Determining false positives in Wildfire

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Determining false positives in Wildfire

L2 Linker

Disclaimer- I am a big fan of Wildfire. Since implementing it the beginning of this month, it has shed much light on malicious activity on our network. Thanks for it!

Like others in related posts, I would like to know more about the criteria for determining the verdict of malware. I received a report this mornting that a Dell BIOS file, DMC521-010111.EXE, was malware. This file came from Dell, and only one anitvirus software, Comodo, recognizes it as malicious.

Is it possible that by nature of a bios update, this exe, while appearing to do malicious things, is actually ok?

I'm also unclear about the process of wildfire- when a file is accessed by a user, I assume the user is allowed to download the unknown file, then it is uploaded to wildfire, then if determined malicious is written to an update. Once the update is applied, no other users can download that file, correct?

Robert

1 accepted solution

Accepted Solutions

L3 Networker

Thanks for your feedback on WildFire, we're glad it's useful.  Regarding your sample, we looked into it and determined that it was mistakenly labeled as malware because it was analyzed before we added Dell to our list of trusted authors.  The sample you submitted did many suspicious looking things, which can be perfectly legitimate for the type of application that it was.  The issue was corrected, and future submissions from Dell should not run into this issue.

To answer your other questions, yes, the file is delivered to the host without any interruption the first time it is seen.  It is analyzed by WildFire, and a forensics report along with a verdict is made available in the WildFire web portal.  You can use the data in the report to identify the affected host, check host-based AV coverage status, verify infection, and perform remediation, if needed.  If WildFire determines the sample to be malware, an AV signature is automatically generated and included in the next daily AV update, so future instances can be blocked at the firewall.

View solution in original post

5 REPLIES 5

L3 Networker

Thanks for your feedback on WildFire, we're glad it's useful.  Regarding your sample, we looked into it and determined that it was mistakenly labeled as malware because it was analyzed before we added Dell to our list of trusted authors.  The sample you submitted did many suspicious looking things, which can be perfectly legitimate for the type of application that it was.  The issue was corrected, and future submissions from Dell should not run into this issue.

To answer your other questions, yes, the file is delivered to the host without any interruption the first time it is seen.  It is analyzed by WildFire, and a forensics report along with a verdict is made available in the WildFire web portal.  You can use the data in the report to identify the affected host, check host-based AV coverage status, verify infection, and perform remediation, if needed.  If WildFire determines the sample to be malware, an AV signature is automatically generated and included in the next daily AV update, so future instances can be blocked at the firewall.

Im a bit allergic that just because its signed it will be marked clean.

Didnt Realtek got their signing cert stolen a few years ago (and some others last year)?

This way wildfire will fail detecting future stuxnet-like malware.

Perhaps the GUI of wildfire should be upgraded to handle this case?

Like yes this app acts very odd but its signed by a "trusted" issuer.

And where can one see which certs the wildfire trust by default?

I think this can be bad for the reputation of wildfire if badware wont be detected due to that PA for some reason trusts a specific vendor.

Flame is another good example why you should not trust signed code...

Flame worm was signed by forged Microsoft certificate

Hello,

I totally support your statement about signed executables being excluded.

That being said, most installers and driver software are doing 'nasty' things like install files in system folders , hard drive sectors , changing low level sytem settings and such , so tend to be flagged as malicious ... Or is it just a matter fine tuning wildfire engine ? Is it really possible ?

Anyway, great job on these live sandbox execution and reports.

I've got a silly question : do you also execute EXEs that are installed by an installer itself ? It seems that you aren't at first look.

L0 Member

How does a vendor get into that trusted vendor list?

  • 1 accepted solution
  • 6874 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!