Wildfire Submissions Log Verdict Mismatch with Wildfire Portal

by rcole on 05-31-2016 12:21 PM - edited on 05-31-2016 02:58 PM

Issue

A Wildfire Submissions log entry has a verdict that does not match the current verdict of a sample that is displayed in the Wildfire Analysis Report or the Wildfire Portal.


Cause

Sample verdicts can change after their initial analysis. For example, this can occur when a sample is reanalyzed with new features or indicators, when manual analysis is performed by our threat research team, or when new threat intelligence becomes available.


However, a Wildfire Submissions log entry that was recorded on the PAN-OS device before the verdict changed will continue to show the initial verdict from the original analysis: the verdict is stored locally in the log entry at the time of submission and is not updated afterwards.


To validate the current verdict of a sample, do the following:

  • Open the corresponding log entry in the Wildfire Submissions log by clicking the magnifying glass icon to the left of the log entry. Then, click the "Wildfire Analysis Report" tab to request the analysis report from the Wildfire public cloud, which displays the current verdict.


Example

To illustrate this visually, let's use the following sample, identified by its SHA256 hash:

04ff6cfdd3f3a3e8b4c2ba8cf0b690d142404ed67cf6849b2b51b01834af1adf


When this PAN-OS device first submitted the sample to Wildfire on 2/10 at 07:24:21, it received a verdict of "Malicious." See Figure 1 below:


FIGURE 1 - detail from WildFire logs in the WebGUI - showing malicious status

Now let's validate what the current verdict is. Click the magnifying glass to the left of the entry, and click "Wildfire Analysis Report". See Figure 2 below.

FIGURE 2 - detail from WildFire Analysis Report - showing Benign status


We can see that the verdict is currently "Benign," and was last updated on 2016-02-22.


If we want to validate through the Wildfire Portal, navigate to:

https://wildfire.paloaltonetworks.com/wildfire/reportlist

and query the hash value of the sample; the portal shows the same data as the analysis report above.


Additionally, please note that Wildfire email notifications contain only the verdict that was current at the time of submission. If a verdict changes after the analysis has been delivered by email, no additional notification is sent. However, the next time the same sample hash is submitted to Wildfire, the current, updated verdict is returned.
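As an added example (not from this article or from Palo Alto Networks), the following Python script re-checks stored Wildfire Submissions log verdicts against the current verdict, so that alerts raised from a stale "malicious" entry can be reconciled. The `api_verdict` helper uses the WildFire public API get/verdict call (endpoint and verdict codes as documented for that API; an API key is required), while `find_stale_verdicts` accepts any lookup function so it can run offline on the constructed log sample below.

```python
import csv
import io
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Verdict codes returned by the WildFire API get/verdict call, per the public API documentation.
VERDICT_CODES = {"0": "benign", "1": "malicious", "2": "grayware", "4": "phishing",
                 "-100": "pending", "-101": "error", "-102": "unknown", "-103": "invalid hash"}

# The sample hash walked through in the article, plus a constructed placeholder hash.
ARTICLE_HASH = "04ff6cfdd3f3a3e8b4c2ba8cf0b690d142404ed67cf6849b2b51b01834af1adf"
PLACEHOLDER_HASH = "ab" * 32

# Constructed export of Wildfire Submissions log entries (only the columns used here).
SAMPLE_LOG_CSV = ("receive_time,filedigest,verdict\n"
                  f"2016/02/10 07:24:21,{ARTICLE_HASH},malicious\n"
                  f"2016/02/11 09:02:10,{PLACEHOLDER_HASH},benign\n")

def api_verdict(api_key: str, sha256: str, timeout: int = 15) -> str:
    """Fetch the current verdict for a SHA256 from the WildFire public API (network call)."""
    body = urllib.parse.urlencode({"apikey": api_key, "hash": sha256}).encode()
    url = "https://wildfire.paloaltonetworks.com/publicapi/get/verdict"
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=timeout) as resp:
        root = ET.fromstring(resp.read())
    code = (root.findtext("./get-verdict-info/verdict") or "-102").strip()
    return VERDICT_CODES.get(code, "unknown")

def find_stale_verdicts(log_csv: str, lookup: Callable[[str], str]) -> List[Dict[str, str]]:
    """Return log entries whose stored verdict no longer matches the current one.

    `lookup` maps a SHA256 to a current verdict string (api_verdict bound to a key, or a
    local table for offline use). Non-final API states are skipped rather than reported.
    """
    stale = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        current = lookup(row["filedigest"].lower())
        if current in ("pending", "error", "unknown", "invalid hash"):
            continue  # no authoritative verdict to compare against
        if current != row["verdict"].lower():
            stale.append({**row, "current_verdict": current})
    return stale

if __name__ == "__main__":
    # Offline demo standing in for the API: the article's hash has since become benign.
    table = {ARTICLE_HASH: "benign", PLACEHOLDER_HASH: "benign"}
    for e in find_stale_verdicts(SAMPLE_LOG_CSV, lambda h: table.get(h, "unknown")):
        print(f"{e['receive_time']} {e['filedigest'][:12]}... stored={e['verdict']} now={e['current_verdict']}")
```

Feed it a CSV export of the Wildfire Submissions log with the same three columns and bind `lookup` to `functools.partial(api_verdict, api_key)` to reconcile against the live service.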
