Signature Coverage for Samples

WildFire® generates signatures to identify newly-discovered malware and distributes these signatures to Palo Alto Networks® firewalls. The firewalls compare incoming traffic against WildFire signatures to protect against known malware. Now, when viewing details for a specific sample in AutoFocus™, you can find the WildFire signatures that the sample triggers. You can check signature coverage to assess the level of protection in place for malware.
  1. Perform an AutoFocus search and view the samples matched to your search.
  2. Select a specific sample hash to view sample details and then select Coverage.
  3. Review the signatures that match the sample:
    Depending on the sample, all or some of the following signature types provide coverage:
    1. WildFire AV Signatures—WildFire antivirus signatures identify malicious files. Examples of malware for which antivirus signatures provide protection include viruses, worms, Trojans, and spyware downloads.
    2. C2 Domain Signatures—Command and control (C2) domain signatures identify malicious domains that the sample attempted to resolve to when executed in the WildFire analysis environment.
    3. Download Domain Signatures—Download domain signatures identify domains that host malware (and from which the sample was downloaded).
    4. URLs—URLs the sample visited when executed in the WildFire analysis environment, and the PAN-DB categorization for each URL.
    5. Signature Dates and Content Versions—WildFire antivirus, C2 domain, and download domain signatures also include the following information:
    • Create Date—The date WildFire created the signatures (depending on the WildFire updates schedule configured on the firewall, the firewall could have retrieved this signature within 5 minutes of the creation date).
    • Content Versions—Signatures are packaged in content updates and made available for Palo Alto Networks firewalls to automatically download and install. The available content updates and the frequency the firewall can get the latest updates depend on the subscriptions you have.
    • Check the content versions which included the signature. The content versions vary depending on whether the signature was distributed as part of a daily, 15 min, or 5 min signature update.
    • For example, if the firewall retrieves WildFire signatures as part of the daily Antivirus content updates, select daily to see the content version that included the signature. If the firewall has a WildFire license and gets WildFire 5-minute updates, select 5 min to view the content version that included the signature.
    • Check the First content version that included the signature, and the Last content version to include an update to the signature.
    • Check whether the signature is included in the most Current content version.
