PA will not update malware signature from sample malware files (http://wildfire.paloaltonetworks.com/publicapi/test/apk)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA will not update malware signature from sample malware files (http://wildfire.paloaltonetworks.com/publicapi/test/apk)

L3 Networker

 the customer want to test  pa wilfire  feature .

my test step:

1: from http://wildfire.paloaltonetworks.com/publicapi/test/apk, download the sample malware.the traffice throught the pa

2: when we can find the  wildire log from firewall  and theck the log report ,know the  malware files sha256

------------------------------------------------

log: 33, filename: wildfire-test-apk-file.apk
processed 120151 seconds ago, action: upload success
vsys_id: 1, session_id: 47055, transaction_id: 5
file_len: 1434514, flag: 0x801c, file type: apk
threat id: 52108, user_id: 0, app_id: 109
from 192.168.5.31/50643 to 34.84.44.247/80
SHA256: 2751671b591b6969b09f8c032cd89e6ae83a5f3ec819c8b923c673a6286cbec3

------------------------------------------------------------------------------------------------------------

3:then wait 48 hours,we go to  threat db lookup the  sha256 value,but we don't find the sha256.

so I think that  PA will not update malware signature to antiivirus  from sample malware files(http://wildfire.paloaltonetworks.com/publicapi/test/apk).is true  ?

 

4 REPLIES 4

L3 Networker

step 4:

I set up a web server, put the malicious file (apk)on this web server, and then use another host to download the ake malicious file again through HTTP. The traffic passes through the pa firewall. Although the file has been recognized by the firewall's wilfarire function, I also waited 48 hours to update the AV feature library, but the firewall's threat protection does not recognize the malicious file, Therefore, I think PA does not update the signature of the sample to the AV feature library.

Cyber Elite
Cyber Elite

Hello,

It should show up in the firewall logs, but might not show in the portal since its a known test file and they might not log it.

 

Regards,

hi  Otakarklier:

  thanks you reply.

  It should show up in the firewall logs, -----which log ,threat log or wildfire log  ?

  when we do  test with step 4, the firewall don't block this malware files (apk) why ?

 

threatvault.pngwildfire analysis reprot.png

  • 2842 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!