Identifying files that were 'allowed' but are now known to be malicious

L1 Bithead

Wondering how others are tracking down files that were allowed through the firewall but later determined to be malicious (as a result of WF analysis)

L2 Linker

In my experience malicious files are usually downloaded via HTTP or sent by email.

In case of direct HTTP access you can easily find the potentially infected host from PA logs. In case of proxy access it is necessary to determine the end host from proxy server logs. PAN-OS 7.0 offers some extended XFF features and it should be possible to read the end host directly from PA logs, although I haven't tested it in production. In case of malicious email attachments it is necessary to determine the end mailbox from the mail server logs.

Hope it helps.

L1 Bithead

Thanks -- I don't think I was very clear in asking my question.


For this example, let's consider the case of an SMTP message with an attachment (Word Doc), assuming the Palo is configured to forward all file types to the WildFire public cloud for malware analysis.

1. If the data filtering log were to show 'wildfire-upload-skip', one could conclude that that file (hash) had been previously seen by WildFire. The file would not be uploaded to WildFire for analysis. If that file was deemed to be malicious by WildFire, the file would be 'Denied' and probably receive a 'subtype' of 'wildfire-virus'.

2. If the data filtering log were to show 'wildfire-upload-success', one could conclude that the file had not been seen before by WildFire and that the file would be allowed through the firewall (and on to the e-mail gateway and mail server). At this point, I want to know if that file/hash comes back from WF categorized as 'malicious'.

We are not logging 'benign' results from WildFire. I made the assumption that when I look in the 'WildFire Submission' log, those would show me the WF submissions that returned as malicious (and had been previously allowed through into the network); however, when I search for those files in my mail server and gateway, they're not there.



L2 Linker

You are correct. Malicious files visible in the WildFire submission logs should mean that they were allowed through the FW.

Please note that wildfire-upload-skip doesn't necessarily mean that the file will be blocked by the AV profile. Wildfire-upload-skip only means that the file was already uploaded to the cloud. There could be some scenarios when the file won't be uploaded because it is already being analyzed by the cloud but will not be blocked because the verdict is not yet available or the FW hasn't been updated yet.
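An added example, not code from this thread or from Palo Alto Networks, showing the correlation both replies describe: join a Data Filtering log export against a WildFire Submissions log export on file hash, keeping only rows the firewall allowed (including 'wildfire-upload-skip' rows, per the caveat above), so each hit points to the src/dst hosts to chase in mail-gateway or proxy logs. Column names and log lines are constructed; map them to the fields of your own exports.

```python
# Added example (not from the thread or Palo Alto Networks): correlate a
# Data Filtering log export with a WildFire Submissions log export by file
# hash to list files the firewall let through that later got a malicious
# verdict. Column names and log lines are constructed for illustration.
import csv
from io import StringIO

# Constructed Data Filtering log export. The 'wildfire-upload-skip' row with
# action 'allow' is included on purpose: the file was already known to the
# cloud but no verdict had reached the firewall yet, so it was not blocked.
DATA_FILTERING_CSV = """time,src,dst,app,action,subtype,filename,filedigest
2015-09-01 10:02:11,203.0.113.5,10.0.0.25,smtp,allow,wildfire-upload-success,invoice.doc,aaaa1111
2015-09-01 10:05:40,203.0.113.9,10.0.0.25,smtp,allow,wildfire-upload-skip,report.doc,bbbb2222
2015-09-01 10:07:02,198.51.100.7,10.0.0.25,smtp,deny,wildfire-virus,macro.doc,cccc3333
2015-09-01 10:09:15,203.0.113.12,10.0.0.40,web-browsing,allow,wildfire-upload-success,readme.pdf,dddd4444
"""

# Constructed WildFire Submissions log export (benign verdicts are not
# logged, as in the thread).
WILDFIRE_CSV = """time,filedigest,verdict,filename
2015-09-01 10:20:00,aaaa1111,malicious,invoice.doc
2015-09-01 10:21:00,bbbb2222,malicious,report.doc
2015-09-01 10:22:00,cccc3333,malicious,macro.doc
"""

# Both subtypes can accompany an 'allow': upload-success means first sighting,
# upload-skip means already known to the cloud but possibly still unverdicted.
ALLOWED_SUBTYPES = {"wildfire-upload-success", "wildfire-upload-skip"}


def load(csv_text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(csv_text)))


def allowed_then_malicious(data_filtering_rows, wildfire_rows):
    """Return Data Filtering rows for files the firewall allowed whose hash
    later appears in the WildFire Submissions log with a malicious verdict."""
    malicious = {r["filedigest"] for r in wildfire_rows if r["verdict"] == "malicious"}
    return [
        r for r in data_filtering_rows
        if r["action"] == "allow"
        and r["subtype"] in ALLOWED_SUBTYPES
        and r["filedigest"] in malicious
    ]


if __name__ == "__main__":
    for hit in allowed_then_malicious(load(DATA_FILTERING_CSV), load(WILDFIRE_CSV)):
        # src/dst/app are the pivot points for mail-gateway or proxy log searches
        print(hit["time"], hit["filedigest"], hit["filename"], hit["src"], "->", hit["dst"], hit["app"])
```

On the constructed data the denied 'wildfire-virus' row and the never-convicted PDF drop out, leaving the two allowed Word documents that later received a malicious verdict.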
