06-18-2014 06:12 AM
Have a question about the functionality of WildFire. Here is the scenario (assume we have a WildFire subscription so we are getting updates every 30 minutes):
Will the PA stop that user from downloading that file?
06-18-2014 07:37 AM
Hello Mrsold,
Yes, PA should stop that user from downloading that file.
A bit more info for your reference:
WildFire >>>>>>> Page no 2 (How Does WildFire Work?)
The new signature will be distributed within 30-60 minutes to all Palo Alto Networks firewalls equipped with a WildFire subscription, or the following day as part of the antivirus update for firewalls equipped with a Threat Prevention subscription only.
NOTE: For continue or continue-and-forward, you can only choose the application web-browsing. If you choose any other application, traffic that matches the security policy will not flow through the firewall, because the users will not be prompted with a continue page.
Hope this helps.
Thanks
06-18-2014 08:38 AM
Thanks Hulk.
So I'm assuming the hash associated with "file.exe" is hashed and subsequently blocked by WildFire / Threat Prevention - obviously if that same malware were to be packaged in a different exe, say "file1.exe" the process would have to start over...
-Mike
06-18-2014 08:58 AM
Hello Mike,
PAN will check the hash of that file, hence it does not matter what file name it is (file.exe or file1.exe).
A bit more info:
To verify whether any files have been forwarded to the server, enter the following command:
> show wildfire status
Connection info:
Wildfire cloud: default cloud
Status: Idle
Best server: va-s1.wildfire.paloaltonetworks.com
Device registered: yes
Service route IP address: 192.168.1.1
Signature verification: enable
Server selection: enable
Through a proxy: no
Forwarding info:
file size limit (MB): 2
file idle time out (second): 90
total file forwarded: 0 >>>>>>>>>
forwarding rate (per minute): 0
concurrent files: 0
The total file forwarded counter will provide the number of files being forwarded to the server. Data filtering logs can be used to check the status of the file. Here are the three actions available:
Action-1: Forward, but no wildfire-upload-success or wildfire-upload-skip: this means the file is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. Below is an explanation of the different status possibilities.
Forward - Data plane detected a PE (Potentially Executable) file on a WildFire-enabled policy. The PE file is buffered in the management plane.
If only forward is displayed for a specific file, it is either signed by a trusted file signer, or it is a benign sample that the cloud has already seen. In either case, no further action is performed on the file, and no further information is sent to the cloud (not even session information is sent for previously seen benign files). There will not be an entry in the WildFire Web portal for these files.
Thanks
06-18-2014 09:18 AM
But doesn't the hash change if the file name changes?
06-18-2014 09:41 AM
Hello Mrsold,
The PAN firewall will check the content of the file to calculate the hash, not the file name. That is the reason that, even if you change the file name/extension, the PAN firewall will still identify the same threat.
Thanks
10-08-2014 09:02 AM
In the same context, can anybody explain this behavior:
I am sometimes receiving 3 WildFire analysis reports for exactly the same file, same URL the file is residing on, same source and destination, but 3 different hashes.
Thank you
10-22-2014 03:57 AM
They're repacking their malware file so it avoids signature matching security engines?
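The two points made in this thread, that the verdict is keyed by a hash of the file content rather than its name, and that a repacked copy of the same malware produces a new hash and therefore a fresh analysis, as a small added model written for this page (not Palo Alto Networks code, and not a real signature format). The file contents, the hash-set lookup and the verdict strings are constructed assumptions; the 2 MB limit is taken from the show wildfire status output above.

```python
import hashlib

# Constructed sample byte strings standing in for files; not real executables or malware.
ORIGINAL = b"MZ-constructed-sample-payload-v1"
REPACKED = b"MZ-constructed-sample-payload-v1-repacked-with-a-different-packer"
KNOWN_GOOD = b"MZ-constructed-benign-installer"

SIZE_LIMIT_MB = 2  # "file size limit (MB): 2" from the show wildfire status output

def sha256_hex(data: bytes) -> str:
    """Hash the file content only; the file name plays no part in the digest."""
    return hashlib.sha256(data).hexdigest()

def classify(data: bytes, malicious_hashes: set, benign_hashes: set) -> str:
    """Model of the decision path described in the thread (assumed, simplified):
    - over the forwarding size limit: the file is not forwarded at all
    - hash matches a distributed WildFire/AV signature: blocked
    - hash already seen as benign: logged as forward only, nothing uploaded
    - unknown hash: forwarded and uploaded to the cloud for analysis
    """
    if len(data) > SIZE_LIMIT_MB * 1024 * 1024:
        return "not-forwarded (size limit)"
    digest = sha256_hex(data)
    if digest in malicious_hashes:
        return "blocked"
    if digest in benign_hashes:
        return "forward (benign, already seen)"
    return "forward + wildfire-upload-success"

def verdicts() -> dict:
    """Verdict per constructed file after ORIGINAL has been analysed once."""
    malicious = {sha256_hex(ORIGINAL)}   # signature distributed after first analysis
    benign = {sha256_hex(KNOWN_GOOD)}
    files = {
        "file.exe": ORIGINAL,             # original sample
        "file1.exe": ORIGINAL,            # identical bytes, only the name changed
        "setup.exe": KNOWN_GOOD,
        "file.exe (repacked)": REPACKED,  # same malware, new packer => new hash
        "big.exe": b"\x00" * (3 * 1024 * 1024),
    }
    return {name: classify(data, malicious, benign) for name, data in files.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:22} {verdict}")
```

The renamed copy is blocked by the same hash as the original, while the repacked copy misses the signature set and starts the forward-and-analyse cycle again, which is the behaviour behind the three different hashes for "the same" file reported above.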