ESM Forwarding

The Endpoint Security Manager (ESM) forwards unknown samples for in-depth analysis to the WildFire. You can integrate your ESM environment with either the WildFire public cloud or a local WF-500 that acts as a local sandbox. The type of samples the ESM submits and frequency at which the ESM communicates with WildFire is determined by the WildFire settings and rules that you configure (see Set Up the ESM to Communicate with WildFire and Configure a WildFire Rule).
For samples that Traps reports, the agent first checks its local cache of hashes to determine if it has an existing verdict for that sample. If Traps does not have a local verdict, Traps queries the ESM to determine if WildFire has previously analyzed the sample. If the sample is identified as malware, it is blocked. If the sample remains unknown after comparing it against existing WildFire signatures, the ESM forwards the sample for WildFire analysis. For more information, see Malware Protection Flow.

Related Documentation