WildFire - What sort of hit rate do you see?

L4 Transporter

I enabled WildFire a month or so back.

I know it works as I download files regularly from the PAN "random wildfire test file" site and sure enough a little while later an alert pings in and it shows in the dashboard.

In production it seems that everything that my users download is either from trusted sources or has checksummed as clean - in theory this is a good thing and we are a corporate so I wouldn't expect people to be downloading "bad stuff", but I guess I almost expected to see a little more stuff being downloaded that would be sent to WildFire.

I wondered how everyone else finds the service and if there are any recommended ways to test it other than the Palo Alto test site?

L7 Applicator

I think you can trust that if the files all match the checksum they have been verified.

As a test you could create a brand new file and post this to a g-drive or Dropbox, then download it via your configured policies. Since you created the file yourself from scratch it would not be in any of the WildFire previous scans.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Not applicable

Last Thursday one of our firewalls had 26 WildFire submissions that were determined to be malware, all coming in through email. That is probably a record; some days it is just a few. Note these were all PE files. Seeing as nobody should really be getting executables through email, I decided to block them, which means less work for me. However, I would also still like to send them off to WildFire if possible so if they are bad it will help out all the other Palo users. I just posted a question on how to do that, if possible, in these forums.

It is really interesting to go to the VirusTotal link and see how many of the top AV products have detected what WildFire finds. It seems most of the AV products take a few days to detect something after WildFire has detected it for me. Not to mention I might then see 3 or 4 variants with the same file name but different MD5.

It will be interesting once I add Office docs and PDF files into the mix; I am just testing them now. I would be curious how many people using WildFire detect malware-infected Office and PDF docs.

L4 Transporter

That makes sense in our case, Mike. We don't use WildFire on inbound email, but we quarantine anything executable at the gateway.

I may try enabling WildFire on our inbound SMTP rule as that should catch some nasties.
