Advanced WildFire reproduces a variety of analysis environments,
including the operating system, to identify malicious behaviors
within samples. Depending on the characteristics and features of
the sample, multiple analysis environments may be used to determine
the nature of the file. Advanced WildFire first applies static
analysis with machine learning to determine whether a sample is
known malware or a variant of known malware. Based on that initial
verdict, samples that are still unknown are sent to one or more
dynamic analysis environments, which inspect the file in greater
detail and extract additional information and indicators from its
runtime behavior. If the file has been obfuscated using custom or
open source methods, the Advanced WildFire cloud decompresses and
decrypts it in memory within the dynamic analysis environment and
then runs static analysis on the unpacked content. During dynamic
analysis, Advanced WildFire observes the file as it would behave
when executed on a client system and looks for signs of malicious
activity, such as changes to browser security settings, injection
of code into other processes, modification of files in operating
system folders, or attempts by the sample to reach malicious
domains. Additionally, PCAPs captured during dynamic analysis in the
Advanced WildFire cloud undergo deep inspection and are used to
build network activity profiles. Because a profile describes
network behavior rather than one specific file, a profile derived
from one sample can match many samples (a one-to-many profile
match), so network traffic profiles detect both known malware and
previously unknown variants that exhibit the same network behavior.
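The following Python is an added, illustrative model of the two mechanisms described above (behavioral indicators collected during dynamic analysis, and a one-to-many match of a sample's network activity profile against profiles of known malware). It is not WildFire's code and makes no claim about how the Advanced WildFire cloud scores samples internally: the event schema, indicator weights, thresholds, blocklisted domains and the `FamilyA` profile are all constructed for the example.

```python
import re
from collections import Counter

# --- behavioral indicators (hypothetical weights and thresholds) -----------
INDICATOR_WEIGHTS = {
    "browser_setting_change": 2,
    "process_injection": 4,
    "system_folder_write": 3,
    "known_bad_domain": 4,
}
MALICIOUS_THRESHOLD = 5                       # assumed cut-off for the example
SYSTEM_FOLDERS = ("C:\\Windows\\", "C:\\Program Files\\")
BROWSER_SETTING_KEYS = ("HKCU\\Software\\Microsoft\\Internet Explorer\\Zones\\",)
BAD_DOMAINS = {"update-check.example-bad.net", "cdn.example-c2.org"}  # constructed


def classify_event(event):
    """Map one sandbox event to an indicator name, or None if it looks benign."""
    kind = event["type"]
    if kind == "registry_write" and event["key"].startswith(BROWSER_SETTING_KEYS):
        return "browser_setting_change"
    if kind in ("WriteProcessMemory", "CreateRemoteThread") and event["target_pid"] != event["pid"]:
        return "process_injection"          # writing into a process other than itself
    if kind == "file_write" and event["path"].startswith(SYSTEM_FOLDERS):
        return "system_folder_write"
    if kind == "dns_query" and event["name"].lower() in BAD_DOMAINS:
        return "known_bad_domain"
    return None


def behavioral_verdict(events):
    """Score each distinct indicator type once; return (verdict, score, hits)."""
    hits = Counter(i for i in map(classify_event, events) if i)
    score = sum(INDICATOR_WEIGHTS[i] for i in hits)
    return ("malicious" if score >= MALICIOUS_THRESHOLD else "benign", score, hits)


# --- network activity profiles ---------------------------------------------
def network_profile(flows):
    """Reduce flow records (as extracted from a PCAP) to a set of generalized tokens."""
    tokens = set()
    for f in flows:
        if f["proto"] == "dns":
            tokens.add(("dns", f["name"].lower()))
        elif f["proto"] == "http":
            path = re.sub(r"\d+", "N", f["path"])   # fold numeric IDs so variants collide
            tokens.add(("http", f["method"], path))
            tokens.add(("ua", f["user_agent"]))
        elif f["proto"] == "tcp":
            tokens.add(("tcp", f["dport"]))
    return frozenset(tokens)


# One constructed profile; a real store would hold one per family or sample.
KNOWN_PROFILES = {
    "FamilyA": frozenset({
        ("http", "POST", "/gate/N/report.php"),
        ("ua", "Mozilla/4.0 (compatible; MSIE 6.0)"),
        ("tcp", 8443),
    }),
}
MATCH_THRESHOLD = 0.66                        # fraction of a known profile that must be present


def match_profiles(profile, known=KNOWN_PROFILES):
    """One-to-many: a single stored profile matches any sample covering enough of it."""
    matches = []
    for family, tokens in known.items():
        coverage = len(profile & tokens) / len(tokens)
        if coverage >= MATCH_THRESHOLD:
            matches.append((family, round(coverage, 2)))
    return matches


def analyze(events, flows):
    verdict, score, hits = behavioral_verdict(events)
    families = match_profiles(network_profile(flows))
    return {"verdict": "malicious" if families else verdict,
            "score": score, "indicators": dict(hits), "profile_matches": families}


# Constructed sample data: one sample that injects, drops into System32 and
# contacts a C2, and one benign document reader.
SUSPECT_EVENTS = [
    {"type": "registry_write", "pid": 1000,
     "key": "HKCU\\Software\\Microsoft\\Internet Explorer\\Zones\\3\\1400"},
    {"type": "CreateRemoteThread", "pid": 1000, "target_pid": 2000},
    {"type": "file_write", "pid": 1000, "path": "C:\\Windows\\System32\\svch0st.exe"},
    {"type": "dns_query", "pid": 1000, "name": "cdn.example-c2.org"},
]
SUSPECT_FLOWS = [   # different domain than FamilyA ever used, same beacon shape
    {"proto": "dns", "name": "new-host.example-unknown.net"},
    {"proto": "http", "method": "POST", "path": "/gate/7731/report.php",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"proto": "tcp", "dport": 443},
]
BENIGN_EVENTS = [
    {"type": "file_write", "pid": 3000, "path": "C:\\Users\\alice\\Documents\\notes.txt"},
    {"type": "dns_query", "pid": 3000, "name": "www.example.com"},
]
BENIGN_FLOWS = [
    {"proto": "dns", "name": "www.example.com"},
    {"proto": "http", "method": "GET", "path": "/index.html", "user_agent": "Chrome/120"},
]

if __name__ == "__main__":
    print(analyze(SUSPECT_EVENTS, SUSPECT_FLOWS))
    print(analyze(BENIGN_EVENTS, BENIGN_FLOWS))
```

The network side is the part worth noting: the suspect sample never contacts a domain on the blocklist, yet its beacon shape (POST to a `/gate/<id>/report.php` path with a legacy User-Agent) covers two of the three tokens in the stored `FamilyA` profile, so the one stored profile flags it as a variant. Tuning `MATCH_THRESHOLD` and how aggressively tokens are generalized is the trade-off between catching variants and matching unrelated traffic.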
The Advanced WildFire public cloud also analyzes files using
multiple versions of client software, so that malware targeting a
specific version of an application is identified even if it does
not trigger on another version. The WildFire private cloud does not
support multi-version analysis, so application-specific files are
not analyzed across multiple versions there.