Samples
Samples are all file types and email links the firewall forwards for WildFire analysis. See File Analysis and Email Link Analysis for details on the file types and links that a firewall can submit for WildFire analysis.
Firewall Forwarding
The firewall forwards unknown samples for WildFire analysis based on the configured WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). In addition to detecting links included in emails, files attached to emails, and browser-based file downloads, the firewall uses the Palo Alto Networks App-ID feature to detect file transfers within applications. For each sample the firewall detects, it checks the sample hash against WildFire signatures to determine whether WildFire has previously analyzed the sample. If the sample is identified as malware, it is blocked. If the sample remains unknown after the comparison against existing WildFire signatures, the firewall forwards it for WildFire analysis.
By default, the firewall also forwards information about the session in which an unknown sample was detected. To manage the session information that the firewall forwards, select Device > Setup > WildFire and edit Session Information Settings.
Session Information Sharing
In addition to forwarding unknown samples for analysis, the firewall also forwards information about the unknown sample’s network session. Palo Alto Networks uses session information to learn more about the context of the suspicious network event, indicators of compromise related to the malware, affected hosts and clients, and applications used to deliver the malware.
The firewall is enabled to forward session information by default; however, you can adjust the default settings and choose what type of session information the firewall forwards to WildFire. On the firewall, select Device > Setup > WildFire and select or clear the following Session Information Settings:
Source IP—Forward the source IP address that sent the unknown file.
Source Port—Forward the source port that sent the unknown file.
Destination IP—Forward the destination IP address for the unknown file.
Destination Port—Forward the destination port for the unknown file.
Virtual System—Forward the virtual system that detected the unknown file.
Application—Forward the user application that transmitted the unknown file.
User—Forward the targeted user.
URL—Forward the URL associated with the unknown file.
Filename—Forward the name of the unknown file.
Email sender—Forward the sender of an unknown email link (the name of the email sender also appears in WildFire logs and reports).
Email recipient—Forward the recipient of an unknown email link (the name of the email recipient also appears in WildFire logs and reports).
Email subject—Forward the subject of an unknown email link (the email subject also appears in WildFire logs and reports).
Virtual Environment
Multiple virtual machines run in the WildFire public cloud to represent a variety of operating systems and applications. WildFire executes samples in a virtual environment and observes sample behavior for signs of malicious activity, such as changes to browser security settings, injection of code into other processes, modification of files in the Windows system folder, or attempts by the sample to access malicious domains. The WildFire public cloud also analyzes files across application versions in order to identify malware intended to target specific versions of client applications (the WildFire private cloud does not support multi-version analysis, so application-specific files are not analyzed across several versions of the application there). For links that the firewall extracts from email messages and forwards to WildFire, WildFire visits the links to determine whether the corresponding web page hosts any exploits. When WildFire completes analysis, it generates a detailed forensics report that summarizes sample behaviors and assigns a verdict of malware, benign, or grayware to the sample.
WildFire runs virtual environments with each of the following operating systems:
Microsoft Windows XP 32-bit
Microsoft Windows 7 32-bit (supported as an option for the WF-500 appliance only)
Microsoft Windows 7 64-bit
Microsoft Windows 10 64-bit (WildFire Cloud Analysis only)
Android (WildFire Cloud Analysis only)
Linux (WildFire Cloud Analysis only)
Verdicts
WildFire delivers verdicts to identify samples it analyzes as safe, malicious, or unwanted (grayware is considered obtrusive but not malicious):
Benign—The sample is safe and does not exhibit malicious behavior.
Grayware—The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).
Malicious—The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For files identified as malware, WildFire generates and distributes a signature to prevent future exposure to the threat.
File Analysis
A Palo Alto Networks firewall configured with a WildFire analysis profile forwards samples for WildFire analysis based on file type (including email links). Additionally, the firewall decodes files that have been encoded or compressed up to four times (such as files in ZIP format); if the decoded file matches WildFire Analysis profile criteria, the firewall forwards the decoded file for WildFire analysis.
While the firewall can forward all the file types listed below, WildFire analysis support can vary depending on the WildFire cloud to which you are submitting samples. Review WildFire File Type Support to learn more.
File Types Supported for WildFire Forwarding:
apk—Android Application Package (APK) files. APK files are not supported for WildFire private cloud analysis using a WF-500 appliance.
flash—Adobe Flash applets and Flash content embedded in web pages.
jar—Java applets (JAR/class file types).
ms-office—Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), PowerPoint presentations (PPT, PPTX), and Office Open XML (OOXML) 2007+ documents.
pe—Portable Executable (PE) files. PEs include executable files, object code, DLLs, and FON (fonts). A subscription is not required to forward PE files for WildFire analysis, but is required for all other supported file types.
pdf—Portable Document Format (PDF) files.
MacOSX—Mach-O, DMG, and PKG files are supported with content version 599. You can also manually or programmatically submit all Mac OS X supported file types for analysis (including application bundles, for which the firewall does not support automatic forwarding).
email-link—HTTP/HTTPS links contained in SMTP and POP3 email messages. See Email Link Analysis.
archive—Roshal Archive (RAR) and 7-Zip (7z) archive files. Password-protected archives, and multi-volume archives that are split into several smaller files, cannot be submitted for analysis.
Email Link Analysis
A Palo Alto Networks firewall can extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links for WildFire analysis. The firewall only extracts links and associated session information (sender, recipient, and subject) from email messages; it does not receive, store, forward, or view the email message.
WildFire visits submitted links to determine if the corresponding web page hosts any exploits. A link that WildFire finds to be malicious is:
Recorded on the firewall as a WildFire Submissions log entry. The WildFire analysis report that details the behavior and activity observed for the link is available for each WildFire Submissions log entry. The log entry also includes the email header information—email sender, recipient, and subject—so that you can identify the message and delete it from the mail server, or mitigate the threat if the email has been delivered or opened.
Added to PAN-DB, with the URL categorized as malware.
The firewall forwards email links in batches of 100 links or every two minutes, whichever limit is reached first. Each batch upload to WildFire counts as one upload toward the per-minute upload capacity for the given firewall platform (Firewall File Forwarding Capacity by Platform).
If a link in an email points to a file download rather than to a web page, the firewall forwards the file only if the corresponding file type is enabled for WildFire analysis.
To enable the firewall to forward links included in emails for WildFire analysis, see Forward Files for WildFire Analysis.
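The extraction and batching behavior described in this section, as an added example (not Palo Alto Networks code): it parses a constructed SMTP message, keeps only the HTTP/HTTPS links plus the sender, recipient and subject headers (the body is not retained), and releases batches at 100 links or two minutes, whichever comes first. The message, the regular expression and the batcher class are assumptions made for the illustration.

```python
"""Extract HTTP/HTTPS links and header context from an email message and
batch them for upload. Added example, not Palo Alto Networks code; the
message below is constructed and the batching class is hypothetical."""
import re
import time
from email import message_from_bytes
from email.policy import default

# Constructed sample message (not a real capture). The same portal link
# appears twice, and an ftp:// link is present to show it is ignored.
RAW_MESSAGE = b"""From: "Payroll" <payroll@example.com>
To: alice@example.org
Subject: Updated pay statement
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your statement is ready: http://example.com/stmt/2024-01.pdf
Use the portal https://portal.example.net/login?u=alice instead.
--b1
Content-Type: text/html; charset=utf-8

<html><body><a href="https://portal.example.net/login?u=alice">Portal</a>
<a href="HTTPS://cdn.example.com/inv.zip">Invoice</a>
<a href="ftp://files.example.com/x">ignored</a></body></html>
--b1--
"""

# Only HTTP and HTTPS links are extracted; other schemes never match.
LINK_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def extract_links(raw: bytes) -> dict:
    """Return sender/recipient/subject and the de-duplicated HTTP(S) links
    found in the text and HTML parts. The body itself is not kept."""
    msg = message_from_bytes(raw, policy=default)
    links = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for match in LINK_RE.finditer(part.get_content()):
            url = match.group(0).rstrip(".,;")
            if url.lower() not in (seen.lower() for seen in links):
                links.append(url)
    return {
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "links": links,
    }


class LinkBatcher:
    """Queue links and release a batch when 100 are queued or two minutes
    have passed since the batch was opened, whichever comes first. Each
    released batch is what counts as one upload toward platform capacity."""
    MAX_LINKS = 100
    MAX_AGE_S = 120

    def __init__(self, now=time.monotonic):
        self._now = now          # injectable clock so the timer can be tested
        self._links = []
        self._opened = None

    def add(self, url: str):
        if not self._links:
            self._opened = self._now()
        self._links.append(url)
        return self.flush_if_due()

    def flush_if_due(self):
        """Return the batch if a limit was hit, otherwise None."""
        if not self._links:
            return None
        aged = self._now() - self._opened >= self.MAX_AGE_S
        if len(self._links) >= self.MAX_LINKS or aged:
            batch, self._links, self._opened = self._links, [], None
            return batch
        return None


if __name__ == "__main__":
    result = extract_links(RAW_MESSAGE)
    print(result["subject"], result["links"])
```

`flush_if_due` is meant to be called from a periodic timer as well as from `add`, since a small batch that never reaches 100 links must still leave after two minutes.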
Compressed and Encoded File Analysis
By default, the firewall decodes files that have been encoded or compressed up to four times, including files that have been compressed using the ZIP format. The firewall then inspects and enforces policy on the decoded file; if the file is unknown, the firewall forwards the decoded file for WildFire analysis.
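The forwarding logic from Firewall Forwarding, File Analysis and this section, as one added example (not Palo Alto Networks code): nested ZIP containers are unpacked to at most four levels, each decoded object is typed by its leading bytes, and objects whose type is in the analysis profile are checked against a set of existing verdicts so that known malware is blocked, other known samples are skipped, and unknown ones are forwarded. The magic-byte table, the PE-shaped stub, the PDF, the profile set and the hash table are all constructed for the illustration.

```python
"""Unpack nested ZIP archives to at most four levels, identify each decoded
object by its leading bytes, and decide whether to block, skip or forward
it by hash lookup. Added example, not Palo Alto Networks code; the file-type
table, sample objects and verdict table are constructed for the example."""
import hashlib
import io
import zipfile

MAX_DECODE_DEPTH = 4  # the firewall decodes at most four nested levels

# Leading-byte signatures for some of the listed file types (constructed table).
MAGIC = [
    (b"MZ", "pe"),                                         # Portable Executable
    (b"%PDF", "pdf"),                                      # PDF
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ms-office"),    # legacy OLE2 Office file
    (b"Rar!\x1a\x07", "archive"),                          # RAR
    (b"7z\xbc\xaf\x27\x1c", "archive"),                    # 7-Zip
    (b"PK\x03\x04", "zip"),                                # ZIP container: decoded, not forwarded as-is
]


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes; 'unknown' if nothing matches."""
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unpack(data: bytes, name: str = "<root>", depth: int = 0):
    """Yield (name, depth, bytes) for an object and everything nested in it.
    Decoding stops at MAX_DECODE_DEPTH, so a payload buried deeper than four
    containers is never reached, which is the limit the text states. Only ZIP
    is unpacked here; RAR/7z are classified but left intact."""
    yield name, depth, data
    if depth >= MAX_DECODE_DEPTH or identify(data) != "zip":
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)  # RuntimeError for password-protected entries
                yield from unpack(inner, f"{name}/{info.filename}", depth + 1)
    except (zipfile.BadZipFile, RuntimeError):
        return  # corrupt or encrypted: nothing further can be decoded


def forward_decision(data: bytes, profile_types, known_hashes) -> list:
    """For each decoded object whose type is in the WildFire Analysis profile,
    look its hash up against existing verdicts: block known malware, skip
    anything else already known, and forward the rest as unknown samples."""
    decisions = []
    for name, depth, blob in unpack(data):
        ftype = identify(blob)
        if ftype not in profile_types:
            continue
        verdict = known_hashes.get(sha256_hex(blob))
        if verdict == "malicious":
            action = "block"
        elif verdict is not None:
            action = "skip"      # benign/grayware already known, no upload needed
        else:
            action = "forward"
        decisions.append((name, depth, ftype, action))
    return decisions


def build_nested_zip(payload: bytes, inner_name: str, levels: int) -> bytes:
    """Wrap payload in `levels` nested ZIP containers (constructed sample input)."""
    data, name = payload, inner_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i + 1}.zip"
    return data


# Constructed sample objects: a PE-shaped stub (not a working executable) and a minimal PDF.
FAKE_PE = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
FAKE_PDF = b"%PDF-1.7\n1 0 obj<<>>endobj\n%%EOF\n"
PROFILE_TYPES = {"pe", "pdf", "ms-office", "archive"}
KNOWN_HASHES = {sha256_hex(FAKE_PDF): "benign"}   # hypothetical existing verdict


if __name__ == "__main__":
    sample = build_nested_zip(FAKE_PE, "update.exe", 3)
    for decision in forward_decision(sample, PROFILE_TYPES, KNOWN_HASHES):
        print(decision)
```

Running the module forwards the PE found three containers deep; wrapping the same stub five times leaves it unreached, which is the behavior to keep in mind when an attacker nests a payload deeper than the decode limit.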
WildFire Signatures
WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic, and can quickly generate signatures to identify and protect against future infections from the malware it discovers. WildFire automatically generates a signature based on the malware payload of the sample and tests it for accuracy and safety. Because malware evolves rapidly, the signatures that WildFire generates address multiple variants of the malware. WildFire generates and makes new signatures available every five minutes. Firewalls with an active WildFire license can retrieve the latest signatures every five minutes. If you do not have a WildFire subscription, signatures are made available within 24-48 hours as part of the antivirus update for firewalls with an active Threat Prevention license.
As soon as the firewall downloads and installs the new signature, the firewall blocks files that contain that malware (or a variant of the malware).