>
    Strata Copilot
    File Handling and Analysis in Advanced WildFire
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Browser
    3. First-Party Integrations
    4. File Handling and Analysis in Advanced WildFire
    Download PDF
    Prisma Browser

    File Handling and Analysis in Advanced WildFire

    Table of Contents

    File Handling and Analysis in Advanced WildFire

    How to Manage WildFire
    Advanced WildFire is a cloud-delivered malware analysis service that uses a tiered approach to file inspection. This design prioritizes both strong security controls and optimal performance, especially in terms of latency

    File Size Thresholds and Reputation Checks

    Wildfire is also able to scan documents via the Prisma Access Browser Extension (PABX).
    Advanced WildFire evaluates all submitted files against a maximum size threshold of 300 MB
    • Files over 300 MB
      • These files bypass reputation-based scanning and never enter the WildFire knowledge base.
      • The system applies the fall back policy rule configured by the administrator, which determines whether to enable (permissive) or block (protective) the file.
    • Files 300 MB or smaller
      • WildFire checks the file's hash against the reputation database.
        • If the reputation database indicates that the file is benign, then the system enables it.
        • If the reputation database indicates that the file is malicious, then the system blocks it.
      • For files 20 MB or smaller, the browser waits for a Static Analysis verdict before proceeding. This step mitigates security risks while minimizing end-user latency.
      • For unknown files between 20 MB and 300 MB, the system defers to the administrator’s fall back policy rule to determine access, as waiting for analysis results could degrade performance.

    Dynamic Analysis of Unknown Files

    The system submits all unknown files under 300 MB to Dynamic Analysis, which executes the files in a controlled environment to detect advanced threats. Although this enhances the accuracy of the WildFire reputation database, Dynamic Analysis currently does not support file quarantine-a capability planned for a future release.
    By integrating multiple analysis layers, Advanced WildFire enables organizations to maintain robust security while minimizing disruption to end users.

    Password-Protected File Handling

    Advanced WildFire attempts to scan password-protected files using a brute-force unlocking mechanism, subject to format compatibility and defined limitations.

    Supported File Types for Brute-Force Unlocking

    The brute-force process supports the following password-protected formats:
    • .rar archive files
    • .pdf document files
    • Microsoft Office files (2007 or later), including
      • .docx
      • .xlsx
      • .pptx
    The system blocks scanning for password-protected files that fall outside of these formats under all circumstances.
    Brute Force Failure Handling
    If the brute-force attempt fails to unlock the file:
    • The file won't be scanned.
    • The returned scan verdict will be "Unknown."
      • This ‘Unknown’ status is currently treated as benign, enabling the file to pass without further inspection.

    Administrator-Defined Fallbacks

    You can set your own fallback policy rule when one of the following events occurs:
    • File size exceeded
    • Connection error or service unavailable
    • Unsupported file type
    In all of these cases, you can decide whether to treat the file as Benign and enable it, or as Malicious and block it.

    Supported File Types

    Supported File Types
    ExtensionFile TypeExtensionFile Type
    .7z7zip Archive.pptxMicrosoft PowerPoint Document
    .swfAdobe Flash File.slkMicrosoft Symbolic Link
    .apkAndroid APK.iqyMicrosoft Web query
    .dexAndroid DEX.bat.docMicrosoft Word 97-2003 Document
    .bzbzip2 archive.docxMicrosoft Word Document
    .csvcomma separated values.odsOpenDocument Spreadsheet Document
    .dllDLL/DLL64.odfOpen~Document Text Document
    .elfELF.pdfPortable Document Format
    .gzGzip archive.exePE/PE64
    .htaHTML application.plPerl script
    .isoISO.pngPortable Network Graphics
    .classJAVA class.ps1PowerShell
    .jarJAVA jar.pyPython Script
    .js/.jse/.wsfJavascript/Scipt.papRAR Archive
    .jpgJoint Photographic Experts Group.rtfRich Text Format
    .elinkLink.shShell Script
    .machoMach-o.tarTAR Archive
    .pkgmacOS App Installer.vbs/.vbeVBScript
    .zbundlemacOS App Bundle in ZIP Archive.msiWindows Installer Package
    .fatmacOS Universal Binary File.InlWindows Link File
    .dmgmacOS Disk Image.wsfWindows Script
    .xlsMicrosoft Excel 97-2003.zipZIP Archive
    .xlsxMicrosoft Excel.aspActive Server Pages
    .oneMicrosoft One Note Document.aspxActive Server Packages Extended
    .pptMicrosoft PowerePoint 97-2003.xml Extensible Markup Language
    .htmlHyperText Markup Language
    Nested Archives are supported in zip, rar, 7z, bzip2, iso, gz, tar, vhd, docx, pptx, xlsx, jar.

    Known Limitations Wildfire and Prisma Browser Extension

    The following files cannot be scanned:
    • Local files opened directly in the browser (e.g., file:// paths).
    • Full page saves (Ctrl+S / Cmd+S) cannot be intercepted.
    • Certain browser-internal URLs (extension blobs, untrusted contexts, null-origin blobs).
    • Domains excluded via configuration are skipped entirely.
    Only the Advanced Wildfire scanning provider is supported. Other providers configured in the policy are silently skipped -- the file transfer proceeds without scanning.
    Policy Effects Not Yet Supported
    The following effects are configured in policy but not yet enforced. In all cases, the transfer is blocked rather than applying the intended effect:
    EffectApplies to
    Allow ProtectedDownloads
    Save to Organizational StorageDownloads
    EncryptDownloads and Uploads
    Non-encrypt (allow only non-encrypted)Uploads
    Policy Options Not Yet Supported
    The following interactive options are not yet implemented. When configured, the transfer is blocked instead:
    • Bypass ("Proceed Anyway")
    • Bypass with reason ("Require Reason")
    • MFA challenge
    • Admin approval (downloads only)
    • Content filters / DLP pattern inspection
    Metadata Filters
    Filter Status
    File sizeSupported
    File type / extensionSupported
    File HashNot currently supported
    Upload-Specific Limitations
    • Folders dragged and dropped - are not scanned. There are silently allowed.
    • Folder upload via directory picker is not intercepted.
    • File path and file type may not always be identifiable
    Download-Specific Limitations
    • When the file cannot be fetched for scanning or a mismatch is detected between the scanned copy and the actual download, the download currently proceeds unscanned
    • File size may briefly display as 0 during scanning
    • A long-running scan on a download that opened in a new tab may delay the tab from closing

    © 2026 Palo Alto Networks, Inc. All rights reserved.