WildFire not Blocking File with 'malicious' Verdict

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

WildFire not Blocking File with 'malicious' Verdict

L2 Linker

Hi,

I am playing in lab with wildfire and i would like to drop file downloads that are analyzed by wildfire as malicious verdict.

I have configured the follwong wildfire submission profile.

 

i created a wildfire profile (copy of the default)

admin@PA-220# show
wildfire {
rules {
default {
application any;
file-type any;
direction both;
analysis public-cloud;
}
}
}

 

I also create an antivirus profile to have an action of reset both for wildfire.

 

"Antivirus - WildFire" {
decoder {
http {
action reset-both;
wildfire-action reset-both;
}
smtp {
action default;
wildfire-action alert;
}
imap {
action default;
wildfire-action alert;
}
pop3 {
action default;
wildfire-action alert;
}
ftp {
action reset-both;
wildfire-action reset-both;
}
smb {
action default;
wildfire-action alert;
}
}
}

 

I have created a security policy with these secuirty profiles attached bot the malware test file from palo alto over http is still going through.

 

"OUTBOUND ACCESS POLICY" {
to UNTRUST;
from TRUST;
source any;
destination any;
source-user any;
category any;
application any;
service any;
hip-profiles any;
action allow;
profile-setting {
profiles {
url-filtering home-filter;
virus "Antivirus - WildFire";
spyware strict;
vulnerability strict;
wildfire-analysis wildfire;
}
}
}

The verdict is malicous bot the action i allowed.

 

Schermafbeelding 2018-03-06 om 17.20.14.png

 

Can somebody tell me what is misconfigure on my end?

 

Kind regards,

 

Frederik.

2 accepted solutions

Accepted Solutions

L7 Applicator

There are a couple things that are incorrect.

 

The first thing is, you are assuming that a Malicious verdict from WildFire on a file, means instantaneous Antivirus coverage. Once WildFire determines a sample is malicious, it sends it to PAN-AV, which generates a signature for the sample. This signature is then stacked, and is released every 5 minutes. You have to actually fetch the WildFire-Virus database to the firewall through Dynamic Updates for it to have the signature to detect files matching its pattern.

 

The second thing, is you are assuming WildFire would create an AV signature for the WildFire PE file, and that's not true. The WildFire PE file is only meant to test the WildFire forwarding (uploading sample to WildFire) and receiving back a report from WildFire, but it does not send the WildFire PE file to PAN-AV, so a signature is never generated for it.

View solution in original post

Hi Mivaldi,

 

 

Tnx for the update and that explains a lot 🙂

 

 

View solution in original post

2 REPLIES 2

L7 Applicator

There are a couple things that are incorrect.

 

The first thing is, you are assuming that a Malicious verdict from WildFire on a file, means instantaneous Antivirus coverage. Once WildFire determines a sample is malicious, it sends it to PAN-AV, which generates a signature for the sample. This signature is then stacked, and is released every 5 minutes. You have to actually fetch the WildFire-Virus database to the firewall through Dynamic Updates for it to have the signature to detect files matching its pattern.

 

The second thing, is you are assuming WildFire would create an AV signature for the WildFire PE file, and that's not true. The WildFire PE file is only meant to test the WildFire forwarding (uploading sample to WildFire) and receiving back a report from WildFire, but it does not send the WildFire PE file to PAN-AV, so a signature is never generated for it.

Hi Mivaldi,

 

 

Tnx for the update and that explains a lot 🙂

 

 

  • 2 accepted solutions
  • 21680 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!