How to Enable WildFire to block jar file with 'malicious' Verdict

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

How to Enable WildFire to block jar file with 'malicious' Verdict

L2 Linker

Hello Everyone,


New to Palo Alto firewalls and new to this forum.


Can I please ask how I go about changing the Wildfire action on a jar file to block?  The action for this file has been to allow the file, despite the file being flagged as "malicious, as can be seen below:


Wildfire jar.jpg



I wish to change the action to "block", as is the case with the "pe" files I can see in the Wildfire logs, as can be seen here:


Wildfire logs.jpg


Many thanks in advance.







Cyber Elite
Cyber Elite


Within the Antivirus Security Profile that is assigned to the rule allowing the SMTP traffic to pass, you'll have to modify the 'WildFire Action' to reset-both instead of the default action of 'alert'. This article HERE should point you in the proper direction

Dear BPry, many thanks for your reply.


I have checked the Anti-Virus profile that is assigned to the applicable rule (Internet to Email Gateway) and the WildFire action is set to "reset-both" for all the listed decoders, including smtp, as can be seen here:


Corp Anti-Virus.jpg


It would therefore seem that some other setting is at play here that is not immediately obvious.


I have examined the WildFire Analysis security profile, but this is set to analyze any file type and any application, so there does not appear to be a applicable setting here:


WildFire Settings.jpg


I'll continue to investigate..
















So one thing to potentially think about is if wildfire actually 'knew' about the file yet. A file that hasn't been inspected by WildFire which doesn't have identifyable markers for the Antivirus engine may log an as an 'alert' action until a wildfire signature has been generated for it. That may explain why you are seeing 'alert' actions rather than the desired 'reset-both' with this traffic. 

Dear BPry,


Many thanks for your reply and theory for why the email was allowed despite being malicious.


I have captured the timestamps of the Wildfire evets here, in case that helps accurately diagnose the issue:


WildFire Summary 1.jpg



WildFire Analysis Summary

File Information
File Type JAVA JAR
File Signer
SHA-256 149862f4894c9dba2b21b507fa7bde835e6a6a44e35040331c5ab1de3ec4027d
SHA1 b8aed21b09bda3f02c54c53267ba696a1286e092
MD5 0ecacad6f88e1ddb859e881c1662b4a9
File Size 556535 bytes
First Seen Timestamp 2018-01-26 06:28:06 UTC
Verdict malware


Does this information give more visibility to the issue?


Many thanks,



  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!