Override a WildFire Verdict

You can locally override a WildFire verdict to allow or block a file without impacting the official verdict in WildFire. This is useful when you need to create an exception for a specific file in only specific circumstances or endpoints without altering the global security policy. After overriding the verdict, the ESM Console displays any change in the WildFire verdict on the
Hash Control
page. The override remains in place until you remove it, at which time it reverts to the last known verdict on the server.
For example, consider a case where WildFire returns a verdict on a specific hash and indicates that the file is unknown. If your security policy is configured to block all unknown files and you believe the file to be benign, you can override the policy to allow the specific file to execute without altering the global policy. Later, if WildFire returns a new verdict indicating that the file was analyzed and determined to be malicious, you can view the verdict change on the
Hash Control
page. In that case, you can remove the override and allow the security policy to block the malicious file.
  1. From the ESM Console, select
    Policies
    Malware
    Hash Control
    .
  2. To view the WildFire verdict for a specific hash, do either of the following:
    • Use the search at the top of the page to search for a hash value or process name.
    • Use the paging controls on the top right of each page to view different portions of the table.
  3. To review the endpoints on which a user has tried to open the executable file, select
    Agent List
    (available only when there are five or more instances of a process hash).
  4. Review the WildFire report for the executable file to validate your decision to override the verdict. See View a WildFire Report.
  5. Select the hash record and then click
    Treat as Benign
    to allow the executable file to run or click
    Treat as Malware
    to block execution of the file. This override does not affect the official WildFire verdict but it does change the verdict in the local security policy for your organization. If you suspect a WildFire verdict is incorrect, please consider reporting the issue to Palo Alto Networks. See Report an Incorrect Verdict.
  6. On a regular basis, review any mismatches between the official WildFire verdict and your local policy action.
  7. When the override is no longer needed, remove it. From the action menu , select
    Revert to WildFire Verdict
    . The ESM Console reverts to the verdict last known by the ESM Server.

Recommended For You