Did You Know: Batch (.bat) File Analysis

WildFire's Script Sample Support has been expanded to now also support batch (.bat) type files and can classify these using static (scan the code for known strings) and dynamic (run the script in a virtual environment and see what happens) analysis.

Just like with the other supported file types, when a malicious batch file is discovered, the WildFire cloud generates Command and Control (C2) and DNS signatures, which are distributed to all firewalls with an active subscription.

To be able to benefit from the capability to upload these samples, you should verify your firewall has PAN-OS 8.1 or later installed (any maintenance release will do) and the Threat content release package is release 8168 or later.

Any PAN-OS version with an active WildFire subscription will already benefit from the C2 Signatures, and PAN-OS 8.1 and later with an active subscription will be able to benefit from the DNS sinkhole feature.

To enable forwarding of .bat files, once you ensure the appropriate PAN-OS and Threats content package has been installed, access your WildFire Security Profile:

Objects > Security Profiles > WildFire Analysis > <profile> and add the 'script'. File Type to the profile(s) if you haven't done so already

script File Type

NOTE: Add only "script" File Type to public-cloud enabled profiles at this time, as these are not processed yet by private-cloud instances.

Make sure the profile has been added to all appropriate security rules under Policies > Security and monitor hits on this new capability through Monitor > WildFire Submissions

Stay frosty

Reaper

P.S. – You can also upload .bat files manually through the wildfire portal, or use the WildFire API to submit files.

WildFire Documentation:Batch File Analysis