Verdict "malicious" and action "allow"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Verdict "malicious" and action "allow"

L4 Transporter

Hi team

We are detecting some files with Verdict "malicious" and action "allow"

Alpalo_0-1715594709155.png

Can anybody help us for change the action or other solution?

Regards

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

WildFire log?

If you click on the magnifying glass, WildFire Analysis Report tab then what does "First Seen Timestamp" show?

WildFire will pass through the malicious file on first instance it sees the file and when verdict comes back from the sandbox it will show if verdict was benign or not. So in those cases you need to analyze workstation to check if it got infected.

 

Starting from 11.0.2 there is new feature "Hold Mode for WildFire Real-Time Signature Lookup"

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/wildfire-features/hold-mode-for-wi...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

WildFire log?

If you click on the magnifying glass, WildFire Analysis Report tab then what does "First Seen Timestamp" show?

WildFire will pass through the malicious file on first instance it sees the file and when verdict comes back from the sandbox it will show if verdict was benign or not. So in those cases you need to analyze workstation to check if it got infected.

 

Starting from 11.0.2 there is new feature "Hold Mode for WildFire Real-Time Signature Lookup"

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/wildfire-features/hold-mode-for-wi...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

We have wildfire real-time configured and the action is reset-both but we are seeing that the first time the veredict is benign, one the signature is created the veredict changes to malicious but the result keeps being "allow", Is that correct? Is there any way to block this malicious files?

Community Team Member

Hi @JuanMAbellan ,

 

This is expected.  Please check into the feature Hold Mode for WildFire Real-Time Signature Lookup as mentioned by @Raido_Rattameister .

With this feature you can prevent the initial transfer of known malware.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 1 accepted solution
  • 1526 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!