03-27-2018 12:18 PM - edited 03-27-2018 12:20 PM
Hi,
We are getting several "WildFire Post Detection" events. The source signer is unknown (or not signed at all).
Unlike files that are often identified as malware, only to be analysed in WildFire and come back as benign, these files remain as verdict "Malware".
When I look at the WildFire report, static analysis seems to flag these with some suspicious activity (none of which looks particularly concerning in the context of the file and what we know of it). Dynamic analysis shows the file as benign.
I can't find a good explanation in the KB or admin guide on WildFire Post Detection events - everything refers to the event when the signer is trusted (which is not the case here).
Thanks!
Shannon
03-29-2018 05:21 AM
Hi,
WildFire post detection means that in the first step the local analysis of the client has flagged the executable/macro/DLL as benign. In parallel the file is uploaded to wf and analysed by static analysis and dynamic one. Afterwards the WildFire verdict is malware for your file. ESM gets the verdict and creates this WildFire post detection event, because the local analysis verdict (benign) from the endpoint is changed to malware (wf verdict). So if this is your initial run of this file and you are running on prevention mode, the file would have been executed on the client. After the wf verdict is available on the esm, further executions would be blocked.
In your case it does not matter, because you have applied a notification rule, so every file can be executed independently of the verdict.
To point 3: I would say, you are right. Maybe paloalto engineer or pan support can give you deeper information.
I hope that helps you.
BR,
Jan
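The sequence Jan describes (local analysis says benign and the file runs, the WildFire verdict later flips to malware, the ESM raises a post detection event, and only in prevention mode are later runs blocked) as an added triage example; this is not code from the thread or from the Traps product, and the log format, host names and file ids are constructed for illustration.

```python
"""Triage of "WildFire Post Detection" style events (added example).

The log format is constructed and is NOT the ESM's real export format.
Lines are assumed to be in time order. Each line is one of:
    <ISO timestamp> <host> EXEC <file-id>            local verdict benign, file ran
    <ISO timestamp> ESM VERDICT <file-id> <verdict>   WildFire verdict reached the ESM
"""

# Constructed sample log: file-X ran on two hosts before WildFire called it
# malware, then a third host tried it; file-Y came back benign.
SAMPLE_LOG = """\
2018-03-27T09:00:00 HOST-A EXEC file-X
2018-03-27T09:05:00 HOST-B EXEC file-X
2018-03-27T09:12:00 ESM VERDICT file-X malware
2018-03-27T09:20:00 HOST-C EXEC file-X
2018-03-27T10:00:00 HOST-A EXEC file-Y
2018-03-27T10:30:00 ESM VERDICT file-Y benign
2018-03-27T10:40:00 HOST-B EXEC file-Y
"""


def parse_log(text):
    """Yield (timestamp, actor, event, file_id, verdict_or_None) per line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or garbled lines
        ts, actor, event, file_id = parts[:4]
        yield ts, actor, event, file_id, (parts[4] if len(parts) > 4 else None)


def triage(text, mode="prevention"):
    """Per file: the WildFire verdict, the hosts that ran it before the verdict
    arrived (the exposure window), whether that makes it a post-detection case,
    and the outcome of each later execution under the given policy mode."""
    verdicts = {}
    report = {}
    for ts, actor, event, file_id, verdict in parse_log(text):
        entry = report.setdefault(file_id, {"verdict": None, "post_detection": False,
                                            "ran_before_verdict": [], "after_verdict": []})
        if event == "VERDICT":
            verdicts[file_id] = entry["verdict"] = verdict
            # Post detection: a malware verdict for a file that already ran somewhere
            entry["post_detection"] = verdict == "malware" and bool(entry["ran_before_verdict"])
        elif event == "EXEC":
            if file_id not in verdicts:
                entry["ran_before_verdict"].append((ts, actor))  # exposure window
            elif verdicts[file_id] == "malware" and mode == "prevention":
                entry["after_verdict"].append((ts, actor, "blocked"))
            else:  # benign verdict, or notification mode: run proceeds, event only
                entry["after_verdict"].append((ts, actor, "allowed"))
    return report
```

Run `triage(SAMPLE_LOG)` for prevention mode and `triage(SAMPLE_LOG, mode="notification")` to see that in notification mode HOST-C's later execution of file-X is still allowed, which is the situation Jan points out.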