02-23-2016 05:55 AM
For every wildfire-virus signature tripped in Threat logs, should I expect to receive a corresponding WildFire report in the WildFire Submissions too?
Could someone answer or point me to documentation please.
02-23-2016 08:11 AM - edited 02-23-2016 08:19 AM
@lewis in the threat log, if you're seeing "wildfire-virus" as a type, I don't think you're gonna see a submission report. That log type just means, as I understand it, that somewhere in the "WildFire network" the communications stream/file was seen and was determined to be malicious. So that signature was added at some point to the threat subscription you have.
So it wasn't necessarily a WildFire submission in your environment which created the original signature, and as such you wouldn't see a report.
"WildFire—Provides near real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threat update"
Under "Threat Logs", the documentation describes the log types like this:
"wildfire—A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
wildfire-virus—Virus detected via an Antivirus profile."
So yeah, one will have the report, one won't.
02-23-2016 10:06 AM
I guess what is confusing for me is that when we have WF submissions and a wildfire-virus signature is available, we typically see a 1:1 correlation. But earlier today I noticed we had about 200 wildfire-virus signatures tripped in the threat logs but no WF submissions related to these.
02-23-2016 12:16 PM
Hi Lewis and Brandon,
Brandon is correct. Let me clarify it a bit more: wildfire-virus in threat logs means that the threat was identified with a signature that is coming from your WildFire updates. This signature was created based on a submission to the cloud of the file, where it received the verdict "malicious". That triggered two actions: sending back a report to the device that submitted it, and creating a signature to be distributed to all those who enjoy the benefits of the WildFire subscription. The file could have been uploaded by anyone; you will get a WildFire report only if you were the submitter.
Regular "virus" as a sub-type means the definition was found in AV updates; "wildfire-virus" means the definition is found in WildFire updates. Those databases are not the same. WildFire subscribers should get the signature in less than an hour, usually under half an hour, or even sooner from the private cloud (WF-500, the appliance with local sandboxing).
If you check your WildFire Submissions log and the file isn't there, then you didn't submit it, someone else did. If you have an AutoFocus subscription, you can use the SHA-256 of that file (or some other details to search by) and still learn plenty of details that would otherwise be available only in the WildFire Report and to the original submitter. Those are anonymised from the submitter's perspective: you will not have insight into the attacked party, just the attacker's information, but that is all that matters anyhow.
Some intelligence comes from third parties, or their submitters chose not to share details of reports, so not all files can be checked in AutoFocus, but plenty can be found and more details on the particular threat learned. This is very handy for those that need extended information on the threat landscape, IMHO.
Hope this sheds some more light onto your question and that I still helped a bit 🙂
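The rule Lucky describes (a report exists only for files this firewall itself submitted, and a "wildfire-virus" hit alone does not imply a submission) can be applied mechanically when triaging the two logs. The script below is an added example, not code from this thread or from Palo Alto Networks; the log rows are constructed dicts with simplified field names (subtype, src, sha256), and matching a threat row to a submission on (src, sha256) is an assumption, not the PAN-OS export layout.

```python
from collections import Counter

# Constructed sample threat-log rows; subtype values follow the PAN-OS
# threat-log documentation quoted earlier in the thread. Field names are
# simplified and do not reproduce the real PAN-OS CSV column layout.
THREAT_LOG = [
    {"subtype": "wildfire-virus", "src": "22.214.171.124", "sha256": "a1" * 32},
    {"subtype": "wildfire",       "src": "22.214.171.124", "sha256": "a1" * 32},
    {"subtype": "wildfire-virus", "src": "126.96.36.199",  "sha256": "b2" * 32},
    {"subtype": "wildfire-virus", "src": "126.96.36.199",  "sha256": "c3" * 32},
    {"subtype": "virus",          "src": "203.0.113.9",    "sha256": "d4" * 32},
]
# Constructed WildFire Submissions rows: only files *this* firewall forwarded.
SUBMISSIONS = [
    {"src": "22.214.171.124", "sha256": "a1" * 32, "verdict": "malicious"},
]


def expectation(row, submitted):
    """Say whether a WildFire report should exist for one threat-log row."""
    key = (row["src"], row["sha256"])  # assumed join key, see lead-in
    if row["subtype"] == "wildfire":
        # Verdict logged for our own submission: a report must be present.
        return "report-expected" if key in submitted else "REPORT-MISSING"
    if row["subtype"] == "wildfire-virus":
        # Signature arrived via WildFire updates. The file may have been
        # submitted by any subscriber; a report exists only if it was us.
        return "report-expected" if key in submitted else "no-report-other-submitter"
    # Plain "virus": signature from the AV update package, no sandbox report.
    return "no-report-av-signature"


def triage(threat_log, submissions):
    """Annotate every threat-log row with the expectation above."""
    submitted = {(s["src"], s["sha256"]) for s in submissions}
    return [(r["subtype"], r["src"], expectation(r, submitted)) for r in threat_log]


def summarize(threat_log, submissions):
    """Count rows per expectation so a burst of wildfire-virus hits with no
    submissions shows up as 'no-report-other-submitter', not as an anomaly."""
    return Counter(status for _, _, status in triage(threat_log, submissions))


if __name__ == "__main__":
    for subtype, src, status in triage(THREAT_LOG, SUBMISSIONS):
        print(f"{subtype:15} {src:16} {status}")
    print(dict(summarize(THREAT_LOG, SUBMISSIONS)))
```

Only the "REPORT-MISSING" bucket (a "wildfire" verdict row with no matching submission) points at a real gap; everything else is consistent with the behaviour described in this thread.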
02-26-2016 05:30 AM
Thanks Lucky. I understand what you are saying, but I guess I am just seeing a bunch of inconsistencies. What I am observing is related to malicious SMTP traffic. In my screenshots below you will see IP 22.214.171.124 in the WF submission log and a corresponding wf-virus signature in the threat log, as there happens to be a wf-virus sig in this case. That has been what we have grown to expect since using WF. Also in the screenshots you will see IP 126.96.36.199 in the threat log tripping wf-virus signatures but no WF submissions. I am fine with no WF report if a wf-virus is tripped, but the inconsistency is what has me puzzled.