Wildfire Signature Based Blocks

Reply
L4 Transporter

Wildfire Signature Based Blocks

Hopefully a quick question - is there any way to determine whether a executable has been blocked because it was a Wildfire derived signature (for paying customers).  It may be obvious when it happens, but hard to know if it has etc.

Would like to be able to correlate the protection afforded by the service by providing a discrete count of executables blocked, and report them seperately from 'normal' AV blocks.

Thanks

Tags (1)
Highlighted
L5 Sessionator

Re: Wildfire Signature Based Blocks

Can you please try querying for (subtype eq wildfire) in the threat logs

L4 Transporter

Re: Wildfire Signature Based Blocks

Hi APackard,

Or you can go for an ID between 3 and 4 million in a report.  Remembering that WildFire signatures will end up in the regular AV ID range (between 2 and 3 million - well 299999 to be precise) once processed for customers with a threat license.

Good Luck!

L4 Transporter

Re: Wildfire Signature Based Blocks

Please take a look into PAN 5.0.10 fixes:

57763—When WildFire Action was configured as "default(Block)" in Antivirus profile,

block action didn't take effect as the default action was not configured internally. The

workaround is to configure WildFire Action as "Block" instead of "default(Block)".

Probalby your device didn't block any of the file...

Regards

SLawek

L4 Transporter

Re: Wildfire Signature Based Blocks

Thanks all, I'll check these out once I've got enough historical data with a 'paid-for' WildFire service to validate the results.

One other related question - is there, or is there a plan, to annotate the WildFire report with an attribute (or similar) as to the resultant signature e.g. if I logon to my portal and check a report after a couple of hours it'll tell me which WildFire update will protect against a repeat download?

Thanks

L4 Transporter

Re: Wildfire Signature Based Blocks

Hello Apackard,

As soon as the threat is identified in wildfire with the subscription license in place on device and automatic scheduled updates are set ( lets say an hour ) then the firewall would get the new wildfire version in the next hour. Now any further attempt of such threat traffic on the device it is logged in Wildfire logs and Threat logs. A simple search for threats in the range ( 3 to 4 million ) would give the results of the new threats being controlled.

The same threat will be pushed in next day updates through Antivirus content for other users who do not have wildfire license. Now from here on no more of the wildfire threat logs would be seen as from now it would be filed as antivirus threat.

Hope this helps !

Thanks

Not applicable

Re: Wildfire Signature Based Blocks

James@PANW wrote:

Hi APackard,

Or you can go for an ID between 3 and 4 million in a report.  Remembering that WildFire signatures will end up in the regular AV ID range (between 2 and 3 million - well 299999 to be precise) once processed for customers with a threat license.

Good Luck!

Just for clarification on my part.  A threat ID'd by WildFire in the 3mil+ range is changed to a regular threat value after it's rolled into the standard 24-hour update?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!