Wildfire - Time required to block known malware

Reply
L4 Transporter

Wildfire - Time required to block known malware

Using the 'free' Wildfire service, does anyone know how long should I expect the delay to be before downloads marked as malware are blocked subsequently?

For example, today we had a download ("pdf_delta_ticket.scr" below) that was logged as upload-skip which to my knowledge means that it has been seen before by this device.  As the last previous upload-success was ~6 days previously (and as it was a DLL it almost certainly wasn't the original download) this seems to suggest that the time taken is more than a few days (we download and install AV updates daily).

Rgds

Highlighted
L5 Sessionator

Re: Wildfire - Time required to block known malware

Whenever a new file is sent to wildfire it is analyzed for various malicious behaviors. You can login to your wildfire portal to check the status of your files i.e only if it is found to be malicious an av signature is created and released. So have you had a chance to look at your wildfire portal @ https://wildfire.paloaltonetworks.com/Wildfire .

Also refer the following documents:-

WildFire Decision Flow

How to Configure Wildfire

Thanks,

Subijith Raghunandan.

L4 Transporter

Re: Wildfire - Time required to block known malware

Yes - I've checked the portal and it is VERY malicious (turning off IE phishing protection, disabling the firewall etc)!

While I understand that some malware is polymorphic and will change it's binary fingerprint, the fact that this was a skipped upload means that it must have been seen before in it's current "guise" and I can only assume that it would have looked just as malicious previously (I can;t see why not). 

As we haven't had a upload for 4 days (and the most likely EXE upload was at least 12 days ago) that seems to suggest that no AV signature has been released in the previous 2 weeks that should have triggered on the re-download (or the signature released failed to match it properly?).

Rgds

L4 Transporter

Re: Wildfire - Time required to block known malware

However - having checked the flowchart in the referenced documents (thanks) I note that the hash check is actually performed in the Palo cloud, not on the PA device - so I guess this means that it is not dependent on the previous upload from our network.

Rgds

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!