01-13-2021 02:54 PM
So just to start off, there's a whole lot here that can affect how effective WildFire is. There's a lot of local configuration that can determine whether or not the firewall actually has full visibility into the traffic, along with profile actions that need to all be configured correctly. So first things first, if it isn't work as you expect I would have someone like your SE or TAC look over your configuration and make sure you actually have everything setup properly.
We realised that WF detects files that have been downloaded and categorized as malware can continue to be downloaded for a long time, this behavior is not the expected, which indicates that once it is categorized as malware, the signatures are automatically updated in a short time and the next time it can no longer be downloaded.
A malicious verdict does not instantly mean coverage. When WildFire determines a sample is malicious it sends it for a signature, and then those signatures are stacked and released every minute. Your local firewall is only going to refresh these signatures as often as you've told it to under dynamic updates.
We also do not understand how a file (being malicious) can be downloaded the first time.
I'm going to assume that you're talking about a post download analysis verdict. When the download takes place the WildFire analysis profile you have assigned to the security rulebase entry allowing the traffic is going to upload it for analysis. If the WildFire sandbox find that file to be malicious, it retrieves the verdict and notes that in the logs. That simply means that it didn't match any of the WildFire signatures, so it was only known to be malicious once it was detonated in the sandbox environment.
This document does a fairly good job describing what actually happens.
