Analysis Environment
WildFire reproduces a variety of analysis environments,
including the operating system, to identify malicious behaviors
within samples. Depending on the characteristics and features of
the sample, multiple analysis environments may be used to determine
the nature of the file. WildFire uses static analysis with machine
learning to initially determine if known and variants of known samples
are malicious. Based on the initial verdict of the submission, WildFire
sends the unknown samples to analysis environment(s) to inspect
the file in greater detail by extracting additional information
and indicators from dynamic analysis. If the file has been obfuscated
using custom or open source methods, the WildFire cloud decompresses
and decrypts the file in-memory within the dynamic analysis environment
before analyzing it using static analysis. During dynamic analysis,
WildFire observes the file as it would behave when executed within
client systems and looks for various signs of malicious activities,
such as changes to browser security settings, injection of code
into other processes, modification of files in operating system
folders, or attempts by the sample to access malicious domains.
Additionally, PCAPs generated during dynamic analysis in the WildFire
cloud undergo deep inspection and are used to create network activity
profiles. Network traffic profiles can detect known malware and
previously unknown malware using a one-to-many profile match.
WildFire Sample Analysis Workflow
WildFire analyzes files using the following methods:
- Static Analysis—Detects known threats by analyzing the characteristics of samples prior to execution.
- Machine Learning—Identifies variants of known threats by comparing malware feature sets against a dynamically updated classification systems.
- Dynamic Unpacking (WildFire public cloud only)—Identifies and unpacks files that have been encrypted using custom/open source methods and prepares it for static analysis.
- Dynamic Analysis—A custom built, evasion resistant virtual environment in which previously unknown submissions are detonated to determine real-world effects and behavior.
- Bare Metal Analysis (WildFire public cloud only)—A fully hardware-based analysis environment specifically designed for advanced VM-aware threats. Samples that display the characteristics of an advanced VM-aware threat are steered towards the bare metal appliance by the heuristic engine.Bare metal analysis is not available in the WildFire private cloud.
WildFire operates analysis environments that replicate the following
operating systems:
- Microsoft Windows XP 32-bit (Supported as an option for the WildFire private cloud only)
- Microsoft Windows 7 64-bit
- Microsoft Windows 7 32-bit (Supported as an option for WildFire private cloud only)
- Microsoft Windows 10 64-bit (Supported as an option for the WildFire public cloud and WildFire private cloud running PAN-OS 10.0 or later)
- Mac OS X (WildFire public cloud only)
- Android (WildFire public cloud only)
- Linux (WildFire public cloud only)
The WildFire public cloud also analyzes files using multiple
versions of software to accurately identify malware that target
specific versions of client applications. The WildFire private cloud
does not support multi-version analysis, and does not analyze application-specific
files across multiple versions.
