Wildfire feedback

alliance
Not applicable

Hello all,

Like many of you, we have downloaded and installed the latest version of PAN-OS, 4.1.0.

Do you by any chance have any initial feedback about the new WildFire feature?

Although the configuration is pretty straight & easy, we notice some strange behaviours:

For example, an EXE file is seen as a virus (Trojan/Win32.autohk.bd) by the threat prevention. However, when this very same file is sent to WildFire, and after a short analysis, this file is noted as "benign".

Do other people notice the same thing?

Moreover, can we find documentation somewhere about the meaning of all the counters shown by "show wildfire statistics"?

For example, "FWD_CNT_LOCAL_FILE", etc.

We'll be happy to hear your initial feedback about this new feature.

Regards,

mharding
L4 Transporter

The short answer would be files moving on the wire look different once they are on the system and running. I'm guessing Wildfire allows Palo Alto to bridge the gap between false positives and the real deal in their signatures.

migration
L0 Member

I have yet to download and install 4.1, but it was my understanding that Wildfire was not on by default... Is that correct?

alliance
Not applicable


mharding > Do you mean that if WildFire ran the EXE and found the file "benign", and if the Threat Prevention of the PAN device, based on signatures, considered the EXE a trojan, the reality is that the EXE is indeed a trojan but harmless for hosts? In other words, in this particular case, does it mean that the trojan detected by the threat prevention is a false positive...?

prince.mcdonald > It is correct: you first have to configure a file blocking profile with the action "forward" or "continue-and-forward" (if you want the drive-by-download feature as well). Then you apply this FB profile on the FW rules.

Regards,

tettema
L3 Networker

There are several reasons that a file caught by an AV signature might not be categorized as malicious by WildFire. WildFire does not use signatures, but instead actually runs the sample in a virtual sandbox and analyzes its behavior for potentially malicious actions. It is possible that the actions performed by the sample were not by themselves sufficiently malicious for WildFire to automatically call it malware, whereas the sample may have also been analyzed manually by the AV community, which labeled it a virus based on a variety of factors. For example, virus signatures are often created for "potentially unwanted" software that might not perform blatantly malicious actions by itself. It is also possible that the AV signature hit is a false positive. Feel free to send samples of suspected false positives or false negatives our way for analysis.

Using Palo Alto Networks in-line antivirus protection together with WildFire behavioral analysis provides a layered defense-in-depth approach to protecting networks from the modern malware threat.

tettema
L3 Networker

Correct. To allow your device to use WildFire, you need to create or edit a file blocking profile by setting an action of "forward" or "continue-and-forward" for Portable Executable (PE) file types, and apply this profile to a security policy that matches the traffic you wish to analyze (inbound Internet traffic, typically). You can also manually upload files for analysis through your web browser at the WildFire web portal (wildfire.paloaltonetworks.com) by clicking the Upload button.

fcellini
Not applicable

Which kind of policy do you use? From "outside or untrust" any to "inside or trust" any, etc., with a file blocking profile that checks exe and dll files, in direction download or both directions, with action continue-and-forward?

mikand
L6 Presenter

Speaking of WildFire... I assume that "benign" means "file ok"?

Because I have manually uploaded a file that's anything but "benign", but WildFire still draws the conclusion that the file is benign (even if the report detected that the file tries to drop stuff at c:\sample.exe and modify the registry and other kinds of dirty work).

Is there perhaps some document that better describes why WildFire thinks stuff is benign while it obviously isn't (at least from my point of view ;-) )?

bradenmcg
L3 Networker

http://en.wiktionary.org/wiki/benign

Presumably the wildfire system isn't as thorough as you are assuming.  Plus, just because an exe tries to create another exe in c:\ doesn't necessarily mean it is bad - this is effectively what installers do.

tettema
L3 Networker

WildFire categorizes files as "benign" or "malicious" based on analysis of actions the sample performs as it runs in a virtualized environment. This system is very effective at finding previously unknown "zero-day malware", but it can never be 100% foolproof. It is possible for malware to not perform anything overtly malicious while it is under analysis. It is also possible for the behaviors performed by the malware to not be sufficiently malicious for WildFire to label it malware. If you have a sample you think should be categorized as malware but was categorized as benign, feel free to send it our way and we'll take a look. We are constantly adding behaviors for WildFire to look for in order to correctly categorize malware.
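The two tettema posts above describe the same decision from two sides: a sandbox verdict is a threshold over observed behaviours (dropping a file and touching the registry is what installers do too), while the in-line AV signature is an independent signal, and the two layers are meant to be combined rather than trusted alone. The following toy verdict combiner, written for this thread as an illustration and not Palo Alto Networks or WildFire code, makes that concrete; the behaviour names, weights, threshold and the three sample reports are all constructed for the example.

```python
"""Toy two-layer verdict combiner (added example, not WildFire's logic).

Layer 1: an in-line AV signature name, or None when no signature hit.
Layer 2: a sandbox report listing the behaviours observed while the sample ran.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed weights: how suspicious a single behaviour is on its own.
# Low weights model "what installers do too"; high weights model actions
# that have no legitimate reason to appear in a downloaded executable.
BEHAVIOUR_WEIGHTS = {
    "drop_file": 1,          # writes another executable to disk
    "registry_modify": 1,    # edits registry keys (installers do this)
    "registry_run_key": 3,   # adds an autostart entry (persistence)
    "disable_security": 5,   # tampers with AV / firewall settings
    "inject_process": 5,     # writes code into another process
    "contact_c2": 4,         # beacons to a command-and-control host
}
MALICIOUS_THRESHOLD = 5      # constructed cut-off for the sandbox verdict


@dataclass
class SandboxReport:
    sample_name: str
    behaviours: List[str]


def sandbox_verdict(report: SandboxReport) -> Tuple[str, int]:
    """Return ("benign"|"malicious", score) from the behaviour list alone.

    Unknown behaviour names score 0 so a richer report never crashes the scorer.
    """
    score = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in report.behaviours)
    return ("malicious" if score >= MALICIOUS_THRESHOLD else "benign", score)


def combined_verdict(av_signature: Optional[str], report: SandboxReport) -> Tuple[str, str]:
    """Combine both layers into an action and a human-readable reason.

    - sandbox malicious            -> block (behaviour evidence is decisive)
    - signature hit, sandbox benign -> block, but queue for analyst review:
                                      it may be a PUP or a signature false positive
    - no signature, sandbox benign  -> allow
    """
    label, score = sandbox_verdict(report)
    if label == "malicious":
        return "block", f"sandbox scored {score} >= {MALICIOUS_THRESHOLD}"
    if av_signature:
        return ("block-and-review",
                f"signature {av_signature} hit but sandbox benign (score {score}); "
                "possible PUP or false positive, send sample for analysis")
    return "allow", f"no signature hit, sandbox benign (score {score})"


# Constructed sample reports (no real files or hashes involved).
THREAD_CASE = SandboxReport("setup_tool.exe", ["drop_file", "registry_modify"])
INSTALLER_CASE = SandboxReport("vendor_installer.exe", ["drop_file", "registry_modify"])
MALWARE_CASE = SandboxReport("invoice.exe",
                             ["drop_file", "registry_run_key", "disable_security"])


def demo() -> List[Tuple[str, str, str]]:
    """Run the three constructed cases; returns (sample, action, reason)."""
    cases = [
        ("Trojan/Win32.autohk.bd", THREAD_CASE),   # signature name from the thread
        (None, INSTALLER_CASE),
        (None, MALWARE_CASE),
    ]
    results = []
    for sig, rep in cases:
        action, reason = combined_verdict(sig, rep)
        results.append((rep.sample_name, action, reason))
    return results


if __name__ == "__main__":
    for sample, action, reason in demo():
        print(f"{sample:22} {action:17} {reason}")
```

Running it shows the situation alliance described: the same behaviour list comes back "benign" from the sandbox whether or not a signature fired, and only the signature layer turns the thread's file into a block-and-review case. The weights and threshold are the whole point of tuning such a system: raise the weight of `drop_file` and every installer becomes malware, lower the threshold and the false-negative rate rises.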
