PA will not update malware signature from sample malware files (http://wildfire.paloaltonetworks.com/publicapi/test/apk)


L3 Networker

The customer wants to test the PA WildFire feature.

My test steps:

1: From http://wildfire.paloaltonetworks.com/publicapi/test/apk, download the sample malware. The traffic goes through the PA.

2: Then we can find the WildFire log on the firewall, check the log report, and learn the malware file's SHA256.

------------------------------------------------

log: 33, filename: wildfire-test-apk-file.apk
processed 120151 seconds ago, action: upload success
vsys_id: 1, session_id: 47055, transaction_id: 5
file_len: 1434514, flag: 0x801c, file type: apk
threat id: 52108, user_id: 0, app_id: 109
from 192.168.5.31/50643 to 34.84.44.247/80
SHA256: 2751671b591b6969b09f8c032cd89e6ae83a5f3ec819c8b923c673a6286cbec3

------------------------------------------------------------------------------------------------------------

3: Then wait 48 hours. We go to the threat DB to look up the SHA256 value, but we don't find the SHA256.

So I think that PA will not update the malware signature to antivirus from sample malware files (http://wildfire.paloaltonetworks.com/publicapi/test/apk). Is that true?

 

4 REPLIES

L3 Networker

Step 4:

I set up a web server, put the malicious file (apk) on this web server, and then used another host to download the apk malicious file again through HTTP. The traffic passes through the PA firewall. Although the file has been recognized by the firewall's WildFire function, and I also waited 48 hours for the AV feature library to update, the firewall's threat protection does not recognize the malicious file. Therefore, I think PA does not update the signature of the sample to the AV feature library.

Cyber Elite

Hello,

It should show up in the firewall logs, but might not show in the portal since it's a known test file and they might not log it.

 

Regards,

Hi Otakarklier:

Thanks for your reply.

"It should show up in the firewall logs" ----- which log, the threat log or the WildFire log?

When we do the test with step 4, the firewall doesn't block this malware file (apk). Why?

 
