A Wildfire Submissions log entry has a verdict that does not match the current verdict of a sample that is displayed in the Wildfire Analysis Report or the Wildfire Portal.
Sometimes sample verdicts can change after their initial analysis. For example, this could occur when a sample is reanalyzed with new features or indicators, when manual analysis is performed by our threat research team, or when new threat intelligence becomes available.
However, if a PAN-OS Wildfire Submissions log entry was recorded on the device before the verdict changed, it will continue to show the initial verdict from the original analysis, because the verdict is written into the local log entry at the time of submission and is not updated afterwards.
To validate the current verdict of a sample, do the following:
To illustrate this visually, let's use the following sample, SHA256 -
When this PAN-OS device first submitted the sample to Wildfire on 2/10 at 07:24:21, it received the verdict "Malicious." See Figure 1 below:
Now let's validate what the current verdict is. Click the spyglass icon to the left of the log entry, then click "Wildfire Analysis Report". See Figure 2 below.
We can see that the verdict is currently "Benign," and was last updated on 2016-02-22.
If we want to validate through the Wildfire Portal, navigate to:
and query the hash value of the sample, which will show the same data as present above.
Additionally, please note that Wildfire email notifications contain only the current verdict at the time of submission. If a verdict changes after this analysis is delivered via email notification, there will be no additional notification. However, the next time the same sample hash is submitted to Wildfire, it will return the current and updated verdict.
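As an added example (not part of this article), the following Python script shows the mismatch described above: it parses constructed Wildfire Submissions log lines, compares each locally stored verdict with the current verdict obtained from the Wildfire Portal or Analysis Report (represented here by a plain dictionary), and reports every sample whose verdict has changed since it was logged. The log line format, the hashes and the `CURRENT_VERDICTS` lookup are assumptions for illustration, not a real PAN-OS export or API.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Submission:
    logged_at: datetime      # time the PAN-OS device wrote the log entry
    sha256: str
    logged_verdict: str      # verdict as stored locally at that time


def parse_submission_log(text: str) -> list:
    """Parse constructed 'receive_time,sha256,verdict' lines into Submissions."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("receive_time"):
            continue  # skip blank lines and the header row
        ts, sha256, verdict = (f.strip() for f in line.split(",", 2))
        sha256 = sha256.lower()
        if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
            raise ValueError(f"not a SHA256 hash: {sha256!r}")
        entries.append(Submission(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                                  sha256, verdict.lower()))
    return entries


def find_stale_verdicts(entries, current_verdicts):
    """Return (sha256, logged_verdict, current_verdict) for each entry whose
    locally logged verdict differs from the current one. A hash the lookup
    does not know is reported as 'unknown' instead of being silently skipped."""
    stale = []
    for e in entries:
        current = current_verdicts.get(e.sha256, "unknown").lower()
        if current != e.logged_verdict:
            stale.append((e.sha256, e.logged_verdict, current))
    return stale


# Constructed sample data; the hashes are placeholders, not real indicators.
H_A, H_B, H_C = "a" * 64, "b" * 64, "c" * 64
SAMPLE_LOG = (
    "receive_time,sha256,verdict\n"
    f"2016/02/10 07:24:21,{H_A},malicious\n"   # verdict later changed to benign
    f"2016/02/11 09:02:10,{H_B},benign\n"
    f"2016/02/12 13:45:00,{H_C},grayware\n"    # not present in the current lookup
)
# Stand-in for querying the Wildfire Portal / Analysis Report for each hash.
CURRENT_VERDICTS = {H_A: "benign", H_B: "benign"}


def reconcile():
    return find_stale_verdicts(parse_submission_log(SAMPLE_LOG), CURRENT_VERDICTS)
```

Run `reconcile()` to list the samples whose logged verdict no longer matches; in a real deployment the dictionary would be replaced by a per-hash query of the portal or report.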