You can locally override a WildFire verdict
to allow or block a file without impacting the official verdict
in WildFire. This is useful when you need to create an exception
for a specific file in only specific circumstances or endpoints without
altering the global security policy. After overriding the verdict,
the ESM Console displays any change in the WildFire verdict on the
page. The override remains in place until you
remove it, at which time it reverts to the last known verdict on

For example, consider a case where WildFire returns
a verdict on a specific hash and indicates that the file is unknown.
If your security policy is configured to block all unknown files
and you believe the file to be benign, you can override the policy
to allow the specific file to execute without altering the global
policy. Later, if WildFire returns a new verdict indicating that
the file was analyzed and determined to be malicious, you can view
the verdict change on the
In that case, you can remove the override and allow the security policy
to block the malicious file.

From the ESM Console, select

To view the WildFire verdict for a specific hash, do
either of the following:

Use the search at the top of the page to search
for a hash value or process name.

Use the paging controls on the top right of each page to
view different portions of the table.

To review the endpoints on which a user has tried to
open the executable file, select
only when there are five or more instances of a process hash).

Review the WildFire report for the executable file to
validate your decision to override the verdict. See View
a WildFire Report.

Select the hash record and then click
to allow the executable file to run or click
to block execution of the file. This override
does not affect the official WildFire verdict but it does change
the verdict in the local security policy for your organization.

If you suspect a WildFire verdict is incorrect, please consider reporting
the issue to Palo Alto Networks. See Report
an Incorrect Verdict.

On a regular basis, review any mismatches between the
official WildFire verdict and your local policy action.

When the override is no longer needed, remove it. From
the action menu
to WildFire Verdict
. The ESM Console reverts to the
verdict last known by the ESM Server.
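
The periodic mismatch review described above can be expressed as a small check. This is an added example, not Palo Alto Networks code and not an ESM Console export format: the record layout, the field names and the policy table (unknown files blocked, as in the scenario above, and benign files allowed) are assumptions, and the sample records are constructed.

```python
"""Added example: flag local verdict overrides that disagree with the official verdict."""
from dataclasses import dataclass
from typing import Optional

# Assumed policy: unknown and malicious files are blocked, benign files run.
POLICY_ACTION = {"benign": "allow", "unknown": "block", "malicious": "block"}

@dataclass
class HashRecord:  # hypothetical layout, not a real export format
    sha256: str
    process: str
    official_verdict: str    # last verdict known from WildFire
    override: Optional[str]  # "allow", "block", or None when no override is set

def effective_action(rec):
    """A local override wins until it is removed; otherwise the policy decides."""
    return rec.override or POLICY_ACTION[rec.official_verdict]

def review_overrides(records):
    """Return (severity, record) pairs for every override, most urgent first."""
    findings = []
    for rec in records:
        if rec.override is None:
            continue
        if rec.override == POLICY_ACTION[rec.official_verdict]:
            severity = "redundant"   # override no longer changes the outcome
        elif rec.override == "allow" and rec.official_verdict == "malicious":
            severity = "remove-now"  # verdict turned malicious under an allow override
        else:
            severity = "review"      # intentional exception; re-validate it
        findings.append((severity, rec))
    order = {"remove-now": 0, "review": 1, "redundant": 2}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed sample records; the hash values are placeholders, not indicators.
SAMPLE = [
    HashRecord("a" * 64, "tool.exe", "unknown", "allow"),
    HashRecord("b" * 64, "setup.exe", "malicious", "allow"),
    HashRecord("c" * 64, "legacy.exe", "benign", "block"),
    HashRecord("d" * 64, "notes.exe", "benign", "allow"),
    HashRecord("e" * 64, "plain.exe", "unknown", None),
]

if __name__ == "__main__":
    for severity, rec in review_overrides(SAMPLE):
        print(f"{severity:10} {rec.process:11} official={rec.official_verdict:9} "
              f"override={rec.override} effective={effective_action(rec)}")
```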