alt="WildFire Settings.jpg" /></span></P><P>&nbsp;</P><P>I'll continue to investigate..</P><P>&nbsp;</P><P>Regards,</P><P>Steve</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 01 Feb 2018 17:08:17 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/198279#M58870 Steve-Phillips 2018-02-01T17:08:17Z https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/198518#M58916 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/66688">@Steve-Phillips</a>,</P><P>So one thing to potentially think about is if wildfire actually 'knew' about the file yet. A file that hasn't been inspected by WildFire which doesn't have identifyable markers for the Antivirus engine may log an as an 'alert' action until a wildfire signature has been generated for it. That may explain why you are seeing 'alert' actions rather than the desired 'reset-both' with this traffic.&nbsp;</P> Fri, 02 Feb 2018 13:58:46 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/198518#M58916 BPry 2018-02-02T13:58:46Z https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/199548#M59124 <P>Dear BPry,</P><P>&nbsp;</P><P>Many thanks for your reply and theory for why the email was allowed despite being malicious.</P><P>&nbsp;</P><P>I have captured the timestamps of the Wildfire evets here, in case that helps accurately diagnose the issue:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WildFire Summary 1.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13719iD2C9826B64CA4B6F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="WildFire Summary 1.jpg" alt="WildFire Summary 1.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P><DIV><P class="sectionTitle">WildFire Analysis Summary</P></DIV><DIV>&nbsp;</DIV><DIV><DIV class=" x-panel list-view"><DIV class="x-panel-header x-unselectable"><SPAN class="x-panel-header-text">File Information</SPAN></DIV><DIV class="x-panel-bwrap"><DIV class="x-panel-body"><DIV class="x-list-wrap"><DIV class="x-list-body"><DIV class="x-list-body-inner"><EM>File Type</EM> <EM>JAVA JAR</EM><DIV class="x-clear">&nbsp;</DIV><EM>File Signer</EM><DIV class="x-clear">&nbsp;</DIV><EM>SHA-256</EM> <EM>149862f4894c9dba2b21b507fa7bde835e6a6a44e35040331c5ab1de3ec4027d</EM><DIV class="x-clear">&nbsp;</DIV><EM>SHA1</EM> <EM>b8aed21b09bda3f02c54c53267ba696a1286e092</EM><DIV class="x-clear">&nbsp;</DIV><EM>MD5</EM> <EM>0ecacad6f88e1ddb859e881c1662b4a9</EM><DIV class="x-clear">&nbsp;</DIV><EM>File Size</EM> <EM>556535 bytes</EM><DIV class="x-clear">&nbsp;</DIV><EM>First Seen Timestamp</EM> <EM>2018-01-26 06:28:06 UTC</EM><DIV class="x-clear">&nbsp;</DIV><EM>Verdict</EM> <EM><STRONG>malware</STRONG></EM><DIV class="x-clear">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><P>&nbsp;</P><P>Does this information give more visibility to the issue?</P><P>&nbsp;</P><P>Many thanks,</P><P>Steve</P><P>&nbsp;</P> Thu, 08 Feb 2018 09:37:04 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-enable-wildfire-to-block-jar-file-with-malicious-verdict/m-p/199548#M59124 Steve-Phillips 2018-02-08T09:37:04Z