PE stands for Portable Exectuble. Currently the only file types (exe and dll) supported by Wildfire. Check Point is trying to catch up with threat emulation...
I'd be happy to see Wildfire supporting office documents as well as pdf files.
Side note, it's always good to block unknown udp,tcp traffic
Yeah only scanning exe, dll and scr is a bit limited.
Will be more interresting the day Wildfire also supports pdf, java, flash and office-documents.
And for that matter become a bit more critic of whats malware and whats benign (I somewhat disagress with PaloAlto on whats benign and whats not in terms of that what Wildfire thinks is beningn I think should be classified as malware 🙂
Looks like you've had some fun taking a look at WildFire's detection logic. I wanted to take the opportunity to address some of your findings just to clarify some of the items presented:
1. Your first three tests use custom binaries that open reverse shells as the "malicious behavior". Opening a reverse shell that never connects to bind to a shell is not something that can really be used to detect malware. If you start a reverse shell without successfully binding, all it really looks like is an attempted TCP connection. Since all we see in the sandbox is a failed TCP connection, there is nothing useful here to call the sample malware. Furthermore, the IP address chosen by your application is in private address space. Calling programs malware when all they do is open a TCP socket on private address space would quickly lead to problems.
2. If your sample were to perform a reverse shell to an external IP and actually bind to a server listening for the shell, the Palo Alto Networks IPS would have caught that reverse shell and triggered a critical reverse shell alert. If you are blocking on IPS signatures, this shell would have also been blocked, preventing the interactive session from taking place.
3. In the final test, you take malware (which was confirmed as malware by WildFire), run it through pescrambler, and run it through WildFire again to see if we can detect it as malware. The test comes back benign, and you'll notice that one of the behaviors observed is that the sample crashed when loaded. This is because pescrambler corrupted the EXE making it unloadable. In fact if you run it in your own environment, it crashes immediately. The pescrambler tool looks like it hasn't been updated in some time, and in fact has an open issue (https://code.google.com/p/pescrambler/issues/detail?id=1) describing the fact that it corrupts EXEs. Given that the sample doesn't successfully run, I wouldn't call this a false negative. In fact, any static file obfuscator like pescrambler is more useful in evading AV signatures, and not in evading dynamic sandbox-based analysis tools like WildFire. Scrambling a PE file causes the file image to change, but once it's running, WildFire doesn't care whether the file was scrambled or not. WildFire is looking at the runtime behaviors of the sample as it runs in the sandbox, regardless of how the PE file was obfuscated.
Having said all that, WildFire will never catch 100% but it is a valuable addition to our threat prevention technology stack in catching malware that evades the other layers of defense. If you have any other findings you would like to bring to our attention, please let us know or you can also reach out to me directly.
Product Manager, Threat Prevention
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!