Override a WildFire Verdict
4.2 (EoS)
You can locally override a WildFire verdict to allow or block a file without changing the official verdict in WildFire. This is useful when you need an exception for a specific file, under specific circumstances or on specific endpoints, without altering the global security policy. While the override is in place, the ESM Console still shows the official WildFire verdict on the Hash Control page, so any later change in that verdict remains visible. The override stays in effect until you remove it, at which time the hash reverts to the last verdict known to the server.
For example, consider a case where WildFire returns
a verdict on a specific hash and indicates that the file is unknown.
If your security policy is configured to block all unknown files
and you believe the file to be benign, you can override the policy
to allow the specific file to execute without altering the global
policy. Later, if WildFire returns a new verdict indicating that
the file was analyzed and determined to be malicious, you can view
the verdict change on the Hash Control page.
In that case, you can remove the override and allow the security policy
to block the malicious file.
- From the ESM Console, select Policies > Malware > Hash Control.
- To view the WildFire verdict for a specific hash, do either of the following:
- Use the search at the top of the page to search for a hash value or process name.
- Use the paging controls on the top right of each page to view different portions of the table.
- To review the endpoints on which a user has tried to open the executable file, select Agent List (available only when there are five or more instances of a process hash).
- Review the WildFire report for the executable file to validate your decision to override the verdict. See View a WildFire Report.
- Select the hash record and then click Treat as Benign to allow the executable file to run, or click Treat as Malware to block execution of the file. This override does not affect the official WildFire verdict, but it does change the verdict in the local security policy for your organization. If you suspect a WildFire verdict is incorrect, consider reporting the issue to Palo Alto Networks. See Report an Incorrect Verdict.
- On a regular basis, review any mismatches between the official WildFire verdict and your local policy action.
- When the override is no longer needed, remove it. From
the action menu
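The regular review in the procedure above is easiest to do mechanically: compare, for every hash that carries a local override, the action the official WildFire verdict would produce with the action the override actually enforces, and flag the cases where the official verdict changed after the override was set. The following script is an added example and is not Palo Alto Networks code; the ESM Console has no documented export format on this page, so the HashRecord fields, the sample rows and the hash values are constructed assumptions. It goes slightly beyond the page's single scenario by also handling a block-unknown policy that is turned off, which makes a Treat as Benign override on an unknown file redundant rather than risky.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Verdict labels as shown on the Hash Control page.
VERDICTS = ("benign", "unknown", "grayware", "malware")


@dataclass(frozen=True)
class HashRecord:
    """One row of the Hash Control table. Field names are assumed, not an ESM export format."""
    sha256: str
    process: str
    wildfire_verdict: str             # current official WildFire verdict
    local_override: Optional[str]     # "benign" (Treat as Benign), "malware" (Treat as Malware) or None
    verdict_updated: datetime         # when WildFire last changed its verdict for this hash
    override_set: Optional[datetime]  # when the local override was applied, if any


@dataclass(frozen=True)
class Finding:
    sha256: str
    process: str
    official_action: str
    local_action: str
    severity: str   # "high", "medium" or "low"
    reason: str


def policy_action(verdict: str, block_unknown: bool) -> str:
    """Action the malware protection policy takes for a verdict: 'allow' or 'block'."""
    if verdict not in VERDICTS:
        raise ValueError(f"unexpected verdict {verdict!r}")
    if verdict == "benign":
        return "allow"
    if verdict == "unknown":
        return "block" if block_unknown else "allow"
    return "block"  # grayware and malware are always blocked


def local_action(rec: HashRecord, block_unknown: bool) -> str:
    """Action actually enforced on endpoints: a local override wins over the official verdict."""
    return policy_action(rec.local_override or rec.wildfire_verdict, block_unknown)


def review_overrides(records, block_unknown: bool = True) -> List[Finding]:
    """One Finding per overridden hash, rated by how far the local action drifts from the official one."""
    findings = []
    for rec in records:
        if rec.local_override is None:
            continue
        official = policy_action(rec.wildfire_verdict, block_unknown)
        local = local_action(rec, block_unknown)
        changed_since = rec.override_set is not None and rec.verdict_updated > rec.override_set
        if local == official:
            sev, why = "low", "override no longer changes the outcome; remove it"
        elif local == "allow":
            # Allowing what the official verdict would block is the dangerous direction.
            if rec.wildfire_verdict == "malware" and changed_since:
                sev, why = "high", "WildFire reclassified this hash as malware after the override was set; remove the override"
            elif rec.wildfire_verdict == "malware":
                sev, why = "high", "Treat as Benign on a hash WildFire calls malware; revalidate against the WildFire report"
            else:
                sev, why = "medium", "local policy allows a file the official verdict would block"
        else:
            sev, why = "low", "local policy blocks a file the official verdict would allow"
        findings.append(Finding(rec.sha256, rec.process, official, local, sev, why))
    return findings


# Constructed sample rows; the hashes are placeholders, not real file digests.
_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
_T1 = datetime(2024, 1, 10, tzinfo=timezone.utc)
_T2 = datetime(2024, 2, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    HashRecord("a" * 64, "tool.exe", "unknown", "benign", _T0, _T1),   # the page's worked scenario, verdict unchanged
    HashRecord("b" * 64, "updater.exe", "malware", "benign", _T2, _T1),  # WildFire later called it malware
    HashRecord("c" * 64, "legacy.exe", "benign", "malware", _T0, _T1),   # conservative override
    HashRecord("d" * 64, "dropper.exe", "malware", None, _T0, None),     # no override: nothing to review
    HashRecord("e" * 64, "setup.exe", "benign", "benign", _T0, _T1),     # override now redundant
]

if __name__ == "__main__":
    for f in review_overrides(SAMPLE_RECORDS, block_unknown=True):
        print(f"{f.severity:6} {f.process:12} official={f.official_action} local={f.local_action}  {f.reason}")
```

Run it against an export of the Hash Control table after replacing SAMPLE_RECORDS; the "high" findings are the overrides to remove first, since each one lets a file execute that WildFire has since judged malicious.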