Traps 4.1 WildFire Post Detection

L2 Linker

Traps 4.1 WildFire Post Detection

Hi,

 

We are getting several "WildFire Post Detection" events. The source signer is unknown (or not signed at all).

 

Unlike files that are often identified as malware, only to be analysed in WildFire and come back as benign, these files remain as verdict "Malware".

 

When I look at the WildFire report, static analysis seems to flag these with some suspicious activity (none of which looks particularly concerning in the context of the file and what we know of it). Dynamic analysis shows the file as benign.

 

  1. Can someone please explain the "WildFire Post Detection" logic? What is this and how does it work?
  2. The "Action" is "notification" - does this mean that the user will continue to be able to run the file, or simply that, as it is a "post detection" event, the initial attempt was allowed, but now WildFire has flagged the file, further attempts will be blocked?
  3. Is my understanding correct in that it was flagged as malware due to the static analysis items in the WildFire report, or is it possibly due to something else I am not seeing? How can I know for sure?

I can't find a good explanation in the KB or admin guide on WildFire Post Detection events - everything refers to the event when the signer is trusted (which is not the case here).


Thanks!

Shannon

L1 Bithead

Re: Traps 4.1 WildFire Post Detection

Hi,

 

WildFire post detection means that in the first step the local analysis on the client has flagged the executable/macro/DLL as benign. In parallel the file is uploaded to WF and analysed by static analysis and a dynamic one. Afterwards the WildFire verdict for your file is malware. The ESM gets the verdict and creates this WildFire post detection event, because the local analysis verdict (benign) from the endpoint is changed to malware (the WF verdict).

So if this is your initial run of this file and you are running in prevention mode, the file would have been executed on the client. After the WF verdict is available on the ESM, further executions would be blocked.

In your case it does not matter, because you have applied a notification rule, so every file can be executed independently of the verdict.

 

To point 3: I would say you are right. Maybe a Palo Alto engineer or PAN support can give you deeper information.

 

I hope that helps you.

 

BR,

Jan
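As an added illustration of the flow Jan describes (this is not code from Palo Alto Networks, Traps, or anyone in this thread), the following Python model tracks a file's verdict per SHA-256 hash, lets the first execution through on the local "benign" verdict, raises a post-detection event when the cloud verdict flips to malware, and then enforces according to the rule mode. The class names, the action labels, the stand-in local analysis and the sample file bytes are all assumptions made for the example.

```python
"""Illustrative model of the Traps/WildFire post-detection flow.

Added example, not Palo Alto Networks code. Class and field names, the
action labels and the sample file content are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    UNKNOWN = "unknown"
    BENIGN = "benign"
    MALWARE = "malware"


class Mode(Enum):
    PREVENTION = "prevention"      # malware verdict blocks execution
    NOTIFICATION = "notification"  # malware verdict only logs, file still runs


@dataclass
class Event:
    kind: str       # "execution" or "wildfire_post_detection"
    sha256: str
    verdict: Verdict
    action: str     # "allowed", "blocked" or "notification"


@dataclass
class Esm:
    """Minimal stand-in for the ESM's verdict cache and event log (assumed)."""
    mode: Mode
    verdicts: Dict[str, Verdict] = field(default_factory=dict)
    events: List[Event] = field(default_factory=list)

    @staticmethod
    def local_analysis(content: bytes) -> Verdict:
        # Stand-in for the endpoint's local analysis. For this model it
        # returns benign for everything, so the cloud verdict can override it.
        return Verdict.BENIGN

    def _enforce(self, verdict: Verdict) -> str:
        if verdict is not Verdict.MALWARE:
            return "allowed"
        return "blocked" if self.mode is Mode.PREVENTION else "notification"

    def execute(self, content: bytes) -> Event:
        """Endpoint asks whether a file may run; answer from the cached verdict."""
        h = hashlib.sha256(content).hexdigest()
        if h not in self.verdicts:
            # First sighting: local verdict applies until WildFire answers.
            self.verdicts[h] = self.local_analysis(content)
        ev = Event("execution", h, self.verdicts[h], self._enforce(self.verdicts[h]))
        self.events.append(ev)
        return ev

    def wildfire_verdict(self, content: bytes, cloud: Verdict) -> Optional[Event]:
        """Cloud verdict arrives. A benign-to-malware change is a post detection."""
        h = hashlib.sha256(content).hexdigest()
        previous = self.verdicts.get(h, Verdict.UNKNOWN)
        self.verdicts[h] = cloud
        if previous is not Verdict.MALWARE and cloud is Verdict.MALWARE:
            # The action recorded is the enforcement later executions will get.
            ev = Event("wildfire_post_detection", h, cloud, self._enforce(cloud))
            self.events.append(ev)
            return ev
        return None


# Constructed sample file content; any bytes would do for the model.
SAMPLE_FILE = b"MZ\x90\x00unsigned-sample-binary"


def run_scenario(mode: Mode) -> List[Tuple[str, str]]:
    """First run, then the cloud verdict flips to malware, then a second run."""
    esm = Esm(mode)
    esm.execute(SAMPLE_FILE)
    esm.wildfire_verdict(SAMPLE_FILE, Verdict.MALWARE)
    esm.execute(SAMPLE_FILE)
    return [(e.kind, e.action) for e in esm.events]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, run_scenario(mode))
```

In prevention mode the log reads allowed, post detection, blocked: the first run got through on the local verdict and only later runs are stopped. In notification mode the second run is still allowed and merely logged, which is the situation described above where the rule action is "notification". A cloud verdict of benign produces no post-detection event at all.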
