topic Wildfire feedback in General Topics

Wildfire feedback

alliance — Wed, 09 Nov 2011 15:41:41 GMT

Hello all,

As many of you guys, we have downloaded and installed the latest version of PAN OS - 4.1.0

Do you have by any chance first feedbacks about the new wildfire feature ?

Although the configuration is pretty straight & easy, we notice some strange behaviours:

For example, a EXE file is seen as a virus (Trojan/Win32.autohk.bd) by the threat prevention. However, when this very same file is sent to wildfire, and after a short analysis, this file is noted as "benign".

Do other people notice the same thing ?

Moreover, can we find somewhere a documentation about the meaning of all counters shown in the "show wildfire statistics" ?

For example, "FWD_CNT_LOCAL_FILE", etc.

We'll be happy to hear about your first feedbacks about this new feature.

Regards,

Re: Wildfire feedback

mharding — Wed, 09 Nov 2011 17:51:15 GMT

The short answer would be files moving on the wire look different once they are on the system and running. I'm guessing Wildfire allows Palo Alto to bridge the gap between false positives and the real deal in their signatures.

Re: Wildfire feedback

migration — Wed, 09 Nov 2011 18:40:13 GMT

I have yet to download and install 4.1, but it was my understanding that Wildfire was not on by default... Is that correct?

Re: Wildfire feedback

alliance — Wed, 09 Nov 2011 19:49:09 GMT

Umphmahardingu > Do you mean that if Wildfire ran the EXE and found the file as "begnin" and if the Threat Prevention of PAN device based on signatures considered the EXE as a trojan, the reality is that the EXE is indeed a trojan but harmless for hosts ? In other words in this particular case, does it mean that the trojan detected by the threat prevention is a false positive one... ?

prince.mcdonald > It is correct: You have to configure first a file blocking profile with the action "forward" or "continue-and-forward' (if you want the drive-by-download feature as well). Then, you will apply this FB profile on the FW rules.

Regards,

Re: Wildfire feedback

tettema — Wed, 09 Nov 2011 19:53:37 GMT

There are several reasons that a file caught by an AV signature might not

be categorized as malicious by WildFire. WildFire does not use

signatures, but instead actually runs the sample in a virtual sandbox and

analyzes its behavior for potentially malicious actions. It is possible

that the actions performed by the sample were not by themselves

sufficiently malicious for WildFire to automatically call it malware,

whereas the sample may have also been analyzed manually by the AV

community, which labeled it a virus based on a variety of factors. For

example, virus signatures are often created for "potentially unwanted"

software that might not perform blatantly malicious actions by itself. It

is also possible that the AV signature hit is a false positive. Feel free

to send samples of suspected false positives or false negatives our way

for analysis.

Using Palo Alto Networks in-line antivirus protection together with

WildFire behavioral analysis provides a layered defense-in-depth approach

to protecting networks from the modern malware threat.

Re: Wildfire feedback

tettema — Wed, 09 Nov 2011 19:53:56 GMT

Correct. To allow your device to use WildFire, you need to create or edit

a file blocking profile by setting an action of "forward" or

"continue-and-forward" for Portable Executable (PE) files types, and apply

this profile to a security policy that matches the traffic you wish to

analyze (inbound Internet traffic, typically). You can also manually

upload files for analysis through your web browser at the WildFire web

portal (wildfire.paloaltonetworks.com) by clicking the Upload button.

Re: Wildfire feedback

fcellini — Tue, 10 Jan 2012 20:54:51 GMT

Wich kind of policy do you use? from "outside or untrust" any to "inside or trust" any etc... with profile file blocking with a file blocking policy who check exe and dll files, in direction download or both direction with action continue and forward?

Re: Wildfire feedback

mikand — Tue, 10 Jan 2012 22:18:56 GMT

Speaking of wildfire... I assume that "bening" means that "file ok"?

Because I have manually uploaded a file thats anything but "bening" but wildfire still draws the conclusion that the file is bening (even if the report detected that the file tries to drop stuff at c:\sample.exe and modify registry and other kind of dirty work).

Is there perhaps some document who better describes why wildfire thinks stuff is bening while it obviously isnt (at least from my point of view 😉 ?

Re: Wildfire feedback

bradenmcg — Tue, 10 Jan 2012 22:41:40 GMT

http://en.wiktionary.org/wiki/benign

Presumably the wildfire system isn't as thorough as you are assuming. Plus, just because an exe tries to create another exe in c:\ doesn't necessarily mean it is bad - this is effectively what installers do.

Re: Wildfire feedback

tettema — Tue, 10 Jan 2012 22:48:14 GMT

WildFire categorizes files as "benign" or "malicious" based on analysis of actions the sample performs as it runs in a virtualized environment. This system is very effective at finding previously unknown "zero-day malware", but it can never be 100% fool proof. It is possible for malware to not perform anything overtly malicious while it is under analysis. It is also possible for the behaviors performed by the malware to not be sufficiently malicious for WildFire to label it malware. If you have a sample you think should be categorized as malware but was categorized as benign, feel free to send it our way and we'll take a look. We are constantly adding behaviors for WildFire to look for in order to correctly categorize malware.