Transition Antivirus Profiles Safely to Best Practices
Apply Antivirus profiles to allow rules to protect against
viruses and malware without risking application availability.
The following guidance helps determine whether to start with block or alert actions
when you clone the default Antivirus profile and modify it to define the
initial profiles and begin the transition to best practice profiles.
Antivirus requires an Advanced Threat Prevention or active legacy Threat Prevention
To identify and prevent threats,
the firewall must have visibility into application traffic. Decrypt as much traffic
as local regulations, business considerations, privacy considerations,
and technical ability allow. If you don’t decrypt traffic, the firewall
can’t analyze encrypted headers and payload information.
In addition, follow Threats Content Update best
practices to ensure that your Security profile signatures are up
Set the initial action to alert to ensure
application availability. However, in some situations you can block Antivirus
signatures from the start. For example, when you’re already protecting similar
applications with an Antivirus profile and you’re confident the profile meets
your business and security needs, you can use a similar profile to protect
similar applications because you already understand what you’re blocking.
The alert action enables you to analyze Threat logs and create exceptions when
necessary before moving to a block action. Alerting and monitoring before moving
to blocking gives you
The profile won’t block business-critical applications when you
You create necessary exceptions as you transition to the blocking
state to maintain application availability.
Keep the length of time you maintain the initial alert action to a minimum to
reduce the chance of a security incident. Transition to the best practice
state as soon as you’re comfortable you’ve identified any exceptions you
need to make and configure the profile accordingly.
Critical and high severity signatures—It’s safe to deploy best practices Antivirus
profiles to block malicious traffic for applications that aren’t critical to your
business right away because false positives are rare, so unnecessary blocking rarely
If you treat internal applications differently than external applications, you might need an
Antivirus profile for internet-facing traffic and another Antivirus profile for
Enable real-time signature lookup globally on the device and in the Antivirus
profile to hold files until the firewall receives the latest real-time antivirus
signature from the cloud:
Holding files to ensure that WildFire gets the latest antivirus signatures
protects you from zero-day malware and outdated antivirus signatures that you
might be exposed to if you forward files without holding them for the latest
WildFire Action settings in the Antivirus profile might impact traffic if the traffic generates a
WildFire signature that results in a reset or drop action.
When you have the initial profiles in place, monitor the Threat logs for enough time to gain
confidence that you understand whether any business-critical applications cause alerts
or blocks. Also monitor the WildFire Submissions logs for enough time to gain
confidence that you understand whether any
business-critical applications cause alerts or blocks due to the Antivirus profile
WildFire Action. Create exceptions (open a support ticket if necessary) in each profile
as needed to remediate any confirmed false positives before you implement full
best-practice Antivirus profiles. The speed of your transition to best practices
profiles depends on your business, applications, and comfort level—be aware that some
applications are only used weekly, monthly, quarterly, or yearly for audits, periodic
events and meetings, etc.
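The review described above, as an added example that is not part of this document or of PAN-OS: a Python script that groups antivirus alerts from the monitoring window by application and threat, separates confirmed false positives (the exceptions you would create) from alerts still to be analyzed, and refuses to call the profile ready for the block action while any business-critical application is used less often than the window you have monitored. The log records, the application usage cadences and the `erp-upload` and `quarterly-audit-tool` names are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample Threat log records (not real PAN-OS output); only the
# application and threat columns are kept. "web-browsing" and "ftp" are real
# App-IDs, "erp-upload" is a constructed name for an internal application.
SAMPLE_ALERTS = [
    {"app": "web-browsing", "threat": "Virus/Win32.Sample.A"},
    {"app": "web-browsing", "threat": "Virus/Win32.Sample.A"},
    {"app": "erp-upload", "threat": "Virus/Generic.Sample.B"},
    {"app": "ftp", "threat": "Virus/Win32.Sample.A"},
]

# Business-critical applications mapped to how often they are used, in days
# (constructed: the audit tool only generates traffic once a quarter).
CRITICAL_APPS = {"erp-upload": 30, "quarterly-audit-tool": 90}


def summarize(alerts):
    """Count alerts per (application, threat) pair."""
    counts = defaultdict(int)
    for record in alerts:
        counts[(record["app"], record["threat"])] += 1
    return dict(counts)


def review_transition(alerts, critical_apps, window_start, window_end, confirmed_fp=()):
    """Decide whether an Antivirus profile can move from alert to block.

    window_start/window_end are ISO dates bounding the monitoring period;
    confirmed_fp holds (app, threat) pairs already verified as false positives.
    """
    window_days = (date.fromisoformat(window_end) - date.fromisoformat(window_start)).days
    hits = summarize(alerts)
    # Only alerts on business-critical applications put availability at risk.
    critical_hits = [key for key in hits if key[0] in critical_apps]
    exceptions = sorted(key for key in critical_hits if key in confirmed_fp)
    unreviewed = sorted(key for key in critical_hits if key not in confirmed_fp)
    # An application used less often than the window is long may not have been
    # exercised yet, so its alerts (if any) have not had a chance to appear.
    uncovered = sorted(app for app, cadence in critical_apps.items() if cadence > window_days)
    return {
        "exceptions": exceptions,
        "unreviewed": unreviewed,
        "uncovered_apps": uncovered,
        "ready_to_block": not unreviewed and not uncovered,
    }


if __name__ == "__main__":
    print(review_transition(SAMPLE_ALERTS, CRITICAL_APPS, "2024-05-01", "2024-05-31"))
```

Extending the window past the longest usage cadence and passing the verified false positives in `confirmed_fp` is what flips `ready_to_block` to True.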