How to Enable WildFire to block jar file with 'malicious' Verdict

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to Enable WildFire to block jar file with 'malicious' Verdict

L2 Linker

Hello Everyone,

 

New to Palo Alto firewalls and new to this forum.

 

Can I please ask how I go about changing the Wildfire action on a jar file to block?  The action for this file has been to allow the file, despite the file being flagged as "malicious, as can be seen below:

 

Wildfire jar.jpg

 

 

I wish to change the action to "block", as is the case with the "pe" files I can see in the Wildfire logs, as can be seen here:

 

Wildfire logs.jpg

 

Many thanks in advance.

 

Regards,

Steve

 

 

4 REPLIES 4

Cyber Elite
Cyber Elite

@Steve-Phillips,

Within the Antivirus Security Profile that is assigned to the rule allowing the SMTP traffic to pass, you'll have to modify the 'WildFire Action' to reset-both instead of the default action of 'alert'. This article HERE should point you in the proper direction

Dear BPry, many thanks for your reply.

 

I have checked the Anti-Virus profile that is assigned to the applicable rule (Internet to Email Gateway) and the WildFire action is set to "reset-both" for all the listed decoders, including smtp, as can be seen here:

 

Corp Anti-Virus.jpg

 

It would therefore seem that some other setting is at play here that is not immediately obvious.

 

I have examined the WildFire Analysis security profile, but this is set to analyze any file type and any application, so there does not appear to be a applicable setting here:

 

WildFire Settings.jpg

 

I'll continue to investigate..

 

Regards,

Steve

 

 

 

 

 

 

 

 

 

 

 

@Steve-Phillips,

So one thing to potentially think about is if wildfire actually 'knew' about the file yet. A file that hasn't been inspected by WildFire which doesn't have identifyable markers for the Antivirus engine may log an as an 'alert' action until a wildfire signature has been generated for it. That may explain why you are seeing 'alert' actions rather than the desired 'reset-both' with this traffic. 

Dear BPry,

 

Many thanks for your reply and theory for why the email was allowed despite being malicious.

 

I have captured the timestamps of the Wildfire evets here, in case that helps accurately diagnose the issue:

 

WildFire Summary 1.jpg

 

 

WildFire Analysis Summary

 
File Information
File Type JAVA JAR
 
File Signer
 
SHA-256 149862f4894c9dba2b21b507fa7bde835e6a6a44e35040331c5ab1de3ec4027d
 
SHA1 b8aed21b09bda3f02c54c53267ba696a1286e092
 
MD5 0ecacad6f88e1ddb859e881c1662b4a9
 
File Size 556535 bytes
 
First Seen Timestamp 2018-01-26 06:28:06 UTC
 
Verdict malware
 

 

Does this information give more visibility to the issue?

 

Many thanks,

Steve

 

  • 2933 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!