What's the difference between antivirus signatures and WildFire signatures

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What's the difference between antivirus signatures and WildFire signatures

L0 Member

Hi,

I'm trying to understand the difference between the antivirus signatures and WildFire signatures. To my understanding, antivirus signatures identify known malicious files based on the signatures in the antivirus database.

 

1- But what signatures does the WildFire database contain? are they signatures to identify supported file types that can be forwarded to the cloud or the private appliance? or are they signatures of newly identified malicious files that will eventually make it to the antivirus database?

2- and if they are signatures of newly identified malicious files, then why aren't they included in antivirus signatures database instead?

3- and why is the WildFire database file size relatively large, approximately 10% of the antivirus database file size?

 

Thanks,
Riad.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

 

sort of 😉 

WildFire content packages are about 8MB whereas AV packages are 101MB, but WildFire relies heavily on cloud connectivity:

AV uses signatures (markers in the payload) to identify threats directly in a flow whereas WildFire relies mostly on file hashes to see if a file was already processed by the online sandbox. If the verdict is already known (file already seen and inspected), the file can be let through or blocked based on the verdict. if the file has not been seen before wildfire will spring into action with some inline ML scanning of the file and uploading it to the sandbox for deeper analysis

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

1. wildfire offers faster identification of malicious files. many of the wildfire signatures will make it into the AV database, but those are released once or twice daily usually

2. because AV is not updates (once or twice daily) as frequently as wildfire (live)

3. because wildfire is also cloud connected and provides coverage for 0days whereas AV has a large database of currently active threats in the wild

 

the big difference between wildfire and AV is that WF protects against 0day and AV protects against all known active threats

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for your reply Tom.

Would it be fair to say that Antivirus signatures work against HTTP, HTTP2, FTP, SMB, and email protocols (POP3, IMAP, SMTP), where WildFire signatures work over a much larger set of App-IDs, which is why WildFire databases are relatively large? 

Thanks,
Riad.

Cyber Elite
Cyber Elite

 

sort of 😉 

WildFire content packages are about 8MB whereas AV packages are 101MB, but WildFire relies heavily on cloud connectivity:

AV uses signatures (markers in the payload) to identify threats directly in a flow whereas WildFire relies mostly on file hashes to see if a file was already processed by the online sandbox. If the verdict is already known (file already seen and inspected), the file can be let through or blocked based on the verdict. if the file has not been seen before wildfire will spring into action with some inline ML scanning of the file and uploading it to the sandbox for deeper analysis

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 accepted solution
  • 4179 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!