Malware Protection Policy Best Practices

The key principle when defining a malware protection policy is to minimize the chance of infection from known and unknown malware. To achieve this goal, the best practice malware protection policy uses WildFire rules that enable Traps to identify and block all known threats and send unknown files for analysis and identification by WildFire. In addition, the best practice malware protection policy enables Traps to take advantage of built-in mechanisms to analyze unknown files and determine the likelihood of malware. Consider the following recommendations when creating a malware protection policy:
  • Enable WildFire integration to allow Traps to evaluate files based on their WildFire verdicts. WildFire integration is automatically enabled in the default policy. Therefore, if you need to create new WildFire rules, ensure that WildFire Activation is On. See Configure a WildFire Rule.
  • Block the execution of malware. The easiest way to prevent malware from causing harm to your endpoints is to block its execution. To do this, the Action in the WildFire policy for executable, DLL, and Microsoft Office files (containing macros) must be set to Prevention. Because the default policy configures this setting, we recommend that you leave the default setting, or, if you need to create new rules, configure each rule to inherit the action from the preceding rule in the hierarchy. If all user-defined rules inherit the action from the previous rule in the rule hierarchy, the rules inherit the definition from the default policy. See Configure a WildFire Rule.
  • Enable Traps to submit unknown files to the ESM Server and enable the ESM Server to send those samples to WildFire for analysis. By submitting the samples, you take advantage of advanced WildFire threat intelligence, which enables analysis and identification of zero-day malware. WildFire also makes information about newly discovered files available globally to other ESMs (upon query) and to Palo Alto Networks firewalls (within minutes). This enables you and other Palo Alto Networks customers to transform unknown samples into known samples, reducing the time spent determining the nature of an unknown file. Because the default policy configures this setting, no additional action is required to enable this functionality. However, if you need to create new rules, ensure that you configure the Unknown Verdict Configuration to block unknown executables and enable Traps agents to Upload Files for WildFire Analysis. See Set Up the ESM to Communicate with WildFire.
  • Enable Traps to perform local analysis on unknown files to determine whether they are likely to be malware. Local analysis uses a statistical model that was developed using machine learning on WildFire threat intelligence. When enabled, local analysis uses the model to issue a local verdict for the file. Traps simultaneously queries the ESM Server for a verdict for the unknown file but can use the local analysis verdict until the ESM Server responds with either an official WildFire verdict or an administrative hash control policy. Because the default policy configures this setting, no additional action is required to enable this functionality. However, if you need to create new rules, ensure that you enable local analysis. See Configure a WildFire Rule.
  • Enable automated content updates. Each content update packages the latest Palo Alto Networks threat intelligence into a default security policy file. A content update can include changes to the list of trusted signers, the local analysis model, compatibility rules, and default rule configuration settings. By enabling automated content updates, you ensure that your endpoints automatically take advantage of this threat intelligence. See Content Updates.
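As an added illustration (not Palo Alto Networks code and not the Traps or ESM API), the following Python models a WildFire rule hierarchy in which each user-defined rule may inherit a setting from the preceding rule, resolves the effective settings back to the default policy, and audits the result against the recommendations above. The WildFireRule class, its field names, the values of the constructed default policy, and the ordering assumption (default policy first, the last rule in the chain wins) are all assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

INHERIT = "inherit"
FILE_TYPES = ("executable", "dll", "office_macro")  # must resolve to Prevention

@dataclass
class WildFireRule:
    """Hypothetical model of one WildFire rule; None or 'inherit' means inherit."""
    name: str
    activation: str = "on"                            # WildFire Activation on/off
    actions: dict = field(default_factory=dict)       # file type -> action or 'inherit'
    block_unknown_executables: Optional[bool] = None  # Unknown Verdict Configuration
    upload_for_analysis: Optional[bool] = None        # Upload Files for WildFire Analysis
    local_analysis: Optional[bool] = None             # Local analysis on unknown files

# Constructed stand-in for the default policy: every setting is concrete here
DEFAULT_POLICY = WildFireRule(
    name="default",
    actions={t: "prevention" for t in FILE_TYPES},
    block_unknown_executables=True,
    upload_for_analysis=True,
    local_analysis=True,
)

def resolve(chain, getter):
    """Walk from the last rule toward the default until a concrete value is found."""
    for rule in reversed(chain):
        value = getter(rule)
        if value is not None and value != INHERIT:
            return value
    raise ValueError("no concrete value anywhere in the hierarchy")

def effective_action(chain, file_type):
    return resolve(chain, lambda r: r.actions.get(file_type, INHERIT))

def audit(user_rules):
    """Return findings where the effective policy departs from the best practice."""
    chain = [DEFAULT_POLICY, *user_rules]  # assumed order: default first, last rule wins
    findings = [f"{r.name}: WildFire Activation is off" for r in user_rules if r.activation != "on"]
    for ft in FILE_TYPES:
        if effective_action(chain, ft) != "prevention":
            findings.append(f"{ft}: effective action is not Prevention")
    for attr, text in (("block_unknown_executables", "unknown executables are not blocked"),
                       ("upload_for_analysis", "upload for WildFire analysis is disabled"),
                       ("local_analysis", "local analysis is disabled")):
        if not resolve(chain, lambda r: getattr(r, attr)):
            findings.append(text)
    return findings
```

A rule that sets an explicit non-Prevention action anywhere in the chain changes the effective action for every later rule that inherits it, which is why the audit checks the resolved value rather than each rule in isolation.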