WildFire Analysis Concepts

File Forwarding

Traps management service sends unknown samples for in-depth analysis to WildFire. WildFire accepts up to 1,000,000 sample uploads per day and up to 1,000,000 verdict queries per day from each Traps management service tenant. The daily limit resets at 23:59:00 UTC. Uploads that exceed the sample limit are queued for analysis after the limit resets. WildFire also limits sample sizes to 100MB. For more information, see the WildFire documentation.
For samples that Traps reports, the agent first checks its local cache of hashes to determine if it has an existing verdict for that sample. If Traps does not have a local verdict, Traps queries Traps management service to determine if WildFire has previously analyzed the sample. If the sample is identified as malware, it is blocked. If the sample remains unknown after comparing it against existing WildFire signatures, Traps management service forwards the sample for WildFire analysis.

File Type Analysis

Traps analyzes files based on the type of file, regardless of the file’s extension. For deep inspection and analysis, you can also configure your Traps management service to forward samples to WildFire. A sample can be:
  • Any Portable Executable (PE) file including (but not limited to):
    • Executable files
    • Object code
    • FON (Fonts)
    • Microsoft Windows screensaver (.scr) files
  • Microsoft Office files containing macros opened in Microsoft Word (winword.exe) and Microsoft Excel (excel.exe):
    • Microsoft Office 2003 to Office 2016—.doc and .xls
    • Microsoft Office 2010 and later releases—.docm, .docx, .xlsm, and .xlsx
  • Dynamic-link library file including (but not limited to):
    • .dll files
    • .ocx files
  • Android application package (APK) files
  • Mach-o files
  • Linux (ELF) files
For information on file-examination settings, see Add a New Malware Security Profile.

Verdicts

WildFire delivers verdicts to identify samples it analyzes as safe, malicious, or unwanted (grayware is considered obtrusive but not malicious):
  • Unknown—Initial verdict for a sample for which WildFire has received but has not analyzed.
  • Benign—The sample is safe and does not exhibit malicious behavior.
  • Malware—The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, botnets, and malicious macros. For files identified as malware, WildFire generates and distributes a signature to prevent against future exposure to the threat.
  • Grayware—The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).
When WildFire is not available or integration is disabled, Traps can also assign a local verdict for the sample using additional methods of evaluation: When Traps performs local analysis on a file, it uses machine learning to determine the verdict. Traps can also compare the signer of a file with a local list of trusted signers to determine whether a file is malicious:
  • Local analysis verdicts:
    • Benign—Local analysis determined the sample is safe and does not exhibit malicious behavior.
    • Malware—The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, botnets, and malicious macros.
  • Trusted signer verdicts:
    • Trusted—The sample is signed by a trusted signer.
    • Not Trusted—The sample is not signed by a trusted signer.

Local Verdict Cache

Traps stores hashes and the corresponding verdicts for all files that attempt to run on the endpoint inits local cache. The local cache scales in size to accommodate the number of unique executable files opened on the endpoint. On Windows endpoints, the cache is stored in the C:\ProgramData\Cyvera\LocalSystem folder on the endpoint. When service protection is enabled (see Add a New Agent Settings Profile), the local cache is accessible only by the Traps agent and cannot be changed.
Each time a file attempts to run, the Traps agent performs a lookup in its local cache to determine if a verdict already exists. If known, the verdict is either the official WildFire verdict or manually set as a hash exception. Hash exceptions take precedence over any additional verdict analysis.
If the file is unknown in the local cache, the Traps agent queries Traps management service for the verdict. If Traps management service receives a verdict request for a file that was already analyzed, Traps management service immediately responds to the Traps agent with the verdict.
If Traps management service does not have a verdict for the file, it queries WildFire and optionally submits the file for analysis. While Traps attempts waits for an official WildFire verdict, it can use local analysis to evaluate the file. After Traps management service receives the verdict it responds to the Traps agent that requested the verdict.
For information on file-examination settings, see Add a New Malware Security Profile.

Related Documentation