AutoFocus™ What's New Guide
    : Signature Coverage for Samples
    Focus
    Download PDF
    Focus
    1. Home
    2. AutoFocus
    3. AutoFocus™ What's New Guide
    4. AutoFocus Release History
    5. New Features: March 2016
    6. Signature Coverage for Samples
    Download PDF

    AutoFocus™ What's New Guide

    Signature Coverage for Samples

    Table of Contents

    Signature Coverage for Samples

    WildFire® generates signatures to identify newly-discovered malware and distributes these signatures to Palo Alto Networks® firewalls. The firewalls compare incoming traffic against WildFire signatures to protect against known malware. Now, when viewing details for a specific sample in AutoFocus™, you can find the WildFire signatures that the sample triggers. You can check signature coverage to assess the level of protection in place for malware.
    1. Perform an AutoFocus search and view the samples matched to your search.
    2. Select a specific sample hash to view sample details and then select
      Coverage
      :
    3. Review the signatures that match the sample:
      Depending on the sample, all or some of the following signature types provide coverage:
      1:
      WildFire AV Signatures
      —WildFire antivirus signatures identify malicious files. Examples of malware for which antivirus signatures provide protection include viruses, worms, Trojans, and spyware downloads.
      2:
      C2 Domain Signatures
      —Command and control (C2) domain signatures identify malicious domains that the sample attempted to resolve to when executed in the WildFire analysis environment.
      3:
      Download Domain Signatures
      —Download domain signatures identify domains that host malware (and from which the sample was downloaded).
      4:
      URLs
      —URLs the sample visited when executed in the WildFire analysis environment, and the PAN-DB categorization for each URL.
      5:
      Signature Dates and Content Versions
      —WildFire antivirus, C2 domain, and download domain signatures also include the following information:
      • Create Date
        —The date WildFire created the signatures (depending on the WildFire updates schedule configured on the firewall, the firewall could have retrieved this signature within 5 minutes of the creation date).
      • Content Versions
        —Signatures are packaged in content updates and made available for Palo Alto Networks firewalls to automatically download and install. The available content updates and the frequency the firewall can get the latest updates depend on the subscriptions you have.
      • Check the content versions which included the signature. The content versions vary depending on whether the signature was distributed as part of a
        daily
        ,
        15 min
        , or
        5 min
         signature update.
      • For example, if the firewall retrieves WildFire signatures as part of the daily Antivirus content updates, select
        daily
         to see the content version that included the signature. If the firewall has a WildFire license and gets WildFire 5-minute updates, select
        5 min
         to view the content version that included the signature.
      • Check the
        First
         content version that included the signature, and the
        Last
         content version to include an update to the signature.
      • Check whether the signature is included in the most
        Current
         content version.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.