WildFire® Analysis Concepts
The following sections describe the analysis concepts used by WildFire®.
Cortex XDR sends unknown samples for in-depth analysis to WildFire. WildFire accepts up to 1,000,000 sample uploads per day and up to 1,000,000 verdict queries per day from each Cortex XDR tenant. The daily limit resets at 23:59:00 UTC. Uploads that exceed the sample limit are queued for analysis after the limit resets. WildFire also limits sample sizes to 100 MB. For more information, see the WildFire documentation.
For samples that the Cortex XDR agent reports, the agent first checks its local cache of hashes to determine whether it already has a verdict for that sample. If the Cortex XDR agent does not have a local verdict, the agent queries Cortex XDR to determine whether WildFire has previously analyzed the sample. If the sample is identified as malware, it is blocked. If the sample remains unknown after it is compared against existing WildFire signatures, Cortex XDR forwards the sample for WildFire analysis.
File Type Analysis
The Cortex XDR agent analyzes files based on the type of file, regardless of the file's extension. For deep inspection and analysis, you can also configure Cortex XDR to forward samples to WildFire. A sample can be:
- Any Portable Executable (PE) file, including (but not limited to):
  - Executable files
  - Object code
  - FON (Fonts)
  - Microsoft Windows screensaver (.scr) files
- Microsoft Office files containing macros opened in Microsoft Word (winword.exe) and Microsoft Excel (excel.exe):
  - Microsoft Office 2003 to Office 2016—.doc and .xls
  - Microsoft Office 2010 and later releases—.docm, .docx, .xlsm, and .xlsx
- Dynamic-link library files, including (but not limited to):
  - .dll files
  - .ocx files
- Android application package (APK) files
- Mach-O files
- DMG files
- Linux (ELF) files
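The point that matters for defenders in the list above is that classification is driven by content, not by the name a file carries. The following added example (written for this page, not Cortex XDR agent code) sniffs the standard magic values of the sample types listed, PE, ELF, Mach-O, legacy OLE Office documents, ZIP-based OOXML and APK containers, and UDIF DMG images, and flags a file whose declared extension disagrees with what its bytes say. The type labels, the expected-extension table and the minimal sample headers are all constructed here for illustration.

```python
import io
import struct
import zipfile

# Standard content signatures used by this illustration.
ELF_MAGIC = b"\x7fELF"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # container for .docx/.xlsx/.apk
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",     # 32-bit Mach-O, either byte order
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",     # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                          # fat/universal binary (Java .class shares it)
}
# Illustrative table of extensions one expects per detected type (constructed, not the agent's).
EXPECTED_EXTENSIONS = {
    "pe": {"exe", "dll", "scr", "ocx", "sys", "cpl", "fon"},
    "elf": {"", "so", "elf", "bin"},
    "macho": {"", "dylib", "bundle"},
    "office-legacy": {"doc", "xls", "ppt"},
    "office-ooxml": {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"},
    "apk": {"apk"},
    "dmg": {"dmg"},
    "zip": {"zip", "jar"},
}

def is_pe(data: bytes) -> bool:
    """PE = 'MZ' DOS header plus a 'PE\\0\\0' signature at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def zip_member_names(data: bytes) -> list:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return []

def detect_type(data: bytes) -> str:
    """Classify a sample by its bytes; the file name is deliberately never consulted."""
    if is_pe(data):
        return "pe"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data.startswith(OLE_MAGIC):
        return "office-legacy"
    if data.startswith(ZIP_MAGIC):
        names = zip_member_names(data)
        if "AndroidManifest.xml" in names:
            return "apk"
        if "[Content_Types].xml" in names:
            return "office-ooxml"
        return "zip"
    # UDIF disk images end with a 512-byte trailer that begins with the 'koly' magic.
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "dmg"
    return "unknown"

def classify(file_name: str, data: bytes) -> dict:
    """Return the detected type and whether the declared extension disagrees with it."""
    ext = file_name.rsplit(".", 1)[1].lower() if "." in file_name else ""
    detected = detect_type(data)
    mismatch = detected != "unknown" and ext not in EXPECTED_EXTENSIONS[detected]
    return {"name": file_name, "detected": detected, "extension_mismatch": mismatch}

def build_samples() -> dict:
    """Constructed minimal headers, just enough to exercise the sniffer (no real programs)."""
    pe = bytearray(0x44)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)        # e_lfanew points at offset 0x40
    pe[0x40:0x44] = b"PE\x00\x00"

    def tiny_zip(member: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as archive:
            archive.writestr(member, "<placeholder/>")
        return buf.getvalue()

    return {
        "pe": bytes(pe),
        "elf": ELF_MAGIC + b"\x02\x01\x01" + bytes(13),
        "macho": b"\xcf\xfa\xed\xfe" + bytes(28),
        "doc": OLE_MAGIC + bytes(504),
        "docx": tiny_zip("[Content_Types].xml"),
        "apk": tiny_zip("AndroidManifest.xml"),
        "dmg": bytes(512) + b"koly" + bytes(508),
    }

if __name__ == "__main__":
    samples = build_samples()
    print(classify("setup.exe", samples["pe"]))      # extension agrees with content
    print(classify("invoice.pdf", samples["pe"]))    # PE bytes behind a document extension
```

A real triage pipeline would go on to parse the container it found (for instance to look for VBA macros inside an OLE or OOXML document, which is what the Office rule above is about); the sniffer only decides which parser to hand the sample to.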
WildFire delivers verdicts that identify the samples it analyzes as safe, malicious, or unwanted (grayware is considered obtrusive but not malicious):
- Unknown—Initial verdict for a sample that WildFire has received but has not yet analyzed.
- Benign—The sample is safe and does not exhibit malicious behavior. If Low Confidence is indicated for the Benign verdict, Cortex XDR can treat this hash as if the verdict is unknown and additionally run Local Analysis to obtain a verdict with higher confidence.
- Malware—The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, botnets, and malicious macros. For files identified as malware, WildFire generates and distributes a signature to protect against future exposure to the threat.
- Grayware—The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).
When WildFire is not available or the integration is disabled, the Cortex XDR agent can also assign a local verdict to the sample using additional methods of evaluation. When the Cortex XDR agent performs local analysis on a file, it uses pattern-matching rules and machine learning to determine the verdict. The Cortex XDR agent can also compare the signer of a file with a local list of trusted signers to determine whether the file is malicious:
- Local analysis verdicts:
  - Benign—Local analysis determined that the sample is safe and does not exhibit malicious behavior.
  - Malware—The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, botnets, and malicious macros.
- Trusted signer verdicts:
  - Trusted—The sample is signed by a trusted signer.
  - Not Trusted—The sample is not signed by a trusted signer.
Local Verdict Cache
The Cortex XDR agent stores hashes and the corresponding verdicts for all files that attempt to run on the endpoint in its local cache. The local cache scales in size to accommodate the number of unique executable files opened on the endpoint. On Windows endpoints, the cache is stored in the C:\ProgramData\Cyvera\LocalSystem folder on the endpoint. When service protection is enabled (see Add a New Agent Settings Profile), the local cache is accessible only by the Cortex XDR agent and cannot be changed.
Each time a file attempts to run, the Cortex XDR agent performs a lookup in its local cache to determine whether a verdict already exists. If a verdict is known, it is either the official WildFire verdict or one set manually as a hash exception. Hash exceptions take precedence over any additional verdict analysis.
If the file is unknown in the local cache, the Cortex XDR agent queries Cortex XDR for the verdict. If Cortex XDR receives a verdict request for a file that was already analyzed, Cortex XDR immediately responds to the Cortex XDR agent with the verdict. If Cortex XDR does not have a verdict for the file, it queries WildFire and optionally submits the file for analysis. While the Cortex XDR agent waits for an official WildFire verdict, it can use File Analysis and Protection Flow to evaluate the file. After Cortex XDR receives the verdict, it responds to the Cortex XDR agent that requested the verdict.
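The lookup order described in this section (hash exception, then the agent's local cache, then Cortex XDR, then WildFire, with local analysis or the trusted-signer check filling in while no official verdict exists) is easiest to reason about as code. The following is an added model written for this page, not the Cortex XDR agent's own logic: the `VerdictResolver` class, its tier names, the rule that only a Malware verdict blocks execution, and the assumption that the trusted-signer check runs before pattern/ML local analysis are all hypothetical choices made here, and the hashes in `demo_resolver` are placeholders rather than real indicators. It also carries the low-confidence Benign rule from the verdict list above, where such a cache entry is treated as unknown and local analysis is run.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set


class Verdict(Enum):
    UNKNOWN = "unknown"
    BENIGN = "benign"
    MALWARE = "malware"
    GRAYWARE = "grayware"


@dataclass(frozen=True)
class VerdictRecord:
    verdict: Verdict
    source: str                   # hash-exception, wildfire, trusted-signer or local-analysis
    low_confidence: bool = False


@dataclass
class Decision:
    record: VerdictRecord
    block: bool                   # in this model only a Malware verdict blocks
    submitted_to_wildfire: bool   # True when the sample was forwarded for analysis


class VerdictResolver:
    """Hypothetical model of the lookup order; not Cortex XDR agent code."""

    def __init__(self, hash_exceptions: Dict[str, Verdict], agent_cache: Dict[str, VerdictRecord],
                 server_cache: Dict[str, VerdictRecord], wildfire_known: Dict[str, Verdict],
                 wildfire_available: bool, trusted_signers: Set[str],
                 local_analysis: Callable[[str], Verdict]):
        self.hash_exceptions = hash_exceptions
        self.agent_cache = agent_cache            # endpoint-local verdict cache
        self.server_cache = server_cache          # verdicts Cortex XDR already holds
        self.wildfire_known = wildfire_known      # hashes WildFire has already analyzed
        self.wildfire_available = wildfire_available
        self.trusted_signers = trusted_signers
        self.local_analysis = local_analysis      # stands in for pattern-matching/ML analysis

    @staticmethod
    def _decide(record: VerdictRecord, submitted: bool = False) -> Decision:
        return Decision(record, record.verdict is Verdict.MALWARE, submitted)

    def _interim_verdict(self, sha256: str, signer: Optional[str]) -> VerdictRecord:
        # Assumed order: trusted signer first, then local analysis.
        if signer is not None and signer in self.trusted_signers:
            return VerdictRecord(Verdict.BENIGN, "trusted-signer")
        return VerdictRecord(self.local_analysis(sha256), "local-analysis")

    def resolve(self, sha256: str, signer: Optional[str] = None) -> Decision:
        # 1. A hash exception takes precedence over every other verdict.
        if sha256 in self.hash_exceptions:
            return self._decide(VerdictRecord(self.hash_exceptions[sha256], "hash-exception"))
        # 2. Agent-local cache; a low-confidence Benign entry is treated as unknown.
        cached = self.agent_cache.get(sha256)
        if cached is not None and not (cached.verdict is Verdict.BENIGN and cached.low_confidence):
            return self._decide(cached)
        # 3. Cortex XDR already has a verdict for this hash: answer and cache it locally.
        known = self.server_cache.get(sha256)
        if known is not None:
            self.agent_cache[sha256] = known
            return self._decide(known)
        # 4. Ask WildFire; if it has analyzed the file, cache the verdict at both tiers.
        submitted = False
        if self.wildfire_available:
            wf = self.wildfire_known.get(sha256)
            if wf is not None:
                record = VerdictRecord(wf, "wildfire")
                self.server_cache[sha256] = record
                self.agent_cache[sha256] = record
                return self._decide(record)
            submitted = True                      # unknown to WildFire: forward the sample
        # 5. No official verdict yet (or WildFire unreachable): use the interim local verdict.
        return self._decide(self._interim_verdict(sha256, signer), submitted)


def demo_resolver(wildfire_available: bool = True) -> VerdictResolver:
    """Constructed sample state; the hash strings are placeholders, not real indicators."""
    return VerdictResolver(
        hash_exceptions={"hash-exception-benign": Verdict.BENIGN},
        agent_cache={
            "hash-exception-benign": VerdictRecord(Verdict.MALWARE, "wildfire"),
            "hash-cached-malware": VerdictRecord(Verdict.MALWARE, "wildfire"),
            "hash-lowconf-benign": VerdictRecord(Verdict.BENIGN, "wildfire", low_confidence=True),
        },
        server_cache={"hash-server-grayware": VerdictRecord(Verdict.GRAYWARE, "wildfire")},
        wildfire_known={"hash-wildfire-malware": Verdict.MALWARE},
        wildfire_available=wildfire_available,
        trusted_signers={"Example Software Signing CA"},
        local_analysis=lambda h: Verdict.MALWARE if h.endswith("-bad") else Verdict.BENIGN,
    )
```

Calling `demo_resolver().resolve("hash-exception-benign")` returns a Benign decision even though the agent cache holds a Malware record for the same hash, which is the precedence rule the text states; `resolve("hash-lowconf-benign")` skips the cached low-confidence Benign entry, finds nothing at the server or at WildFire, marks the sample as submitted, and returns the local-analysis verdict as the interim answer.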