The Samples tab in the AutoFocus search editor displays all samples that match the conditions of the search. Click the column headers for the sample details to sort samples in ascending (up arrow) or descending (down arrow) order. By default, the most recently detected samples are displayed. You can choose to view only My Samples, only Public Samples, or All Samples. All Samples includes both public and private samples; however, private samples submitted by firewalls or sample sources other than those associated with your support account display with an obfuscated hash.
Set a default scope for search results to choose which samples are displayed immediately when you launch a search. Navigate to the AutoFocus portal Settings and select a Preferred Scope. You must click Save changes to save the new default scope.
To examine Sample Details, click the sample hash:
Lists the sample details and properties. The nested WildFire Dynamic Analysis section describes the sample’s observed behavior and lists each activity the sample performed when executed in the WildFire analysis environment. You can view sample details that WildFire detected in environments running different operating systems.
Select a method of viewing the WildFire dynamic analysis of the sample:
In Sequence and Tree view, you can see the activities that occurred in the operating system
Lists the tags the sample is associated with, and you can also add a new tag. (For details on tags and how tagging works, see AutoFocus Tags).
Make a sample Public to share the sample with other AutoFocus security experts. You can also revert the status of the sample to Private at any time.
Lists all sessions during which samples with the same SHA256 hash were detected. The sessions displayed are all WildFire sessions submitted from your Palo Alto Networks firewall or another Upload Source associated with your support account. Select a single session for session details. Click the File Analysis tab to navigate back to the sample details.
Lists the WildFire signatures that match the sample. Check signature coverage to assess the level of protection in place against malware. Depending on the sample, all or some of the following signature types provide coverage:
For each of these signature types, the date that WildFire created the signature is listed. You can toggle between daily, 15-minute, and 5-minute content updates to see the versions that included the signature. The first content version that included the signature is listed, as well as the last content version to include an update to the signature. The table also indicates whether the signature is included in the most current content version.
Lists Threat Indicators that AutoFocus detected in the sample’s WildFire analysis details. The list consists of only artifacts that AutoFocus considers indicators based on the tendency of the artifact to be seen predominantly in malware samples. AutoFocus uses a statistical algorithm to determine which artifacts are indicators.
Report as Incorrect
Click the link to submit the sample to the Palo Alto Networks threat team if you have any reason to believe the verdict is a false positive or a false negative. The threat team performs additional analysis on the sample to determine and verify the verdict.
Expand the Observed Behavior section to find the total number of activities that are Evidence of a specific behavior. Each behavior has an associated risk level, and you can expand a single behavior to see the matching sample activities. For each activity listed, the Type column indicates the activity category and the Value column includes activity artifacts that you can then add to a search.
Expand an activity section to see all of the sample activities that fall under it. For each activity artifact, the total number of times the artifact has been found with benign, grayware, and malware samples is listed.
Depending on the artifact, you can:
If an artifact is evidence of an observed behavior, the behavior risk level is indicated with this icon:
A gray icon indicates a low-risk behavior, a yellow icon indicates a medium-risk behavior, and a red icon indicates that the artifact is evidence of a high-risk or critical behavior.
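As an added example (not AutoFocus code, and not its actual statistical test), the following Python triage helper applies the idea behind the Threat Indicators and Observed Behavior sections above: an artifact is treated as an indicator when its sightings are predominantly with malware, and the result is ordered by the behavior risk icon. The Artifact class, the minimum-sightings threshold, the 0.9 prevalence cutoff and the sample activity rows are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Icon colours as documented above; high and critical share the red icon.
RISK_ICON = {"low": "gray", "medium": "yellow", "high": "red", "critical": "red"}
ICON_RANK = {"red": 3, "yellow": 2, "gray": 1, "none": 0}

@dataclass
class Artifact:
    activity_type: str          # the Type column (activity category)
    value: str                  # the Value column: what you would add to a search
    benign: int                 # sightings with benign samples
    grayware: int               # sightings with grayware samples
    malware: int                # sightings with malware samples
    risk: Optional[str] = None  # behavior risk level, if the artifact is evidence of one

def malware_prevalence(a: Artifact) -> float:
    """Share of all sightings of this artifact that were in malware samples."""
    total = a.benign + a.grayware + a.malware
    return a.malware / total if total else 0.0

def is_indicator(a: Artifact, min_total: int = 20, min_prevalence: float = 0.9) -> bool:
    """Assumed illustrative rule (not AutoFocus's undisclosed statistical test):
    enough sightings to be meaningful, and seen predominantly with malware."""
    total = a.benign + a.grayware + a.malware
    return total >= min_total and malware_prevalence(a) >= min_prevalence

def risk_icon(risk: Optional[str]) -> str:
    """Map a behavior risk level to the icon colour shown in the UI."""
    return "none" if risk is None else RISK_ICON[risk]

def triage(artifacts: List[Artifact]) -> List[Tuple[str, str, float]]:
    """Keep indicators only; red-icon behaviors first, then by malware prevalence."""
    rows = [(a.value, risk_icon(a.risk), round(malware_prevalence(a), 3))
            for a in artifacts if is_indicator(a)]
    return sorted(rows, key=lambda r: (-ICON_RANK[r[1]], -r[2]))

# Constructed sample activities (not real AutoFocus data); all counts are made up.
SAMPLE_ACTIVITIES = [
    Artifact("file", "C:\\Windows\\System32\\kernel32.dll", 120000, 9000, 30000),
    Artifact("mutex", "Global\\sample-mutex-7f3a", 0, 2, 48, "high"),
    Artifact("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", 3, 5, 92, "medium"),
    Artifact("dns", "c2.example.invalid", 0, 0, 4, "critical"),  # too few sightings
    Artifact("network", "tcp/443 to 198.51.100.7", 10, 10, 80, "low"),  # not predominantly malware
]

if __name__ == "__main__":
    for value, icon, prevalence in triage(SAMPLE_ACTIVITIES):
        print(f"{icon:6} {prevalence:.3f} {value}")
```

The common kernel32.dll load and the low-prevalence network artifact drop out even though they appear in many malware samples, which is the point of weighing an artifact by its skew toward malware rather than by raw malware count.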