Question about threat logs - Type wildfire-virus

L4 Transporter

Question about threat logs - Type wildfire-virus

Hi all,

 

Just wondering why I see in our threat logs entries with the type wildfire-virus only for the application smtp...

 

(I would like to post some screenshots, but I can't find the upload button?)

 

What is the type wildfire-virus standing for? And where can I enable it for other applications as well?

prb
L3 Networker

Re: Question about threat logs - Type wildfire-virus

Hi @Hithead,

 

wildfire-virus is a subtype used for WildFire signatures delivered via the WildFire signature database, to differentiate them from regular anti-virus signatures.

In short,

AV signatures are identified using subtype virus.

Wildfire signatures are identified using subtype wildfire-virus.

 

Hope this helps.

 

Thank You.

 

L4 Transporter

Re: Question about threat logs - Type wildfire-virus

Thank you very much for your response.

 

But I'm still wondering, why I see wildfire-virus logs only in combination with smtp... I guess wildfire-virus should also track and identify threats on other protocols/applications as well...

 

 

prb
L3 Networker

Re: Question about threat logs - Type wildfire-virus

Hi @Hithead

 

Sure, it should inspect traffic from other decoders as well.

 

Wildfire action is set using the highlighted column in anti-virus profile.

 

You might need to check a lot of other factors:

1. What is the action for decoders other than smtp?

2. The policy to which the AV profile is applied. Does it process other kinds of traffic?

3. If it does, does the other traffic actually carry any threat data?

4. Do you have any exceptions applied under the Applications tab in the screenshot above?

Etc.

 

Thank You.

L4 Transporter

Re: Question about threat logs - Type wildfire-virus

1. What is the action for decoders other than smtp?

Action: all block; WildFire Action: all block

 

2. The policy to which the AV profile is applied. Does it process other kinds of traffic?

No different AV profile is used between other rules, but the policy for smtp only allows smtp (app-default) traffic.

 

3. If it does, does the other traffic actually carry any threat data?

Threat data on other policies is there (except wildfire-virus).

 

4. Do you have any exceptions applied under the Applications tab in the screenshot above?

Nope.
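A quick way to check the pattern discussed in this thread (wildfire-virus entries only ever appearing for smtp) is to tally an exported threat log by subtype and application and list the apps that have regular AV hits but no WildFire hits. This is an added example, not code from the thread or from Palo Alto Networks; the sample rows and the column names are constructed for the example, not a real PAN-OS export layout.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample threat-log export. Column names and values are assumptions
# made for this example; map them to your own export's header before use.
SAMPLE_THREAT_LOG = """receive_time,type,subtype,app,src,dst,threat_name,action
2020/01/10 09:12:01,threat,wildfire-virus,smtp,10.1.1.5,203.0.113.10,ExampleWildFireSig.a,drop
2020/01/10 09:15:44,threat,virus,web-browsing,10.1.1.7,198.51.100.20,ExampleAvSig.a,drop
2020/01/10 09:20:13,threat,wildfire-virus,smtp,10.1.1.9,203.0.113.11,ExampleWildFireSig.b,drop
2020/01/10 09:31:02,threat,virus,ftp,10.1.1.12,198.51.100.30,ExampleAvSig.b,drop
2020/01/10 09:40:50,threat,vulnerability,web-browsing,10.1.1.7,198.51.100.40,ExampleVulnSig,alert
2020/01/10 09:55:19,threat,virus,smtp,10.1.1.5,203.0.113.12,ExampleAvSig.c,drop
"""


def tally_by_subtype_and_app(text):
    """Count threat-log rows per (subtype, app), skipping non-threat rows."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] != "threat":
            continue
        counts[(row["subtype"], row["app"])] += 1
    return counts


def apps_missing_wildfire(counts):
    """Apps that logged subtype 'virus' (regular AV) but never 'wildfire-virus'.

    These are the decoders/policies worth checking against the factors listed
    in the thread: WildFire action per decoder, which rules carry the profile,
    and application exceptions.
    """
    subtypes_by_app = defaultdict(set)
    for subtype, app in counts:
        subtypes_by_app[app].add(subtype)
    return sorted(app for app, subs in subtypes_by_app.items()
                  if "virus" in subs and "wildfire-virus" not in subs)


if __name__ == "__main__":
    tally = tally_by_subtype_and_app(SAMPLE_THREAT_LOG)
    for (subtype, app), n in sorted(tally.items()):
        print(f"{subtype:16} {app:14} {n}")
    print("AV hits but no WildFire hits:", apps_missing_wildfire(tally))
```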
