08-19-2015 07:26 AM
Hi all,
Just wondering why I see entries in our threat logs with the type wildfire-virus only for the application smtp...
(I would like to post some screenshots, but I can't find the upload button?)
What does the type wildfire-virus stand for? And where can I enable it for other applications as well?
08-20-2015 05:14 AM
Hi @Hithead,
wildfire-virus is a subtype used for WildFire signatures delivered using the WildFire signature database, to differentiate them from regular anti-virus signatures.
In short,
AV signatures are identified using subtype virus.
WildFire signatures are identified using subtype wildfire-virus.
Hope this helps.
Thank You.
08-20-2015 05:24 AM
Thank you very much for your response.
But I'm still wondering, why I see wildfire-virus logs only in combination with smtp... I guess wildfire-virus should also track and identify threats on other protocols/applications as well...
08-20-2015 05:47 AM
Hi @Hithead
Sure it should inspect traffic from other decoders as well.
The WildFire action is set using the highlighted column in the anti-virus profile.
You might need to check a lot of other factors:
1. What is the action for other decoders than smtp?
2. The policy to which the AV profile is applied. Does it process other kinds of traffic?
3. If it does, does the other traffic actually carry any threat data?
4. Do you have any exceptions applied under applications tab in the screenshot above?
Etc.
Thank You.
08-20-2015 06:32 AM
1. What is the action for other decoders than smtp?
Action: all block; WildFire Action: all block
2. The policy to which the AV profile is applied. Does it process other kinds of traffic?
No different AV profile is used between other rules. But the policy for smtp only allows smtp (app-default) traffic.
3. If it does, does the other traffic actually carry any threat data?
Threat data on other policies is there (except wildfire-virus)
4. Do you have any exceptions applied under applications tab in the screenshot above?
nope