Not understanding "WildFire: Automatically Detect and Prevent Unknown Threats"


L1 Bithead

First of all, I'm very impressed with Palo Alto's firewall; I'm definitely a "fan". However, we purchased a WildFire subscription under this premise:

WildFireTM simplifies an organization’s response to the most dangerous threats, automatically detecting unknown malware and quickly preventing threats before an enterprise is compromised. Unlike legacy security solutions, WildFire quickly identifies and stops these advanced attacks without requiring manual human intervention or costly Incident Response (IR) services after the fact.

However, WildFire doesn't actually do this; it seems to do the exact opposite when it encounters an unknown file. When WildFire encounters a new file, it sends it to the WildFire cloud for analysis while also allowing it through the firewall. I understand that our little PA-200 can't hold every file, wait for the analysis to come back from WildFire on whether a file is benign or malware, and THEN release the file to the network if it's benign; however, the advertisement for WildFire would lead you to believe it does just that, or something similar, to "prevent unknown threats." If we receive an unknown malicious doc file via email (which we usually do almost every day), it will be delivered to the users' inbox, and a couple of hours later I'll get a report that it was malicious. By then our users will have already opened the file, or accused the firewall of not working because they received it; regardless of the complaint, it's now on the network.

I have verified our firewall configuration with Palo Alto support several times and am assured it's functioning as intended. Can someone explain how this "automatically detects unknown malware and quickly prevents threats without requiring manual human intervention" as the sales page implies? WildFire detects threats several hours after the malware has landed on the network and does nothing to stop a user from launching it thereafter.

Thank you for your time. I am really trying to get a complete understanding of WildFire and not trying to "criticize" it, but it doesn't seem to be functioning as advertised.

Luke




L1 Bithead

From a high level, here's how WildFire works:

1. File is downloaded and passed to WildFire for analysis

2. File is uploaded and determined to be malicious

3. New WildFire signature is created and downloaded per the settings on your firewall (it's best to set this to a low value to get the fastest response time; note, however, that downloading and applying WildFire signatures is resource-consuming and can get in the way of doing a commit)

4. Subsequent files will be handled according to the settings in your ANTIVIRUS policy

The confusion probably lies in the fact that you need to look under the Threat Prevention tab to see activity from your WildFire module. This article may help:

Wildfire Signatures vs Threat Prevention Signatures

Hope this helps.

Thank you, I believe I understand the WildFire process; however, I think step 1 is where I'm getting tripped up. If the file is downloaded and passed to WildFire for analysis, this is fine for all files that are not malware; however, if the file is determined to be malware by WildFire, it's too late: the file has already been downloaded and executed by the user.

Are there any future goals or feature requests that would change the functionality to disallow the file from being downloaded by the client until it has been analyzed by WildFire? I.e., the file would be downloaded to a temporary location in the firewall, sent to WildFire for analysis, then "released" to the client that downloaded it? I know this is probably wishful thinking, but it would be a great benefit and prevent a great deal of malware.

Yes, that expectation should have been set with you up front. One of the known limitations of these malware detonation services like WildFire and FireEye is that they are susceptible to patient-zero infections: the first will always get in.

I don't know if any inline service can do what you're looking for at this time, but a couple of alternatives are:

1. Create some scripts that utilize the APIs of WildFire to block access until an analysis has been made

2. Utilize an endpoint solution (e.g. Bit9) that allows you to block access to the file until WildFire has scanned it

3. You may look to enhance your email scanning solution for one that incorporates this tech into the scanning of attachments (e.g. Proofpoint)
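As an added illustration of alternative 1 above (not code from the thread or from Palo Alto Networks), here is a small quarantine gate that holds a file until a verdict is known and then releases or blocks it. The verdict lookup is injected as a function, so the HTTP call to WildFire's verdict API is an assumption left to the deployer; the numeric verdict codes are also an assumption from memory of the public API and should be checked against the current API reference.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed WildFire verdict codes (verify against the current API docs):
BENIGN, MALWARE, GRAYWARE, PHISHING = 0, 1, 2, 4
PENDING, UNKNOWN = -100, -102          # analysis running / hash never submitted


@dataclass
class QuarantineGate:
    """Hold a file (e.g. a mail attachment) until WildFire has a verdict."""
    lookup: Callable[[str], int]       # sha256 hex -> verdict code (API call)
    max_wait: float = 2 * 60 * 60      # seconds to hold before failing closed
    held: Dict[str, float] = field(default_factory=dict)  # sha256 -> first seen

    def decide(self, data: bytes, now: float = None) -> str:
        now = time.time() if now is None else now
        sha = hashlib.sha256(data).hexdigest()
        verdict = self.lookup(sha)
        if verdict == BENIGN:
            self.held.pop(sha, None)
            return "release"
        if verdict in (MALWARE, GRAYWARE, PHISHING):
            self.held.pop(sha, None)
            return "block"
        # UNKNOWN means the sample was never seen: a real deployment would
        # submit the file here (assumed submit endpoint, not shown).
        first = self.held.setdefault(sha, now)
        if now - first > self.max_wait:
            return "block"             # policy choice: fail closed on timeout
        return "hold"


def demo() -> dict:
    # Constructed sample verdict table standing in for the live API.
    table = {hashlib.sha256(b"invoice.doc").hexdigest(): MALWARE,
             hashlib.sha256(b"report.pdf").hexdigest(): BENIGN}
    gate = QuarantineGate(lookup=lambda sha: table.get(sha, PENDING), max_wait=10)
    return {
        "malware": gate.decide(b"invoice.doc", now=0),
        "benign": gate.decide(b"report.pdf", now=0),
        "new_first": gate.decide(b"never-seen.exe", now=0),
        "new_later": gate.decide(b"never-seen.exe", now=11),
    }
```

Failing closed after `max_wait` is what turns "patient zero gets in" into "patient zero waits"; a shop that cannot tolerate delayed mail would instead return "release" there and rely on the later signature.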

You should look at Palo Alto Networks "Traps" endpoint protection. There are additional tie-ins with WildFire to address this scenario.

L1 Bithead

Thank you both for the replies, I will look into Traps as an additional endpoint solution.

Thanks,

Luke
