Signature Coverage for Samples
Table of Contents
Expand all | Collapse all
-
- New Features October 2020
- New Features September 2020
- New Features: August 2020
- New Features: April 2020
- New Features: November 2019
- New Features: May 2019
- New Features: March 2019
- New Features: February 2019
- New Features: November 2018
- New Features: October 2018
- New Features: September 2018
- New Features: August 2018
- New Features: July 2018
- New Features: June 2018
Signature Coverage for Samples
WildFire® generates signatures to identify
newly-discovered malware and distributes these signatures to Palo
Alto Networks® firewalls. The firewalls compare incoming traffic
against WildFire signatures to protect against known malware. Now,
when viewing details for a specific sample in AutoFocus™, you can
find the WildFire signatures that the sample triggers. You can check
signature coverage to assess the level of protection in place for
malware.
- Perform an AutoFocus search and view the samples matched to your search.
- Select a specific sample hash to view sample details and then selectCoverage:
- Review the signatures that match the sample:Depending on the sample, all or some of the following signature types provide coverage:1:WildFire AV Signatures—WildFire antivirus signatures identify malicious files. Examples of malware for which antivirus signatures provide protection include viruses, worms, Trojans, and spyware downloads.2:C2 Domain Signatures—Command and control (C2) domain signatures identify malicious domains that the sample attempted to resolve to when executed in the WildFire analysis environment.3:Download Domain Signatures—Download domain signatures identify domains that host malware (and from which the sample was downloaded).4:URLs—URLs the sample visited when executed in the WildFire analysis environment, and the PAN-DB categorization for each URL.5:Signature Dates and Content Versions—WildFire antivirus, C2 domain, and download domain signatures also include the following information:
- Create Date—The date WildFire created the signatures (depending on the WildFire updates schedule configured on the firewall, the firewall could have retrieved this signature within 5 minutes of the creation date).
- Content Versions—Signatures are packaged in content updates and made available for Palo Alto Networks firewalls to automatically download and install. The available content updates and the frequency the firewall can get the latest updates depend on the subscriptions you have.
- Check the content versions which included the signature. The content versions vary depending on whether the signature was distributed as part of adaily,15 min, or5 minsignature update.
- For example, if the firewall retrieves WildFire signatures as part of the daily Antivirus content updates, selectdailyto see the content version that included the signature. If the firewall has a WildFire license and gets WildFire 5-minute updates, select5 minto view the content version that included the signature.
- Check theFirstcontent version that included the signature, and theLastcontent version to include an update to the signature.
- Check whether the signature is included in the mostCurrentcontent version.