WildFire reproduces a variety of analysis environments,
including operating systems, to identify malicious behaviors within
samples. Depending on the characteristics and features of the sample,
multiple analysis environments may be used to determine the nature
of the file. WildFire first uses static analysis with machine learning
to determine whether known samples and variants of known samples are
malicious. Based on the initial verdict for the submission, WildFire
sends unknown samples to one or more analysis environments to inspect
the file in greater detail by extracting additional information
and indicators through dynamic analysis. During dynamic analysis, WildFire
observes the file as it would behave when executed on client
systems and looks for signs of malicious activity, such
as changes to browser security settings, injection of code into
other processes, modification of files in operating system folders,
or attempts by the sample to access malicious domains.
WildFire analyzes files using the following methods:
Static analysis: detection of threats by analyzing the characteristics of samples prior to execution.
Machine learning: detection of variants of known threats by comparing malware feature sets against dynamically updated classification systems.
Dynamic analysis—A custom-built, evasion-resistant virtual environment in which previously unknown submissions are detonated to determine their real-world effects and behavior.
Bare Metal Analysis (WildFire Cloud analysis only)—A fully hardware-based analysis environment specifically designed for advanced VM-aware threats. Samples that display the characteristics of an advanced VM-aware threat are steered towards the bare metal appliance by the heuristic engine.
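The staged flow described above (static/ML verdict first, dynamic analysis only for unknowns, VM-aware samples steered to bare metal) can be illustrated with a small triage pipeline. This is an added example, not WildFire code; the hash-based "known" sets, the behavior event schema, the indicator rules, the probe names and the routing labels are all constructed assumptions chosen to mirror the four indicator types the text lists (browser security settings, process injection, OS folder writes, malicious domains).

```python
"""Toy multi-stage sandbox triage, modelled on the flow described in the text.

Constructed example (not WildFire's implementation): a sample first gets a
static verdict; only unknown samples are judged on their dynamic behavior;
samples that probe for a hypervisor are routed to a hypothetical bare-metal
queue instead of being scored in the VM.
"""
from dataclasses import dataclass
from typing import Iterable
import hashlib

# Stand-in for the static/ML stage: SHA-256 sets of already classified
# content. Real classifiers work on extracted features, not only hashes;
# a hash lookup is just the simplest runnable approximation.
KNOWN_MALICIOUS_SHA256 = {hashlib.sha256(b"constructed-known-bad").hexdigest()}
KNOWN_BENIGN_SHA256 = {hashlib.sha256(b"constructed-known-good").hexdigest()}


@dataclass(frozen=True)
class BehaviorEvent:
    """One observation from a sandbox run (constructed schema)."""
    kind: str          # "registry", "process", "file", "dns" or "probe"
    target: str        # registry key, file path, process name, domain or probe name
    detail: str = ""   # e.g. the API used for a process event


# Indicator rules for the four behaviors named in the text (all constructed).
BROWSER_SECURITY_KEY_PREFIXES = (
    "hkcu\\software\\microsoft\\windows\\currentversion\\internet settings\\zones\\",
)
INJECTION_APIS = {"writeprocessmemory", "createremotethread", "ntmapviewofsection"}
OS_FOLDER_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MALICIOUS_DOMAINS = {"bad-example.invalid"}  # constructed blocklist entry
# Hypothetical names for sandbox-detection probes the analysis hooks would log.
VM_PROBES = {"cpuid_hypervisor_bit", "vmware_backdoor_port", "vbox_registry_key"}


def static_verdict(content: bytes) -> str:
    """Pre-execution stage: 'malicious', 'benign' or 'unknown'."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_MALICIOUS_SHA256:
        return "malicious"
    if digest in KNOWN_BENIGN_SHA256:
        return "benign"
    return "unknown"


def dynamic_indicators(events: Iterable[BehaviorEvent]) -> list[str]:
    """Match observed events against the indicator rules; return the reasons hit."""
    reasons = []
    for ev in events:
        target = ev.target.lower()
        if ev.kind == "registry" and target.startswith(BROWSER_SECURITY_KEY_PREFIXES):
            reasons.append(f"browser security setting changed: {ev.target}")
        elif ev.kind == "process" and ev.detail.lower() in INJECTION_APIS:
            reasons.append(f"code injected into {ev.target} via {ev.detail}")
        elif ev.kind == "file" and target.startswith(OS_FOLDER_PREFIXES):
            reasons.append(f"file modified in OS folder: {ev.target}")
        elif ev.kind == "dns" and target in MALICIOUS_DOMAINS:
            reasons.append(f"contacted known-malicious domain: {ev.target}")
    return reasons


def is_vm_aware(events: Iterable[BehaviorEvent]) -> bool:
    """True if the sample performed any of the (hypothetical) hypervisor probes."""
    return any(ev.kind == "probe" and ev.target in VM_PROBES for ev in events)


def triage(content: bytes, events: Iterable[BehaviorEvent]) -> dict:
    """Run the staged pipeline and report stage, verdict, reasons and routing."""
    events = list(events)
    verdict = static_verdict(content)
    if verdict != "unknown":
        # Known sample or known variant: no detonation needed.
        return {"stage": "static", "verdict": verdict, "reasons": [], "route": None}
    if is_vm_aware(events):
        # Heuristic steering: VM-aware behavior means the VM verdict is not trusted.
        return {"stage": "dynamic", "verdict": "pending",
                "reasons": dynamic_indicators(events), "route": "bare-metal"}
    reasons = dynamic_indicators(events)
    return {"stage": "dynamic", "verdict": "malicious" if reasons else "benign",
            "reasons": reasons, "route": "vm"}


if __name__ == "__main__":
    # Constructed run: an unknown sample that shows all four listed behaviors.
    sample_events = [
        BehaviorEvent("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1601", "set 0"),
        BehaviorEvent("process", "explorer.exe", "CreateRemoteThread"),
        BehaviorEvent("file", "C:\\Windows\\System32\\drivers\\etc\\hosts", "write"),
        BehaviorEvent("dns", "bad-example.invalid"),
    ]
    print(triage(b"never seen before", sample_events))
```

The routing decision deliberately happens before scoring: a sample that checks for a hypervisor may simply stay dormant inside the VM, so a "benign" VM verdict for it would be a false negative, which is why the text has the heuristic engine send such samples to bare metal rather than trusting the virtual environment's result.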
WildFire operates analysis environments that replicate the following operating systems:
Microsoft Windows XP 32-bit
Microsoft Windows 7 64-bit
Microsoft Windows 7 32-bit (supported as an option for WildFire appliance only)
Microsoft Windows 10 64-bit (WildFire Cloud Analysis only)
Mac OSX (WildFire Cloud Analysis only)
Android (WildFire Cloud Analysis only)
Linux (WildFire Cloud Analysis only)
The WildFire public cloud also analyzes files using multiple
versions of software to accurately identify malware that targets
specific versions of client applications. The WildFire private cloud
does not support multi-version analysis and does not analyze application-specific
files across multiple versions.