Advanced WildFire Support for Intelligent Run-time Memory Analysis
11.0 (EoL)
Learn about the Advanced WildFire support for intelligent run-time memory analysis.
Advanced WildFire is a new subscription offering available on NGFWs running PAN-OS 10.0 and later that provides access to Intelligent Run-time Memory Analysis: a cloud-based advanced analysis engine that complements the existing static and dynamic analysis engines to detect and prevent evasive malware threats. Advanced threats rely on techniques such as environmental checks and obfuscation to bypass detection; additionally, they often show signs of bespoke design with ephemeral behaviors that lead to fast dissemination throughout the network after an attack has been initiated. By leveraging a cloud-based detection infrastructure, the Intelligent Run-time Memory Analysis detection engines operate a wide array of detection mechanisms to target this highly evasive malware. To keep up with the latest threats, Advanced WildFire analysis engines are updated and deployed automatically, without requiring the user to download content update packages or run resource-intensive, appliance-based analyzers.
Intelligent Run-time Memory Analysis relies on the existing WildFire analysis profile settings and does not require any additional configuration; it is only necessary to install the new Advanced WildFire license on your preferred NGFW platform. Samples that display or otherwise indicate evasive and/or advanced malware qualities are automatically forwarded to the appropriate analysis environments. Samples that receive a verdict with a high level of certainty from the other analysis platforms may forgo Advanced WildFire analysis. The resulting sample analysis details can be further examined by reviewing the WildFire analysis reports, which show a detailed account of what was discovered.
Intelligent Run-time Memory Analysis...
- supports PE sample analysis.
- is not currently available in the WildFire EU and U.S. Government clouds.
1. Log in to the PAN-OS web interface.
2. To take advantage of Intelligent Run-time Memory Analysis, you must have an active Advanced WildFire subscription on your NGFW. For more information, refer to Licensing, Registration, and Activation. To verify the subscriptions for which you have currently active licenses, select Device > Licenses and verify that the appropriate licenses are available and have not expired. If your current WildFire license has expired, you must first remove that license from the NGFW before installing the Advanced WildFire license.
3. Verify that you have configured PAN-OS to Forward Files for WildFire Analysis.
4. Download a malicious PE test file to verify that the file is forwarded for WildFire analysis, and view the analysis results.
5. View the WildFire Submissions logs for forwarded samples. Samples analyzed using Intelligent Run-time Memory Analysis (Advanced WildFire) have an additional selectable VM category under the Dynamic Analysis heading, labeled Advanced WildFire, that displays the analysis details and the supporting evidence for how the verdict was reached.
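The license check in step 2 is the one precondition this page states that can silently block the feature: an expired WildFire license has to be removed before the Advanced WildFire license is installed. The following Python script is an added example, not code from the page or from Palo Alto Networks. It parses the XML that the PAN-OS operational command `request license info` returns (the same data the Device > Licenses page shows, retrievable through the XML API with `type=op`) and applies that rule offline against two constructed sample responses. The exact feature strings (`WildFire License`, `Advanced WildFire License`), the serial numbers and the dates in the samples are assumptions and placeholders; confirm the feature names against your own device's output before relying on them.

```python
"""Check PAN-OS license output for Advanced WildFire readiness (added example).

Applies the rule from the page: an active Advanced WildFire license is
required, and an expired WildFire license must be removed before the new
license is installed. Feature strings below are assumptions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import date, datetime
from typing import Optional

# Assumed feature names as they appear in `request license info` output.
WILDFIRE_FEATURE = "WildFire License"
ADVANCED_WILDFIRE_FEATURE = "Advanced WildFire License"

# Constructed sample responses; serials and dates are placeholders, not real.
SAMPLE_READY = """<response status="success"><result><licenses>
<entry><feature>WildFire License</feature><serial>000000000000</serial>
<issued>January 01, 2021</issued><expires>January 01, 2023</expires><expired>yes</expired></entry>
<entry><feature>Advanced WildFire License</feature><serial>000000000000</serial>
<issued>January 01, 2023</issued><expires>January 01, 2025</expires><expired>no</expired></entry>
<entry><feature>Threat Prevention</feature><serial>000000000000</serial>
<issued>January 01, 2023</issued><expires>Never</expires><expired>no</expired></entry>
</licenses></result></response>"""

SAMPLE_STALE = """<response status="success"><result><licenses>
<entry><feature>WildFire License</feature><serial>000000000000</serial>
<issued>January 01, 2021</issued><expires>January 01, 2023</expires><expired>yes</expired></entry>
</licenses></result></response>"""


def parse_expiry(text: Optional[str]) -> Optional[date]:
    """PAN-OS prints expiry as e.g. 'January 01, 2025', or 'Never' for perpetual licenses."""
    if not text or text.strip() == "Never":
        return None
    return datetime.strptime(text.strip(), "%B %d, %Y").date()


def parse_licenses(xml_text: str) -> list[dict]:
    """Extract feature name, expiry date and expired flag from each <entry>."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    licenses = []
    for entry in root.iterfind("./result/licenses/entry"):
        licenses.append({
            "feature": entry.findtext("feature", "").strip(),
            "expires": parse_expiry(entry.findtext("expires")),
            "expired": entry.findtext("expired", "no").strip() == "yes",
        })
    return licenses


def advanced_wildfire_readiness(licenses: list[dict], today: date) -> dict:
    """Return a status string plus days left on the Advanced WildFire license."""
    def active(lic: dict) -> bool:
        # Trust the device's own expired flag, but also guard against a stale clock.
        return not lic["expired"] and (lic["expires"] is None or lic["expires"] >= today)

    adv = [l for l in licenses if l["feature"] == ADVANCED_WILDFIRE_FEATURE and active(l)]
    if adv:
        exp = adv[0]["expires"]
        return {"status": "ready", "days_left": (exp - today).days if exp else None}
    # No usable Advanced WildFire license: an expired WildFire license must go first.
    stale = [l for l in licenses if l["feature"] == WILDFIRE_FEATURE and not active(l)]
    if stale:
        return {"status": "remove-expired-wildfire-first", "days_left": None}
    return {"status": "advanced-wildfire-license-required", "days_left": None}


if __name__ == "__main__":
    for name, xml_text in (("ready", SAMPLE_READY), ("stale", SAMPLE_STALE)):
        print(name, advanced_wildfire_readiness(parse_licenses(xml_text), date(2024, 6, 1)))
```

On a live firewall the same XML comes back from `https://<firewall>/api/?type=op&cmd=<request><license><info></info></license></request>` with a valid API key; the script only reads the response, so it needs no more than a read-only operational role. The `days_left` value is there so the check can be scheduled and used to warn before the Advanced WildFire license lapses, since the page notes that an expired license must be removed rather than simply renewed over.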