WildFire Question


I have a question about the functionality of WildFire. Here is the scenario (assume we have a WildFire subscription, so we are getting updates every 30 minutes):

  1. A user gets an email to download "file.exe" at 0800.
  2. This hash does not match anything and is sent up to the cloud for analysis.
  3. Analysis confirms this file is / has malware. It has not seen this malware before, so a new signature is generated; let's say, for argument's sake, it turns it around fast and is updated at 0830.
  4. Another user comes in at 0900, gets the same email with the same link to the same file, and clicks the link ...

Will the PA stop that user from downloading that file?

L7 Applicator

Hello Mrsold,

Yes, PA should stop that user from downloading that file.

A few more pieces of info for your reference:

WildFire, page 2 (How Does WildFire Work?):

The new signature will be distributed within 30-60 minutes to all Palo Alto Networks firewalls equipped with a WildFire subscription, or the following day as part of the antivirus update for firewalls equipped with a Threat Prevention subscription only.

NOTE: For continue or continue-and-forward, you can only choose the application web-browsing. If you choose any other application, traffic that matches the security policy will not flow through the firewall, because the users will not be prompted with a continue page.

Hope this helps.

Thanks

Not applicable

Thanks Hulk.

So I'm assuming the hash associated with "file.exe" is hashed and subsequently blocked by WildFire / Threat Prevention. Obviously, if that same malware were to be packaged in a different exe, say "file1.exe", the process would have to start over...

-Mike

L7 Applicator

Hello Mike,

PAN will check the hash of that file, hence it does not matter what the file name is (file.exe or file1.exe).

A few more pieces of info:

To verify if any files have been forwarded to the server, enter the following command:

    > show wildfire status

    Connection info:
    Wildfire cloud: default cloud
    Status: Idle
    Best server: va-s1.wildfire.paloaltonetworks.com
    Device registered: yes
    Service route IP address: 192.168.1.1
    Signature verification: enable
    Server selection: enable
    Through a proxy: no

    Forwarding info:
    file size limit (MB): 2
    file idle time out (second): 90
    total file forwarded: 0 >>>>>>>>>
    forwarding rate (per minute): 0
    concurrent files: 0

The total file forwarded counter will provide the number of files being forwarded to the server. Data filtering logs can be used to check the status of the file. Here are the three actions available:

Action-1: Forward but no wildfire-upload-success or wildfire-upload-skip means the file is either signed by a trusted file signer or a benign sample that the cloud has already seen. Below is an explanation of the different status possibilities.

Forward - Data plane detected a PE (Potentially Executable) file on a WildFire-enabled policy. The PE file is buffered in the management plane.

If only forward is displayed for a specific file, it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files). There will not be an entry in the WildFire Web portal for these files.

Thanks

Not applicable

But doesn't the hash change if the file name changes?

L7 Applicator

Hello Mrsold,

The PAN firewall will check the content of the file to calculate the hash, not the file name. :smileyhappy: That is the reason that, even if you change the file name/extension, the PAN firewall will still identify the same threat.

Thanks

L3 Networker

In the same context, can anybody explain this behavior:

I am sometimes receiving 3 WildFire analysis reports for exactly the same file, same URL the file is residing on, same source and destination, but 3 different hashes.

Thank you

L5 Sessionator

They're repacking their malware file so it avoids signature matching security engines?
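An added illustration (not code from this thread or from Palo Alto Networks) of both points above: the verdict is keyed on the hash of the file content, so renaming does not change it, while a repacked copy with even one byte changed gets a new hash and must go through analysis again. The sample bytes, the file names and the SignatureStore model are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path):
    """Hash the file content in chunks; the file name never enters the digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_sample(directory, name, content):
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(content)
    return path

# Constructed stand-in for the executable in the thread; it is not real malware.
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed sample body"

def hashes_for_renamed_copies():
    """Same bytes under three names: every copy yields the identical digest."""
    with tempfile.TemporaryDirectory() as d:
        return [sha256_of_file(write_sample(d, n, SAMPLE))
                for n in ("file.exe", "file1.exe", "file.txt")]

class SignatureStore:
    """Toy model of a firewall that blocks on content hashes it holds signatures for."""
    def __init__(self):
        self.known_bad = set()

    def check(self, path):
        # "block" if the content hash matches a distributed signature, else "forward"
        return "block" if sha256_of_file(path) in self.known_bad else "forward"

def run_scenario():
    """0800: unknown, forwarded; 0830: signature arrives; 0900: renamed copy blocked."""
    store = SignatureStore()
    with tempfile.TemporaryDirectory() as d:
        first = write_sample(d, "file.exe", SAMPLE)
        at_0800 = store.check(first)                # hash unknown -> forwarded to cloud
        store.known_bad.add(sha256_of_file(first))  # 0830: signature for this hash arrives
        at_0900 = store.check(write_sample(d, "file1.exe", SAMPLE))  # same bytes, new name
        # a repacked copy (one byte differs) has a new hash and is forwarded again
        repacked = store.check(write_sample(d, "file2.exe", SAMPLE + b"\x01"))
    return at_0800, at_0900, repacked
```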
