File Analysis
Focus
Focus
Advanced WildFire

File Analysis

Table of Contents

File Analysis

Where Can I Use This?
What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • CN-Series
  • Advanced WildFire License
    For
    Prisma Access
    , this is usually included with your
    Prisma Access
    license.
A Palo Alto Networks firewall configured with a WildFire analysis profile forwards samples for Advanced WildFire analysis based on file type (including email links). Additionally, the firewall decodes files that have been encoded or compressed up to four times (such as files in ZIP format); if the decoded file matches Advanced WildFire Analysis profile criteria, the firewall forwards the decoded file for analysis.
The Advanced WildFire analysis capabilities can also be enabled on the firewall to provide inline antivirus protection. The Advanced WildFire inline ML option present in the Antivirus profiles enables the firewall dataplane to apply machine learning analysis on PE and ELF files as well as PowerShell scripts in real-time. Each inline ML model dynamically detects malicious files of a specific type by evaluating file details, including decoder fields and patterns, to formulate a high probability classification of a file. This protection extends to currently unknown as well as future variants of threats that match characteristics that Palo Alto Networks has identified as malicious. To keep up with the latest changes in the threat landscape, inline ML models are added or updated via content releases. See Advanced WildFire Inline ML for more information.
The Advanced WildFire cloud is also capable of analyzing certain file types which are used as secondary payloads as part of multi-stage PE, APK, and ELF malware packages. Analysis of secondary payloads can provide additional coverage to disrupt sophisticated attacks by advanced threats. These advanced threats operate by executing code which activate additional malicious payloads, including those designed to assist in the circumvention of security measures as well as facilitate proliferation of the primary payload. Advanced WildFire analyzes the multi-stage threats by processing them in static and dynamic analysis environments. Files referenced by multi-stage malware are treated independently during analysis; as a result, verdicts and protections are delivered as soon as they finish for each file. The overall verdict for the multi-stage file is determined based on a threat assessment of malicious content found in all analyzed stages of the attack. Any malicious content discovered during analysis of the multi-stage file immediately marks the file as malicious.
Organizations with safe-handling procedures for malicious content can manually submit password-protected samples using the RAR format through the API or WildFire portal. When the Advanced WildFire cloud receives a sample that has been encrypted using the password
infected
or
virus
, the Advanced WildFire cloud decrypts and analyzes the archive file. You can view the verdict and analysis results for the file in the format that it was received, in this case, an archive.
While the firewall can forward all the file types listed below, Advanced WildFire analysis support can vary depending on the Advanced WildFire cloud to which you are submitted samples. Review Advanced WildFire File Type Support to learn more.
File Types Supported for WildFire Forwarding
Description
apk
Android Application Package (APK) files.
DEX files contained within APK files are analyzed as part of the APK file analysis.
flash
Adobe Flash applets and Flash content embedded in web pages.
jar
Java applets (JAR/class files types).
ms-office
Files used by Microsoft Office, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), PowerPoint (PPT, PPTX) presentations, and Office Open XML (OOXML) 2007+ documents. Internet Query (IQY) and Symbolic Link (SLK) files are supported with content version 8462.
pe
Portable Executable (PE) files. PEs include executable files, object code, DLLs, FON (fonts), and LNK files. MSI files are supported with content version 8462. A subscription is not required to forward PE files for WildFire analysis, but is required for all other supported file types.
pdf
Portable Document Format (PDF) files.
MacOSX
Mach-O, DMG, and PKG files are supported with content version 599. You can also manually or programmatically submit all Mac OS X supported file types for analysis (including application bundles, for which the firewall does not support automatic forwarding).
email-link
HTTP/HTTPS links contained in SMTP and POP3 email messages. See Email Link Analysis.
archive
Roshal Archive (RAR) and 7-Zip (7z) archive files. Multi-volume archives are that are split into several smaller files cannot be submitted for analysis.
Only RAR files encrypted with the password
infected
or
virus
are decrypted and analyzed by the Advanced WildFire cloud.
While the firewall is capable of forwarding supported files contained within ZIP archives after it has been decoded, it cannot forward complete ZIP files in its encoded state. If you want to submit complete ZIP files, you can manually upload a ZIP file using the WildFire portal or through the WildFire API.
linux
Executable and Linkable Format (ELF) files.
script
Various script files.
  • Jscript (JS), VBScript (VBS), and PowerShell Scripts (PS1) are supported with content version 8101.
  • Batch (BAT) files are supported with content version 8168.
  • HTML Application (HTA) files are supported with content version 8229.

Recommended For You