Trouble differentiating between malware already seen by WildFire and malware 'first seen' by WildFire

L1 Bithead

I'm having trouble determining which malware has already been seen by WildFire (therefore it was not re-sent for analysis and was blocked by the FW) vs. a file that our organization sent to WF and was determined to be malicious after analysis (not seen before by WF). This would significantly help our organization respond to malicious files that may have made it to internal systems (mail servers, desktops, etc.). Right now, I go into the analysis report and look at the first seen date... I know there's a better way.

Thanks!

L4 Transporter

Hello r_gine,

If a file has already been seen by wildfire then it will show as wildfire skip in the log.

Ben

L5 Sessionator

In Data Filtering log:

- action 'wildfire-upload-success' means the file was first seen by your device,

- action 'wildfire-upload-skip' means the file was already known to WF.

Yes, unfortunately you need to look in 2 log files to see if it was malicious and if you were first to see it.

L2 Linker

In addition to what @santonic said, you should have a look at the WildFire Submissions log. By default it will only display malicious files that were uploaded to the cloud, from which we can conclude that those files had not been previously seen by the WF cloud, were not blocked, and made it through to your network.

You can also turn on the option Device > Setup > WildFire > Report benign files. With this option enabled, the WildFire Submissions log will also display benign files which were uploaded to the cloud.
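An added example (not from any poster in this thread, and not the real PAN-OS log layout; the column names and sample rows below are constructed) that joins the two logs described above on file hash: the Data Filtering action says whether this firewall was first to upload the file, and the WildFire Submissions verdict says whether that upload turned out malicious.

```python
import csv
import io

# Constructed Data Filtering export (assumed columns, not PAN-OS's real format).
# The action records whether the file was uploaded (first seen by this device)
# or skipped because the WildFire cloud already knew the hash.
DATA_FILTERING_LOG = """time,filename,sha256,action
2019-05-01T10:00:01,invoice.exe,aaaa1111,wildfire-upload-success
2019-05-01T10:02:14,setup.msi,bbbb2222,wildfire-upload-skip
2019-05-01T10:05:30,report.pdf,cccc3333,wildfire-upload-success
2019-05-01T10:07:45,update.dll,dddd4444,wildfire-upload-skip
"""

# Constructed WildFire Submissions export: verdicts for uploaded files only.
# Benign rows appear here only when "Report benign files" is enabled.
WILDFIRE_SUBMISSIONS_LOG = """time,filename,sha256,verdict
2019-05-01T10:06:40,invoice.exe,aaaa1111,malicious
2019-05-01T10:11:02,report.pdf,cccc3333,benign
"""


def parse(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(data_filtering, submissions):
    """Map sha256 -> category by joining the two logs on the file hash.

    first-seen-malicious: uploaded by us, verdict malicious (file reached the
                          network before any verdict existed; needs response)
    first-seen-benign:    uploaded by us, verdict benign
    first-seen-pending:   uploaded by us, no verdict in the submissions log yet
    known-skipped:        hash already known to the cloud; not re-analysed, and
                          its verdict must come from the firewall's own logs
    """
    verdict_by_hash = {row["sha256"]: row["verdict"] for row in submissions}
    result = {}
    for row in data_filtering:
        h = row["sha256"]
        if row["action"] == "wildfire-upload-skip":
            result[h] = "known-skipped"
        elif row["action"] == "wildfire-upload-success":
            result[h] = "first-seen-" + verdict_by_hash.get(h, "pending")
        else:
            result[h] = "other:" + row["action"]
    return result


def first_seen_malicious(data_filtering, submissions):
    """Hashes that were new to WildFire and came back malicious."""
    cats = classify(data_filtering, submissions)
    return sorted(h for h, c in cats.items() if c == "first-seen-malicious")


if __name__ == "__main__":
    df, sub = parse(DATA_FILTERING_LOG), parse(WILDFIRE_SUBMISSIONS_LOG)
    for h, cat in classify(df, sub).items():
        print(h, cat)
```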
