Nominated Discussion: Verdict "malicious" and action "allow"

This Nominated Discussion Article is based on the post "Verdict "malicious" and action "allow"" by @Alpalo and answered by @Raido_Rattameister and @kiwi.

 

Hi team,

We are detecting some files with verdict "malicious" and action "allow".

[screenshot: Alpalo_0-1715594709155.png]

Can anybody help us change the action, or suggest another solution?

 

WildFire log?

 

If you click on the magnifying glass, WildFire Analysis Report tab then what does "First Seen Timestamp" show?

WildFire will pass through the malicious file on the first instance it sees the file, and when the verdict comes back from the sandbox it will show whether the verdict was benign or not. So in those cases you need to analyze the workstation to check whether it got infected.

 

Starting from 11.0.2 there is a new feature, "Hold Mode for WildFire Real-Time Signature Lookup":

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/wildfire-features/hold-mode-for-wi...

 

We have WildFire real-time configured and the action is reset-both, but we are seeing that the first time the verdict is benign; once the signature is created the verdict changes to malicious, but the result is still "allow". Is that correct? Is there any way to block these malicious files?

 

This is expected. Please check into the feature Hold Mode for WildFire Real-Time Signature Lookup.

With this feature you can prevent the initial transfer of known malware.

 

[image: WildFire Hold Mode]
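The triage Raido_Rattameister describes (compare the log time against "First Seen Timestamp" for every malicious-but-allowed file) as an added example, not code from the original thread or from Palo Alto Networks. It assumes a simplified, constructed log layout; the real PAN-OS WildFire Submissions CSV has many more fields in a different order, so the column mapping would need adjusting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample entries: logged time, source host, file name, verdict,
# action, WildFire first-seen time. (Assumed layout, not the product's CSV.)
SAMPLE_LOG = """\
2024-05-13T10:05:12,10.1.20.15,invoice.exe,malicious,allow,2024-05-13T10:05:12
2024-05-13T10:06:40,10.1.20.22,report.pdf,benign,allow,2024-05-13T10:06:40
2024-05-13T11:30:05,10.1.20.31,setup.exe,malicious,allow,2024-05-01T08:12:00
2024-05-13T11:45:00,10.1.20.15,dropper.exe,malicious,reset-both,2024-05-01T08:12:00
"""

# If the file was first seen within this window of the log entry, the transfer
# happened before a sandbox verdict existed (the expected pass-through case).
FIRST_SIGHT_WINDOW = timedelta(minutes=5)


@dataclass
class Entry:
    logged: datetime
    src: str
    filename: str
    verdict: str
    action: str
    first_seen: datetime


def parse_log(text: str) -> list[Entry]:
    """Parse the constructed comma-separated layout into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        logged, src, fn, verdict, action, first_seen = line.split(",")
        entries.append(Entry(datetime.fromisoformat(logged), src, fn, verdict,
                             action, datetime.fromisoformat(first_seen)))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (host, file, class) for each malicious file that was allowed.

    first-sighting: passed before the verdict returned; triage the host and
                    consider Hold Mode to stop the initial transfer.
    known-malware:  a signature already existed, so the profile action should
                    have applied; check the real-time lookup configuration.
    """
    findings = []
    for e in entries:
        if e.verdict != "malicious" or e.action != "allow":
            continue
        cls = "first-sighting" if e.logged - e.first_seen <= FIRST_SIGHT_WINDOW else "known-malware"
        findings.append((e.src, e.filename, cls))
    return findings
```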

 

 

Last Updated: 05-21-2024 07:39 AM