12-31-2013 12:46 PM
Hopefully a quick question - is there any way to determine whether an executable has been blocked because it was a WildFire-derived signature (for paying customers)? It may be obvious when it happens, but hard to know if it has etc.
Would like to be able to correlate the protection afforded by the service by providing a discrete count of executables blocked, and report them separately from 'normal' AV blocks.
Thanks
12-31-2013 01:32 PM
Can you please try querying for (subtype eq wildfire) in the threat logs
12-31-2013 04:27 PM
Hi APackard,
Or you can go for an ID between 3 and 4 million in a report. Remembering that WildFire signatures will end up in the regular AV ID range (between 2 and 3 million - well 299999 to be precise) once processed for customers with a threat license.
Good Luck!
01-02-2014 12:05 AM
Please take a look into PAN 5.0.10 fixes:
57763 - When WildFire Action was configured as "default(Block)" in Antivirus profile, block action didn't take effect as the default action was not configured internally. The workaround is to configure WildFire Action as "Block" instead of "default(Block)".
Probably your device didn't block any of the files...
Regards
SLawek
01-08-2014 08:37 AM
Thanks all, I'll check these out once I've got enough historical data with a 'paid-for' WildFire service to validate the results.
One other related question - is there, or is there a plan, to annotate the WildFire report with an attribute (or similar) as to the resultant signature? E.g. if I log on to my portal and check a report after a couple of hours, it'll tell me which WildFire update will protect against a repeat download?
Thanks
01-08-2014 09:25 AM
Hello Apackard,
As soon as the threat is identified in WildFire, with the subscription license in place on the device and automatic scheduled updates set (let's say an hour), the firewall would get the new WildFire version in the next hour. Now any further attempt of such threat traffic on the device is logged in the WildFire logs and Threat logs. A simple search for threats in the range (3 to 4 million) would give the results of the new threats being controlled.
The same threat will be pushed in next day updates through Antivirus content for other users who do not have wildfire license. Now from here on no more of the wildfire threat logs would be seen as from now it would be filed as antivirus threat.
Hope this helps!
Thanks
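The counting described in the thread (WildFire-derived blocks in the 3 to 4 million threat-ID range or with subtype wildfire, regular AV blocks in the 2 to 3 million range), as an added example that is not code from the original thread or from Palo Alto Networks. The log layout, field order and sample lines below are constructed for the example and are not the exact PAN-OS threat log format.

```python
import re
from collections import Counter

# Threat-ID ranges as stated in the thread: WildFire signatures live in
# 3,000,000-3,999,999; regular antivirus content uses 2,000,000-2,999,999.
WILDFIRE_RANGE = range(3_000_000, 4_000_000)
AV_RANGE = range(2_000_000, 3_000_000)

# Constructed sample lines in a hypothetical simplified layout:
#   <time>,THREAT,<subtype>,<action>,<threat name>(<threat id>)
SAMPLE_LOG = """\
2014/01/08 09:00:01,THREAT,wildfire,block,Virus/Win32.WGeneric.abc(3123456)
2014/01/08 09:05:14,THREAT,virus,block,Virus/Win32.Sality.x(2212345)
2014/01/08 09:07:42,THREAT,virus,block,Virus/Win32.WGeneric.abc(2899999)
2014/01/08 09:12:00,THREAT,wildfire,alert,Virus/Win32.WGeneric.def(3123457)
2014/01/08 09:15:30,THREAT,vulnerability,reset-both,HTTP Bad Request(30003)
"""

LINE_RE = re.compile(
    r"^(?P<time>[^,]+),THREAT,(?P<subtype>[^,]+),(?P<action>[^,]+),"
    r"(?P<name>.*)\((?P<tid>\d+)\)$"
)


def classify(subtype, threat_id):
    """Return 'wildfire', 'antivirus' or 'other' for one threat log entry.

    Either the explicit subtype or the 3-4 million ID range marks a
    WildFire-derived signature.  The 2-3 million range is regular AV content,
    which is where a WildFire signature lands after the daily AV release.
    """
    if subtype == "wildfire" or threat_id in WILDFIRE_RANGE:
        return "wildfire"
    if subtype == "virus" or threat_id in AV_RANGE:
        return "antivirus"
    return "other"


def count_blocks(log_text):
    """Count blocked entries per signature source; alert-only lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "block":
            continue
        counts[classify(m["subtype"], int(m["tid"]))] += 1
    return dict(counts)
```

Running `count_blocks(SAMPLE_LOG)` on the constructed lines yields one WildFire block and two antivirus blocks; the alert-only WildFire line is not counted as a block.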
09-26-2014 09:45 AM
James@PANW wrote:
Hi APackard,
Or you can go for an ID between 3 and 4 million in a report. Remembering that WildFire signatures will end up in the regular AV ID range (between 2 and 3 million - well 299999 to be precise) once processed for customers with a threat license.
Good Luck!
Just for clarification on my part. A threat ID'd by WildFire in the 3mil+ range is changed to a regular threat value after it's rolled into the standard 24-hour update?