For Prisma Access, this is usually included
with your Prisma Access license.
A Palo Alto Networks firewall configured with a WildFire analysis
profile forwards samples for Advanced WildFire analysis based on
file type (including email links). Additionally, the firewall decodes
files that have been encoded or compressed up to four times (such
as files in ZIP format); if the decoded file matches Advanced WildFire
Analysis profile criteria, the firewall forwards the decoded file
The Advanced WildFire analysis capabilities can also be enabled
on the firewall to provide inline antivirus protection. The Advanced
WildFire inline ML option present in the Antivirus profiles enables
the firewall dataplane to apply machine learning analysis on PE
and ELF files as well as PowerShell scripts in real-time. Each inline
ML model dynamically detects malicious files of a specific type
by evaluating file details, including decoder fields and patterns,
to formulate a high probability classification of a file. This protection
extends to currently unknown as well as future variants of threats
that match characteristics that Palo Alto Networks has identified
as malicious. To keep up with the latest changes in the threat landscape, inline
ML models are added or updated via content releases. See Advanced WildFire Inline ML for more
The Advanced WildFire cloud is also capable of analyzing certain
file types which are used as secondary payloads as part of multi-stage
PE, APK, and ELF malware packages. Analysis of secondary payloads
can provide additional coverage to disrupt sophisticated attacks
by advanced threats. These advanced threats operate by executing
code which activate additional malicious payloads, including those
designed to assist in the circumvention of security measures as
well as facilitate proliferation of the primary payload. Advanced
WildFire analyzes the multi-stage threats by processing them in
static and dynamic analysis environments. Files referenced by multi-stage
malware are treated independently during analysis; as a result,
verdicts and protections are delivered as soon as they finish for
each file. The overall verdict for the multi-stage file is determined
based on a threat assessment of malicious content found in all analyzed
stages of the attack. Any malicious content discovered during analysis
of the multi-stage file immediately marks the file as malicious.
Organizations with safe-handling procedures for malicious content
can manually submit password-protected samples using the RAR format through
the API or WildFire portal. When the Advanced WildFire cloud receives
a sample that has been encrypted using the password
the Advanced WildFire cloud decrypts and analyzes the archive file.
You can view the verdict and analysis results for the file in the
format that it was received, in this case, an archive.
While the firewall can forward all the file types listed below,
Advanced WildFire analysis support can vary depending on the Advanced
WildFire cloud to which you are submitted samples. Review Advanced
WildFire File Type Support to learn more.
File Types Supported
for WildFire Forwarding
Android Application Package (APK) files.
files contained within APK files are analyzed as part of the APK
Adobe Flash applets and Flash content embedded
in web pages.
Java applets (JAR/class files types).
Files used by Microsoft Office, including
documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), PowerPoint (PPT, PPTX)
presentations, and Office Open XML (OOXML) 2007+ documents. Internet
Query (IQY) and Symbolic Link (SLK) files are supported with content
Portable Executable (PE) files. PEs include
executable files, object code, DLLs, FON (fonts), and LNK files.
MSI files are supported with content version 8462. A subscription
is not required to forward PE files for WildFire analysis, but is required
for all other supported file types.
Portable Document Format (PDF) files.
Mach-O, DMG, and PKG files are supported
with content version 599. You can also manually or programmatically
submit all Mac OS X supported file types for analysis (including
application bundles, for which the firewall does not support automatic
Roshal Archive (RAR) and 7-Zip
(7z) archive files. Multi-volume archives are that are split into
several smaller files cannot be submitted for analysis.
RAR files encrypted with the password
decrypted and analyzed by the Advanced WildFire cloud.
the firewall is capable of forwarding supported files contained
within ZIP archives after it has been decoded, it cannot forward
complete ZIP files in its encoded state. If you want to submit complete
ZIP files, you can manually upload a ZIP file using the WildFire
portal or through the WildFire API.
Executable and Linkable Format
Various script files.
(JS), VBScript (VBS), and PowerShell Scripts (PS1) are supported
with content version 8101.
Batch (BAT) files are supported with content version 8168.
HTML Application (HTA) files are supported with content version