Wildfire behaviour

jesuscano
L4 Transporter

We cannot understand at all how WildFire works.

 

We realised that files WF detects, which have been downloaded and categorized as malware, can continue to be downloaded for a long time. This behaviour is not what we expected, which is that once a file is categorized as malware, the signatures are automatically updated in a short time and the next time it can no longer be downloaded.

We also do not understand how a file (being malicious) can be downloaded the first time.

 

Why does WF detect malware and yet this file can still be downloaded? Why does WF permit the first file to be downloaded to get a verdict?

Is there any document about how WF analysis works to resolve these doubts? Thanks.

BPry
Cyber Elite

@jesuscano

So just to start off, there's a whole lot here that can affect how effective WildFire is. There's a lot of local configuration that can determine whether or not the firewall actually has full visibility into the traffic, along with profile actions that need to all be configured correctly. So first things first, if it isn't working as you expect I would have someone like your SE or TAC look over your configuration and make sure you actually have everything set up properly.

 

We realised that files WF detects, which have been downloaded and categorized as malware, can continue to be downloaded for a long time. This behaviour is not what we expected, which is that once a file is categorized as malware, the signatures are automatically updated in a short time and the next time it can no longer be downloaded.

A malicious verdict does not instantly mean coverage. When WildFire determines a sample is malicious it sends it for a signature, and then those signatures are stacked and released every minute. Your local firewall is only going to refresh these signatures as often as you've told it to under dynamic updates.

 

We also do not understand how a file (being malicious) can be downloaded the first time.

I'm going to assume that you're talking about a post-download analysis verdict. When the download takes place, the WildFire analysis profile you have assigned to the security rulebase entry allowing the traffic is going to upload it for analysis. If the WildFire sandbox finds that file to be malicious, it retrieves the verdict and notes that in the logs. That simply means that it didn't match any of the WildFire signatures, so it was only known to be malicious once it was detonated in the sandbox environment.

 

This document does a fairly good job describing what actually happens.

https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-example.htm...

reaper
L7 Applicator

TL;DR: the WildFire profile only acts as a detector. It intercepts files and sends them to the cloud for analysis; any file received that passes a WildFire profile will have a report with its threat level (benign, grey-, malware).

 

Enforcement happens through the AV profile: when files are scanned and detected to be malware, a signature is created that is sent via WildFire updates (and aggregated once every 24 hours into an AV content update). Malware files can only be blocked if a signature exists in the AV engine to block them.

 

If a 0-day is received, the file is forwarded to WildFire and a minute (or longer) later, a signature is created to block it. That signature will immediately be available for download through WildFire dynamic updates, and later that day in the daily AV wrap-up, so depending on your subscription you can have a signature in minutes, or within 24 hours. The original file, however, had already passed the firewall because, at the time of receiving it, a signature was not available on your system to block it (via the AV profile).

 

 

Hope this helps.

 

Tom Piens - PANgurus.com
Like my answer? Check out my book! amazon.com/dp/1789956374
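The timing argument in the replies above (verdict first, signature released every minute, coverage only when the firewall next pulls updates, or after the daily AV wrap-up) as an added worked model; this is example code, not anything from Palo Alto Networks or the posters. It assumes a firewall checks for updates at fixed multiples of its configured interval, counted in minutes from an arbitrary minute 0, and it ignores download time and profile misconfiguration.

```python
from dataclasses import dataclass
from typing import Optional

# Cadences stated in the thread (minutes).
WILDFIRE_RELEASE_INTERVAL_MIN = 1        # WildFire signatures stacked and released every minute
AV_DAILY_RELEASE_INTERVAL_MIN = 24 * 60  # WildFire signatures aggregated into the daily AV content update


@dataclass
class FirewallSchedule:
    """How often this firewall pulls each dynamic-update feed (assumed model)."""
    wildfire_check_interval_min: Optional[int]  # None = no WildFire real-time update subscription
    av_check_interval_min: int                  # interval for AV content updates


def next_multiple(t: int, interval: int) -> int:
    """Earliest multiple of `interval` at or after minute t (assumed update alignment)."""
    return ((t + interval - 1) // interval) * interval


def earliest_block_minute(verdict_min: int, fw: FirewallSchedule) -> int:
    """First minute at which a new download of the sample is blocked by the AV engine.

    verdict_min: minute at which the sandbox returned the malicious verdict.
    """
    # The signature goes out in the next one-minute WildFire release.
    wf_release = next_multiple(verdict_min, WILDFIRE_RELEASE_INTERVAL_MIN)
    candidates = []
    # Path 1: WildFire dynamic updates, if the firewall is subscribed and scheduled.
    if fw.wildfire_check_interval_min is not None:
        candidates.append(next_multiple(wf_release, fw.wildfire_check_interval_min))
    # Path 2: the daily AV content update that bundles the WildFire signatures.
    av_release = next_multiple(wf_release, AV_DAILY_RELEASE_INTERVAL_MIN)
    candidates.append(next_multiple(av_release, fw.av_check_interval_min))
    return min(candidates)


def is_blocked(download_min: int, verdict_min: int, fw: FirewallSchedule) -> bool:
    """Whether a download at `download_min` is stopped. The first download (before the
    verdict exists) is never blocked: that is the post-download verdict the thread describes."""
    return download_min >= earliest_block_minute(verdict_min, fw)


if __name__ == "__main__":
    # Constructed scenario: sandbox verdict 5 minutes after the first download at minute 0.
    realtime = FirewallSchedule(wildfire_check_interval_min=15, av_check_interval_min=60)
    av_only = FirewallSchedule(wildfire_check_interval_min=None, av_check_interval_min=60)
    print("with WildFire updates every 15 min, blocked from minute", earliest_block_minute(5, realtime))
    print("with daily AV only, blocked from minute", earliest_block_minute(5, av_only))
```

Shortening `wildfire_check_interval_min` in the realtime schedule is the configuration lever the first reply points at; the long window in the `av_only` case is the "can continue to be downloaded for a long time" behaviour the question describes.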