I'm having trouble determining which malware has already been seen by WildFire (therefore it was not re-sent for analysis and was blocked by the FW) vs. a file that our organization sent to WF and was determined to be malicious after analysis (not seen before by WF). This would significantly help our organization respond to malicious files that may have made it to internal systems (mail servers, desktops, etc.). Right now, I go into the analysis report and look at the first seen date... I know there's a better way.
Thanks!
Hello r_gine,
If a file has already been seen by WildFire, then it will show as "wildfire skip" in the log.
Ben
In Data Filtering log:
- action 'wildfire-upload-success' means the file was first seen by your device,
- action 'wildfire-upload-skip' means the file was already known to WF.
Yes, unfortunately you need to look in 2 log files to see if it was malicious and if you were first to see it.
In addition to what @santonic said, you should have a look at WildFire Submissions log. By default it will only display malicious files that were uploaded to the cloud, from which we can conclude that those files have not been previously seen by the WF cloud, were not blocked and made it through to your network.
You can also turn on the option Device > Setup > WildFire > Report benign files. With this option enabled, the WildFire Submissions log will also display benign files which were uploaded to the cloud.
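As an added illustration (not code from any of the posts above), the script below correlates the two logs the answers describe: the Data Filtering log tells you whether your device was first to upload a file ('wildfire-upload-success') or the file was already known ('wildfire-upload-skip'), and the WildFire Submissions log supplies the verdict. The column names are an assumed simplified CSV export, and the hashes, filenames and timestamps are constructed sample data.

```python
import csv
import io

# Constructed sample Data Filtering log export (assumed simplified columns).
DATA_FILTERING_CSV = """receive_time,action,filename,sha256
2024-01-10 09:00:01,wildfire-upload-success,invoice.pdf,aaa111
2024-01-10 09:05:12,wildfire-upload-skip,report.docx,bbb222
2024-01-10 09:07:33,wildfire-upload-success,setup.exe,ccc333
2024-01-10 09:09:40,wildfire-upload-skip,update.exe,ddd444
"""

# Constructed sample WildFire Submissions log export (assumed simplified columns).
# Only files actually uploaded appear here; 'benign' rows need "Report benign files" enabled.
WILDFIRE_SUBMISSIONS_CSV = """receive_time,filename,sha256,verdict
2024-01-10 09:12:00,invoice.pdf,aaa111,malicious
2024-01-10 09:15:00,setup.exe,ccc333,benign
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(data_filtering_rows, submissions_rows):
    """Map each sha256 from the Data Filtering log to a triage category."""
    verdicts = {r["sha256"]: r["verdict"] for r in submissions_rows}
    result = {}
    for r in data_filtering_rows:
        h = r["sha256"]
        if r["action"] == "wildfire-upload-skip":
            # Already known to WildFire: the firewall applied the existing verdict inline.
            result[h] = "known-to-wildfire"
        elif r["action"] == "wildfire-upload-success":
            # First seen by this device: verdict arrives later via the Submissions log.
            verdict = verdicts.get(h)
            if verdict is None:
                result[h] = "first-seen-pending"   # no verdict yet (or benign reporting off)
            else:
                result[h] = "first-seen-" + verdict
    return result


def needs_response(data_filtering_rows, submissions_rows):
    """Filenames that were first seen by us AND later judged malicious: these may have reached hosts."""
    cats = triage(data_filtering_rows, submissions_rows)
    return [r["filename"] for r in data_filtering_rows
            if cats.get(r["sha256"]) == "first-seen-malicious"]
```

Files in the "first-seen-malicious" bucket are the ones the original question is after: they were not blocked at upload time, so the mail server or endpoint that received them needs follow-up.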