03-01-2013 08:36 AM
The first question I have is how many layers will the file blocking inspect? For example, a zip in a zip has an exe that is malicious. If the PA doesn't inspect that far down wouldn't I be able to get through the firewall inspection?
If the above is true and I am the security network guy that wants to block this behavior, could I set up wildfire to forward-and-continue to block this? In other words, I am aware that the limit is 4 layers deep (if that is actually the depth) and I want to make sure this is not a limitation I would want to set up wildfire to forward .zip files that could potentially have malicious data the normal file blocking mechanism can't see. Also, is wildfire able to tear down a file in such a way that EVERYTHING is seen in the file and run the way the attacker wants it to? Could a file potentially be flagged benign when it's actually malware in wildfire?
If forward-and-continue is on and I deny the file can I get an email notification saying whether or not it was benign or malicious so that i don't have to log into the firewall and check every so often? I'm thinking of an entry box with something to the affect of "Enter you email for results" and then it emails the results.
03-01-2013 11:24 AM
Wow, what great questions you have asked. I will take a first pass at answering a few questions and if others in the forum want to add in or correct my statements, I would welcome it, to make sure everyone has the same understanding. I am going to edit your query and break out just those questions that need comment:
1) The first question is how many layers will the file blocking inspect? For example, a zip in a zip has an exe that is malicious. If the PA doesn't inspect that far down wouldn't I be able to get through the firewall inspection? Well, I am not sure of how many layers, I am confident in my testing that trying to put a zip into a zip (with an exe) has been tested numerous times and I believe Wildfire will check this as one of the many characteristics that are run to see what a file can do inside of Wildfire's virtual environment.
2) Could I set up wildfire to forward-and-continue to block this? Yes. If you create your file blocking rule that ANY zip file was Continue and Forwarded to Wildfire, would allow your use to hit the Continue button and also have it forwarded to Wildfire service.
3) Is wildfire able to tear down a file in such a way that EVERYTHING is seen in the file and run the way the attacker wants it to? Could a file potentially be flagged benign when it's actually malware in wildfire? Well, EVERYTHING is a pretty vague statement. Malware is constantly changing, and Wildfire does its best with its 100+ characteristics that Wildfire looks for when determining what is Benign or has Malware.
4) If forward-and-continue is on and I deny the file can I get an email notification saying whether or not it was benign or malicious so that i don't have to log into the firewall and check every so often? Well, you can DENY the file download, but there is no way to determine if it had malware, because you denied the action of downloading the file. You have ability to log into the Wildfire portal or FW (but not aware of email alerting).
5) I'm thinking of an entry box with something to the affect of "Enter you email for results" and then it emails the results. I have not seen this as an action item. I think you may be able to get email based on Severity Level in your logs, but if you have the Wildfire Service, then results from your uploads will show in this log and not your Threat or Traffic Logs.
03-01-2013 11:56 AM
1. Does anyone know the inspection depth in terms of layer?
2. But this would continue to download the file and not block it?
3. The everything was pertaining to the file itself. For example, if I had an exe in a zip and I selected to forward that to wildfire, would wildfire be able replicate everything the file was designed for?
4. So there isn't a foward-and-maybe I'll click on it later once wildfire has analyzed it? The PA can act as a proxy much like the SSL decryption and say "Hey, I see you don't know what this file is and you don't want to download and THEN send it, so I'll download it for you, forward it for you and then let you know if it's good or bad" That way, the host machine won't find out later after being infected.
5. Probably a feature request for non-admins of the PA device.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
