Wildfire file exceptions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wildfire file exceptions

L1 Bithead

Hey everyone, sorry if this was posted before and missed it in searching.

I am receiving an enormous number of alerts from Wildfire, due to an internal application that our desktop engineering created.  Its more or less is just an exe that creates short cuts to our internal HR portal, which Wildfire believes to be malware.

What I am looking for is a way that I can still continue to send up all PE files to Wildfire, but create an exception list of items that are known to be good, or can be flagged as benign like a trusted file.  I am sure that I will run across this more and more, as we do a lot of custom packaging in our environment.

Any help would be appreciated.

Thanks

Jeremy

1 accepted solution

Accepted Solutions

Here is what I ended up doing to fix my situation.

1. Created an Address Group for my app deployment servers that were deploying the app.

2. Created 2 security rules in the "Pre" device rules, 1 rule for the app deployment servers as a source and 2nd rule as the app deployment servers as the destinations.

3. Did not associate the rules to a File Blocking profile, so no files coming from these servers get forwarded to Wildfire.

This seems to be working like a charm, and no further alerts.

View solution in original post

3 REPLIES 3

L7 Applicator

HI,

Please collect  threat ID from the PA firewall logs, which is generated by the PA due to that EXE file and PA firewall believes as a malware.

1. Put that ID and search under "Exceptions" TAB

2.  Set appropriate action for it.

3. OK and commit the changes.

Example: Re: Adding Threat Exceptions

                  Still no way to set SPECIFIC threat exceptions???

                  Re: Threat exception for selected hosts

                 Do I Understand Profile Exceptions?

For more info about wildfire, please follow below mentioned document.

Threat Prevention Deployment Tech Note

Thanks

HULK thank you for the information.  From what I am seeing in the threat logs, the ID is unique to each exception, and cannot possibly capture each one in a single exception.  Can you provide a bit more detail on the Threat ID, to ensure I am looking at the right information?

Thanks

Here is what I ended up doing to fix my situation.

1. Created an Address Group for my app deployment servers that were deploying the app.

2. Created 2 security rules in the "Pre" device rules, 1 rule for the app deployment servers as a source and 2nd rule as the app deployment servers as the destinations.

3. Did not associate the rules to a File Blocking profile, so no files coming from these servers get forwarded to Wildfire.

This seems to be working like a charm, and no further alerts.

  • 1 accepted solution
  • 6433 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!