11-09-2011 07:41 AM
Hello all,
As many of you guys, we have downloaded and installed the latest version of PAN OS - 4.1.0
Do you have by any chance first feedbacks about the new wildfire feature ?
Although the configuration is pretty straight & easy, we notice some strange behaviours:
For example, a EXE file is seen as a virus (Trojan/Win32.autohk.bd) by the threat prevention. However, when this very same file is sent to wildfire, and after a short analysis, this file is noted as "benign".
Do other people notice the same thing ?
Moreover, can we find somewhere a documentation about the meaning of all counters shown in the "show wildfire statistics" ?
For example, "FWD_CNT_LOCAL_FILE", etc.
We'll be happy to hear about your first feedbacks about this new feature.
Regards,
11-09-2011 09:51 AM
The short answer would be files moving on the wire look different once they are on the system and running. I'm guessing Wildfire allows Palo Alto to bridge the gap between false positives and the real deal in their signatures.
11-09-2011 10:40 AM
I have yet to download and install 4.1, but it was my understanding that Wildfire was not on by default... Is that correct?
11-09-2011 11:49 AM
Umphmahardingu > Do you mean that if Wildfire ran the EXE and found the file as "begnin" and if the Threat Prevention of PAN device based on signatures considered the EXE as a trojan, the reality is that the EXE is indeed a trojan but harmless for hosts ? In other words in this particular case, does it mean that the trojan detected by the threat prevention is a false positive one... ?
prince.mcdonald > It is correct: You have to configure first a file blocking profile with the action "forward" or "continue-and-forward' (if you want the drive-by-download feature as well). Then, you will apply this FB profile on the FW rules.
Regards,
11-09-2011 11:53 AM
There are several reasons that a file caught by an AV signature might not
be categorized as malicious by WildFire. WildFire does not use
signatures, but instead actually runs the sample in a virtual sandbox and
analyzes its behavior for potentially malicious actions. It is possible
that the actions performed by the sample were not by themselves
sufficiently malicious for WildFire to automatically call it malware,
whereas the sample may have also been analyzed manually by the AV
community, which labeled it a virus based on a variety of factors. For
example, virus signatures are often created for "potentially unwanted"
software that might not perform blatantly malicious actions by itself. It
is also possible that the AV signature hit is a false positive. Feel free
to send samples of suspected false positives or false negatives our way
for analysis.
Using Palo Alto Networks in-line antivirus protection together with
WildFire behavioral analysis provides a layered defense-in-depth approach
to protecting networks from the modern malware threat.
11-09-2011 11:53 AM
Correct. To allow your device to use WildFire, you need to create or edit
a file blocking profile by setting an action of "forward" or
"continue-and-forward" for Portable Executable (PE) files types, and apply
this profile to a security policy that matches the traffic you wish to
analyze (inbound Internet traffic, typically). You can also manually
upload files for analysis through your web browser at the WildFire web
portal (wildfire.paloaltonetworks.com) by clicking the Upload button.
01-10-2012 12:54 PM
Wich kind of policy do you use? from "outside or untrust" any to "inside or trust" any etc... with profile file blocking with a file blocking policy who check exe and dll files, in direction download or both direction with action continue and forward?
01-10-2012 02:18 PM
Speaking of wildfire... I assume that "bening" means that "file ok"?
Because I have manually uploaded a file thats anything but "bening" but wildfire still draws the conclusion that the file is bening (even if the report detected that the file tries to drop stuff at c:\sample.exe and modify registry and other kind of dirty work).
Is there perhaps some document who better describes why wildfire thinks stuff is bening while it obviously isnt (at least from my point of view 😉 ?
01-10-2012 02:41 PM
http://en.wiktionary.org/wiki/benign
Presumably the wildfire system isn't as thorough as you are assuming. Plus, just because an exe tries to create another exe in c:\ doesn't necessarily mean it is bad - this is effectively what installers do.
01-10-2012 02:48 PM
WildFire categorizes files as "benign" or "malicious" based on analysis of actions the sample performs as it runs in a virtualized environment. This system is very effective at finding previously unknown "zero-day malware", but it can never be 100% fool proof. It is possible for malware to not perform anything overtly malicious while it is under analysis. It is also possible for the behaviors performed by the malware to not be sufficiently malicious for WildFire to label it malware. If you have a sample you think should be categorized as malware but was categorized as benign, feel free to send it our way and we'll take a look. We are constantly adding behaviors for WildFire to look for in order to correctly categorize malware.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
