In addition to the Threat logs, use the victim IP address
to filter though the WildFire Submissions logs. The WildFire Submissions
logs contain information on files uploaded to the WildFire service
for analysis. Because spyware typically embeds itself covertly,
reviewing the WildFire Submissions logs tells you whether the victim
recently downloaded a suspicious file. The WildFire forensics report
displays information on the URL from which the file or .exe was
obtained, and the behavior of the content. It informs you if the
file is malicious, if it modified registry keys, read/wrote into
files, created new files, opened network communication channels,
caused application crashes, spawned processes, downloaded files,
or exhibited other malicious behavior. Use this information to determine
whether to block the application that caused the infection (web-browsing,
SMTP, FTP), make more stringent URL Filtering rules, or restrict some
applications/actions (for example, file downloads to specific user
groups).
If WildFire determines that a file is malicious, a new antivirus
signature is created within 24-48 hours and made available to you.
If you have a WildFire subscription, the signature is made available
within 30-60 minutes as part of the next WildFire signature update.
As soon as the Palo Alto Networks next-generation firewall has received
a signature for it, if your configuration is configured to block
malware, the file will be blocked and the information on the blocked
file will be visible in your threat logs. This process is tightly integrated
to protect you from this threat and stems the spread of malware
on your network.