Trouble differentiating between malware already seen by WildFire and malware 'first seen' by WildFire


L1 Bithead

I'm having trouble determining which malware has already been seen by WildFire (therefore it was not re-sent for analysis and was blocked by the FW) vs. a file that our organization sent to WF and was determined to be malicious after analysis (not seen before by WF). This would significantly help our organization respond to malicious files that may have made it to internal systems (mail servers, desktops, etc.). Right now, I go into the analysis report and look at the first seen date... I know there's a better way.

Thanks!

L4 Transporter

Hello r_gine,

If a file has already been seen by WildFire, it will show as "wildfire skip" in the log.

Ben

L6 Presenter

In the Data Filtering log:

- action 'wildfire-upload-success' means the file was first seen by your device,
- action 'wildfire-upload-skip' means the file was already known to WF.

Yes, unfortunately you need to look in two log files to see whether it was malicious and whether you were the first to see it.

In addition to what @santonic said, you should have a look at the WildFire Submissions log. By default it will only display malicious files that were uploaded to the cloud, from which we can conclude that those files had not been previously seen by the WF cloud, were not blocked and made it through to your network.

You can also turn on the option Device > Setup > WildFire > Report benign files. With this option enabled, the WildFire Submissions log will also display benign files that were uploaded to the cloud.
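The two-log lookup described in the replies above can be automated by joining the exported Data Filtering log and WildFire Submissions log on the file digest. The script below is an added example, not part of this thread and not Palo Alto Networks code; the CSV column names (receive_time, src, dst, filename, filedigest, action, verdict) are an assumption modelled on PAN-OS CSV exports, and the log rows are constructed sample data, so check the header of your own export before pointing it at real logs.

```python
import csv
import io

# Constructed sample exports (not real firewall logs). The column names are an
# assumption modelled on PAN-OS CSV exports; check them against your own export
# header before running this on real data.
# Data Filtering log: one row per file transfer the firewall inspected.
DATA_FILTERING_CSV = """receive_time,src,dst,filename,filedigest,action
2019/03/04 09:12:01,10.0.0.5,203.0.113.9,invoice.pdf,HASH_A,wildfire-upload-success
2019/03/04 09:25:44,10.0.0.7,203.0.113.9,invoice.pdf,HASH_A,wildfire-upload-skip
2019/03/04 09:20:10,10.0.0.8,198.51.100.4,setup.exe,HASH_B,wildfire-upload-skip
2019/03/04 09:31:05,10.0.0.9,198.51.100.4,report.docx,HASH_C,wildfire-upload-success
2019/03/04 09:40:00,10.0.0.5,192.0.2.77,tool.exe,HASH_D,wildfire-upload-success
"""

# WildFire Submissions log: one row per uploaded file the cloud returned a
# verdict for. By default only malicious uploads are shown; the benign row for
# HASH_C only appears with "Report benign files" enabled. HASH_D has no verdict
# logged yet.
WILDFIRE_SUBMISSIONS_CSV = """receive_time,filename,filedigest,verdict
2019/03/04 09:17:30,invoice.pdf,HASH_A,malicious
2019/03/04 09:36:12,report.docx,HASH_C,benign
"""

UPLOADED = "wildfire-upload-success"   # our device sent the file: cloud had not seen it
SKIPPED = "wildfire-upload-skip"       # cloud already knew the digest: no upload


def parse(csv_text):
    """Read a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(data_filtering_rows, submission_rows):
    """Join both logs on file digest and bucket each file for triage.

    Returns {digest: {filename, actions, sessions, verdict, category}}.
    """
    verdicts = {r["filedigest"]: r["verdict"] for r in submission_rows}
    files = {}
    for r in data_filtering_rows:
        digest = r["filedigest"]
        entry = files.setdefault(digest, {
            "filename": r["filename"],
            "actions": set(),
            "sessions": set(),   # (src, dst) pairs; which side received the
                                 # file depends on the transfer direction
            "verdict": verdicts.get(digest, "no-verdict-logged"),
        })
        entry["actions"].add(r["action"])
        entry["sessions"].add((r["src"], r["dst"]))

    for entry in files.values():
        first_seen = UPLOADED in entry["actions"]
        verdict = entry["verdict"]
        if first_seen and verdict == "malicious":
            # Our device uploaded it, so the cloud had no verdict at that point:
            # the file may have reached the internal host. Triage these first.
            entry["category"] = "first-seen-malicious"
        elif first_seen and verdict == "benign":
            entry["category"] = "first-seen-benign"
        elif first_seen:
            entry["category"] = "first-seen-verdict-pending"
        elif SKIPPED in entry["actions"]:
            # Cloud already had this digest; by default it gets no row in the
            # WildFire Submissions log, so look it up in the analysis report.
            entry["category"] = "already-known-to-wildfire"
        else:
            entry["category"] = "other"
    return files


def triage(data_filtering_csv=DATA_FILTERING_CSV,
           submissions_csv=WILDFIRE_SUBMISSIONS_CSV):
    """Run the join on two CSV exports and return the per-digest buckets."""
    return classify(parse(data_filtering_csv), parse(submissions_csv))


if __name__ == "__main__":
    for digest, entry in sorted(triage().items()):
        hosts = ", ".join(f"{s}->{d}" for s, d in sorted(entry["sessions"]))
        print(f"{digest:8} {entry['category']:28} {entry['filename']:12} {hosts}")
```

Files bucketed as first-seen-malicious are the ones the original question is after: the Data Filtering log shows our firewall uploaded them, and the WildFire Submissions log later returned a malicious verdict, so the listed sessions are the internal systems to check. A digest that only ever shows wildfire-upload-skip has no Submissions row by default; its verdict still has to come from the analysis report, as the original poster does today.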
