WildFire Analysis Reports—Close Up
WildFire analysis reports display detailed sample information, as well as information on targeted users, email header information (if enabled), the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. WildFire reports contain some or all of the information described in the following table based on the session information configured on the firewall that forwarded the file and depending on the observed behavior for the file.
When viewing a WildFire report for a file that was manually uploaded to the WildFire portal or submitted using the WildFire API, the report does not show session information because the traffic did not traverse a firewall. For example, the Attacker/Source and Victim/Destination fields are not populated.
Click the VirusTotal link to view endpoint antivirus coverage information for samples that other vendors have already identified. If none of the listed vendors has seen the file, the message file not found appears.
In addition, when the report is rendered on the firewall, this section also displays up-to-date information about the signature and URL filtering coverage that Palo Alto Networks currently provides against the threat. Because this information is retrieved dynamically, it does not appear in the PDF report.
The following coverage information is provided for active signatures:
Contains session information based on the traffic as it traversed the firewall that forwarded the sample. To define the session information that WildFire includes in reports, select Device > Setup > WildFire > Session Information Settings.
The following options are available:
By default, session information includes the field Status, which indicates if the firewall allowed or blocked the sample.
Files analyzed using bare metal are shown as a virtual machine configuration under dynamic analysis.
If a file is low risk and WildFire can easily determine that it is safe, only static analysis is performed on the file, instead of dynamic or bare metal analysis.
When dynamic or bare metal analysis is performed, this section contains tabs showing the analysis results for each environment type in which the sample was run. For example, the Virtual Machine 1 tab might show an analysis environment running Windows XP, Adobe Reader 9.3.3, and Office 2003, and Virtual Machine 3 might have similar attributes but run in a bare metal environment. A sample is analyzed using bare metal in addition to dynamic analysis if it displays characteristics of an advanced VM-aware threat.
On the WildFire appliance, only one virtual machine is used for the analysis, which you select based on analysis environment attributes that best match your local environment. For example, if most users have Windows 7 32-bit, that virtual machine would be selected.
Each Virtual Machine tab summarizes the behavior of the sample file in the specific environment. Examples include whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects.
The Severity column indicates the severity of each behavior. The severity gauge will show one bar for low severity and additional bars for higher severity levels. This information is also added to the dynamic and static analysis sections.
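The report elements described above (the presence or absence of session information for manually uploaded samples, the Status field, the per-environment behavior tabs with their severity gauges, and the bare metal indicator) can be reduced to a short triage summary. The following is an added example, not code from Palo Alto Networks or from the WildFire API; the report structure, field names and sample values are constructed stand-ins for a real report, and the review thresholds are an assumption of this example.

```python
"""Summarise a WildFire-style analysis report for analyst triage.

Added example. The Report/Environment/Behavior layout below is a CONSTRUCTED,
simplified stand-in for a WildFire report; it is not the WildFire API schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed threshold: a severity gauge with this many bars or more is "high".
HIGH_SEVERITY = 3


@dataclass
class Behavior:
    description: str
    severity: int  # number of bars shown on the severity gauge (1 = low)


@dataclass
class Environment:
    name: str          # e.g. "Virtual Machine 1"
    platform: str      # e.g. "Windows XP, Adobe Reader 9.3.3, Office 2003"
    bare_metal: bool   # True when the environment was a bare metal host
    behaviors: List[Behavior] = field(default_factory=list)


@dataclass
class Report:
    sha256: str
    verdict: str
    # None when the sample was uploaded manually or via the API, because the
    # traffic never traversed a firewall and no session information exists.
    session: Optional[Dict[str, str]]
    environments: List[Environment] = field(default_factory=list)


def triage(report: Report) -> dict:
    """Reduce a report to the facts an analyst checks first."""
    summary = {
        "verdict": report.verdict,
        "session_info": report.session is not None,
        "blocked": None,                 # unknown without session information
        "bare_metal_used": any(e.bare_metal for e in report.environments),
        "max_severity": 0,
        "high_severity_behaviors": [],   # (environment name, behavior)
        "needs_review": False,
    }
    if report.session is not None:
        # Status is included in session information by default.
        summary["blocked"] = report.session.get("status") == "block"
    for env in report.environments:
        for b in env.behaviors:
            summary["max_severity"] = max(summary["max_severity"], b.severity)
            if b.severity >= HIGH_SEVERITY:
                summary["high_severity_behaviors"].append((env.name, b.description))
    # Assumed review rule: a malicious sample the firewall allowed through, or a
    # VM-aware sample (bare metal was needed) showing high severity behaviors.
    summary["needs_review"] = bool(
        (report.verdict == "malicious" and summary["blocked"] is False)
        or (summary["bare_metal_used"] and summary["high_severity_behaviors"])
    )
    return summary


def build_sample_report() -> Report:
    """Constructed sample: a firewall-forwarded file run in a VM and on bare metal."""
    run_key = "Modified a registry Run key"
    return Report(
        sha256="<sha256 placeholder>",
        verdict="malicious",
        session={"status": "allow", "source": "10.0.0.5",
                 "destination": "203.0.113.7", "application": "web-browsing"},
        environments=[
            Environment("Virtual Machine 1", "Windows XP, Adobe Reader 9.3.3, Office 2003",
                        False, [Behavior("Created a file in the user profile", 1),
                                Behavior(run_key, 3)]),
            Environment("Virtual Machine 3", "Windows XP, Adobe Reader 9.3.3, Office 2003",
                        True, [Behavior("Spawned a new process", 2),
                               Behavior(run_key, 3)]),
        ],
    )


if __name__ == "__main__":
    for key, value in triage(build_sample_report()).items():
        print(f"{key}: {value}")
```

A report built with `session=None` (a manual portal or API upload) yields `blocked: None`, so the "allowed malicious sample" rule cannot fire and only the behavior-based rule applies; that mirrors the report itself, which shows no Attacker/Source or Victim/Destination for such samples.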
The following describes the various behaviors that are analyzed:
Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud then re-analyzes the sample and generates signatures if it determines that the sample is malicious. This is useful on a WildFire appliance that does not have signature generation or cloud intelligence enabled, because it provides a way to forward malware from the appliance to the WildFire cloud.
Report an Incorrect Verdict
Click this link to submit the sample to the Palo Alto Networks threat team if you believe the verdict is a false positive or false negative. The threat team performs further analysis on the sample to determine whether it should be reclassified. If a sample classified as malware is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update; if a sample classified as benign is determined to be malicious, a new signature is generated. After the investigation is complete, you receive an email describing the action that was taken.