Advanced WildFire analysis reports display detailed sample information,
as well as information on targeted users, email header information
(if enabled), the application that delivered the file, and all URLs
involved in the command-and-control activity of the file. Advanced
WildFire reports contain some or all of the information described
in the following table based on the session information configured
on the firewall that forwarded the file and depending on the observed
behavior for the file.
When viewing an Advanced WildFire report for a file that
was manually uploaded to the WildFire portal or by using the WildFire API,
the report will not show session information because the traffic
did not traverse the firewall. For example, the report would not
show the Attacker/Source and Victim/Destination.
Report Heading / Description

File Information
File Type —Flash, PE, PDF, APK, JAR/Class, archive, Linux, script, or MS Office. This field is named URL for HTTP/HTTPS email link reports and displays the URL that was analyzed.
File Signer —The entity that signed the file for authenticity purposes.
Hash Value —A file hash is much like a fingerprint that uniquely identifies a file, so it can be used to confirm that the file has not been modified in any way. WildFire generates the following hash versions for each file analyzed:
SHA-1 —Displays the SHA-1 value for the file.
SHA-256 —Displays the SHA-256 value for the file.
MD5 —Displays the MD5 value for the file.
File Size —The size (in bytes) of the file that WildFire analyzed.
First Seen Timestamp —If the WildFire system has analyzed the file previously, this is the date/time that it was first observed.
link to download the sample file to your local
system. Note that you can only download files with the malware verdict,
not benign.
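The File Information fields above (the three hash versions plus File Size) are what an analyst checks to confirm that a locally retrieved copy is really the sample a report describes. The following is an added example, not code from the WildFire product or its documentation; the sample bytes and the report values are constructed here so the script runs offline.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ReportFileInfo:
    """The hash and size fields a WildFire report lists under File Information."""
    sha1: str
    sha256: str
    md5: str
    size: int


def file_info(data: bytes) -> ReportFileInfo:
    """Compute the same hash versions and size that the report shows for a file."""
    return ReportFileInfo(
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        md5=hashlib.md5(data).hexdigest(),
        size=len(data),
    )


def matches_report(data: bytes, report: ReportFileInfo) -> dict:
    """Compare a local copy against the report's File Information.

    Returns one boolean per field. Any False means the local copy is not the
    sample the report describes (modified, truncated, or simply a different file),
    so the report's verdict and behavior summary must not be applied to it.
    """
    local = file_info(data)
    return {
        "sha1": local.sha1 == report.sha1.lower(),
        "sha256": local.sha256 == report.sha256.lower(),
        "md5": local.md5 == report.md5.lower(),
        "size": local.size == report.size,
    }


# Constructed sample bytes standing in for a file pulled from quarantine;
# REPORT is what a report would list for exactly these bytes.
SAMPLE = b"MZ" + b"\x90" * 62 + b"constructed sample body, not a real PE\n"
REPORT = file_info(SAMPLE)

if __name__ == "__main__":
    print(matches_report(SAMPLE, REPORT))
    # A single changed byte alters every hash but leaves the size unchanged,
    # so File Size alone never confirms that two files are the same sample.
    print(matches_report(SAMPLE[:-1] + b"!", REPORT))
```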
Coverage Status
Click the Virus Total link to view endpoint antivirus coverage information for samples that have already been identified by other vendors. If the file has never been seen by any of the listed vendors, "file not found" appears.
In addition, when the report is rendered on the firewall, this section also displays up-to-date information about the signature and URL filtering coverage that Palo Alto Networks currently provides to protect against the threat. Because this information is retrieved dynamically, it does not appear in the PDF report.
The following coverage information is provided for active signatures:
Coverage Type —The type of protection provided by Palo Alto Networks (virus, DNS, WildFire, or malware URL).
Signature ID —A unique ID number assigned to each signature that Palo Alto Networks provides.
Detail —The well-known name of the virus.
Date Released —The date that Palo Alto Networks released coverage to protect against the malware.
Latest Content Version —The version number of the content release that provides protection against the malware.
Session Information
Contains session information based on the traffic as it traversed the firewall that forwarded the sample. To define the session information that WildFire includes in the reports, select Device > Setup > WildFire > Session Information Settings. The following options are available:
Source IP
Source Port
Destination IP
Destination Port
Virtual System (If multi-vsys is configured on the firewall)
Application
User (If User-ID is configured on the firewall)
URL
Filename
Email sender
Email recipient
Email subject
By default, session information includes the field Status, which indicates whether the firewall allowed or blocked the sample.
Dynamic Analysis
If a file is low risk and WildFire can easily determine that it is safe, only static analysis is performed on the file, instead of dynamic analysis.
When dynamic analysis is performed, this section contains tabs showing analysis results for each environment type that the sample was run in. For example, the Virtual Machine 4 tab might show an analysis environment running Windows 7, Adobe Reader 11, Flash 11, and Office 2010.
On the WildFire appliance, only one virtual machine is used for the analysis; you select it based on the analysis environment attributes that best match your local environment. For example, if most users have Windows 7 32-bit, that virtual machine would be selected.
Behavior Summary
Each Virtual Machine tab summarizes the behavior of the sample file in the specific environment. Examples include whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects.
The Severity column indicates the severity of each behavior. The severity gauge shows one bar for low severity and additional bars for higher severity levels. This information is also added to the dynamic and static analysis sections.
The following describes the various behaviors that are analyzed:
Network Activity —Shows network activity performed by the sample, such as accessing other hosts on the network, DNS queries, and phone-home activity. A link is provided to download the packet capture.
Host Activity (by process) —Lists activities performed on the host, such as registry keys that were set, modified, or deleted.
Process Activity —Lists files that started a parent process, the process name, and the action the process performed.
File —Lists files that started a child process, the process name, and the action the process performed.
Mutex —If the sample file generates other program threads, the mutex name and parent process are logged in this field.
Activity Timeline —Provides a play-by-play list of all recorded activity of the sample, which helps in understanding the sequence of events that occurred during the analysis.
The activity timeline information is only available in the PDF export of the WildFire reports.
Submit Malware
Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud then re-analyzes the sample and generates a signature if it determines that the sample is malicious. This is useful on a WildFire appliance that does not have signature generation or cloud intelligence enabled, because cloud intelligence is the feature that otherwise forwards malware from the appliance to the WildFire cloud.
Report an Incorrect Verdict
Click this link to submit the sample to the Palo Alto Networks threat team if you believe the verdict is a false positive or false negative. The threat team will perform further analysis on the sample to determine whether it should be reclassified. If a malware sample is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update; if a benign file is determined to be malicious, a new signature is generated. After the investigation is complete, you will receive an email describing the action that was taken.