Verdict Changes

You can now use the WildFire appliance to change a verdict for a sample. Verdict changes apply only to those samples submitted to the WildFire appliance, and the verdict for the same sample remains unchanged in the WildFire global cloud.
The WildFire private cloud content package is updated to reflect any verdict changes that you make (on the firewall, select
Device
Dynamic Updates
WF-Private
to enable WildFire private cloud content updates). When you change a sample verdict to malicious, the WildFire appliance generates a new signature to detect the malware and adds that signature to the WildFire private cloud content package. When you change a sample verdict to benign, the WildFire appliance removes the signature from the WildFire private cloud content package.
  • Change a sample verdict:
    admin@WF-500#
    submit wildfire local-verdict-change hash
    <sha256 hash>
    comment
    <comment>
    verdict
    <verdict>
    • hash
      —Provide the SHA-256 hash of the file for which you want to change the verdict.
    • verdict
      —Enter the new file verdict: 0 indicates a benign sample; 1 indicates malware; 2 indicates grayware, and 4 indicates phishing.
    • comment
      —Include a comment to describe the verdict change.
  • See samples with changed verdicts:
    admin@WF-500#
    show wildfire global local-verdict-change all |
    <sha256 hash>
    • all
      —See all samples with changed verdicts. The output includes the original verdict and the new verdict.
    • <sha256 hash>
      —Check a specific sample for a changed verdict. The output includes the original verdict and the new verdict.
  • Use the API to change a sample verdict:
    Make a request to the new resource
    submit/local-verdict-change
    and include the API key, the file hash, the new verdict you want to apply to the sample, and a descriptive comment of the change:
    curl -X POST -H "Content-Type: multipart/form-data" -F "apikey=apikey" -F "hash=sha-256-hash" -F "verdict=0" -F "comment=comment-for-verdict-change" "https://wf-500/publicapi/submit/local-verdict-change"
    Use the following parameters when changing a WildFire appliance verdict for a file:
    • apikey
      —Enter your API key.
    • hash
      —Provide the SHA-256 hash of the file for which you want to change the verdict.
    • verdict
      —Enter the new file verdict: 0 indicates a benign sample, 1 indicates malware, 2 indicates grayware, and 4 indicates phishing.
    • comment
      —Include a comment to describe the verdict change.
    The following XML response verifies a successful verdict change. Example:
    <wildfire> <body>verdict is changed (old verdict: 0, new verdict:1)</body> <headers/> </wildfire>
  • Use the API to see samples with changed verdicts:
    Make a request to the new resource
    get/verdicts/changed
    and include the API key and a start date for the query. Samples with changed verdicts from the specified start date to the present date is shown in this list:
    curl -F "apikey=apikey" -F "date=YYYY-MM-DD" "https://wf-500/publicapi/get/verdicts/changed"
    The
    verdict
    element value can be one of the following:
    • 0
      —benign
    • 1
      —malware
    • 2
      —grayware
    • 4
      —phishing
    The XML response contains the WildFire verdict along with the related hash values for each sample with changed
    verdicts within the specified time-frame. Example:
    <wildfire> <get-verdict-info> <sha256>afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc</sha256> <verdict>1</verdict> <md5>0e4e3c2d84a9bc726a50b3c91346fbb1</md5> </get-verdict-info> ........... <get-verdict-info> <sha256>9739eb4207fe251d40f05187cbfd16081f97b246ebcc6010660244a84a9391b0</sha256> <verdict>2</verdict> <md5>481e625e50211efcaf6edb8f54f8cf83</md5> </get-verdict-info> </wildfire>

Related Documentation