WildFire Analysis Reports—Close Up

Access WildFire analysis reports on the firewall, the WildFire portal, and the WildFire API.
WildFire analysis reports display detailed sample information, as well as information on targeted users, email header information (if enabled), the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. WildFire reports contain some or all of the information described in the following table based on the session information configured on the firewall that forwarded the file and depending on the observed behavior for the file.
When viewing a WildFire report for a file that was manually uploaded to the WildFire portal or by using the WildFire API, the report will not show session information because the traffic did not traverse the firewall. For example, the report would not show the Attacker/Source and Victim/Destination.
The following lists each report heading together with a description of its contents:
File Information
  • File Type—Flash, PE, PDF, APK, JAR/Class, archive, Linux, script, or MS Office. For HTTP/HTTPS email link reports this field is named URL and displays the URL that was analyzed.
  • File Signer—The entity that signed the file for authenticity purposes.
  • Hash Value—A file hash acts like a fingerprint: it uniquely identifies the contents of a file, so any modification to the file changes its hash. WildFire generates the following hashes for each file analyzed:
    • SHA-1—Displays the SHA-1 value for the file.
    • SHA-256—Displays the SHA-256 value for the file.
    • MD5—Displays the MD5 information for the file.
  • File Size—The size (in bytes) of the file that WildFire analyzed.
  • First Seen Timestamp—If the WildFire system has analyzed the file previously, this is the date/time that it was first observed.
  • Verdict—Displays analysis verdicts.
  • Sample File—Click the Download File link to download the sample file to your local system. Note that you can only download files with the malware verdict, not files with the benign verdict.
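As an added example (not part of the Palo Alto Networks documentation or product), the following Python computes the three hash values and the file size that the File Information section lists, and checks a downloaded sample against values copied from the report. The function names, the `report_values` dictionary and the sample bytes are assumptions constructed for this example; in practice the expected values would be copied from the report's File Information section.

```python
import hashlib
import os
import tempfile

# The hash algorithms that the File Information section of a WildFire report lists.
HASH_ALGORITHMS = ("sha1", "sha256", "md5")


def hash_bytes(data):
    """Return a dict of sha1/sha256/md5 hex digests and the size (bytes) of in-memory data."""
    result = {name: hashlib.new(name, data).hexdigest() for name in HASH_ALGORITHMS}
    result["size"] = len(data)
    return result


def file_hashes(path, chunk_size=1 << 16):
    """Same as hash_bytes, but streams a file from disk in chunks so a large
    sample does not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for hasher in hashers.values():
                hasher.update(chunk)
    result = {name: hasher.hexdigest() for name, hasher in hashers.items()}
    result["size"] = size
    return result


def verify_sample(path, report_values):
    """Compare a downloaded sample with values copied from a WildFire report.

    report_values (hypothetical, caller-supplied) may contain any of the keys
    sha1, sha256, md5 and size. Returns the list of fields that do not match;
    an empty list means the file on disk is the file the report describes.
    """
    actual = file_hashes(path)
    mismatches = []
    for field, expected in report_values.items():
        if field not in actual:
            mismatches.append(field)  # unknown field name: treat as a mismatch
            continue
        if isinstance(expected, str):
            expected = expected.strip().lower()  # hex digests compare case-insensitively
        if actual[field] != expected:
            mismatches.append(field)
    return mismatches


def demo():
    """Write a constructed (harmless) sample to a temp file and verify it twice:
    once against matching report values, once against a tampered md5."""
    data = b"constructed sample content for the example, not a real file\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        expected = hash_bytes(data)          # stands in for values read off the report
        matching = verify_sample(path, expected)                 # []
        tampered = verify_sample(path, dict(expected, md5="0" * 32))  # ["md5"]
        return matching, tampered
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Checking all three digests and the size before handling a downloaded sample guards against a truncated or corrupted download and against confusing two samples that share only an MD5 or SHA-1 value.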
Coverage Status
Click the Virus Total link to view endpoint antivirus coverage information for samples that have already been identified by other vendors. If none of the listed vendors has seen the file, the message file not found appears.
In addition, when the report is rendered on the firewall, up-to-date information about what signature and URL filtering coverage that Palo Alto Networks currently provides to protect against the threat will also be displayed in this section. Because this information is retrieved dynamically, it will not appear in the PDF report.
The following coverage information is provided for active signatures:
  • Coverage Type—The type of protection provided by Palo Alto Networks (virus, DNS, WildFire, or malware URL).
  • Signature ID—A unique ID number assigned to each signature that Palo Alto Networks provides.
  • Detail—The well-known name of the virus.
  • Date Released—The date that Palo Alto Networks released coverage to protect against the malware.
  • Latest Content Version—The version number for the content release that provides protection against the malware.
Session Information
Contains session information based on the traffic as it traversed the firewall that forwarded the sample. To define the session information that WildFire includes in reports, select Device > Setup > WildFire > Session Information Settings.
The following options are available:
  • Source IP
  • Source Port
  • Destination IP
  • Destination Port
  • Virtual System (If multi-vsys is configured on the firewall)
  • Application
  • User (If User-ID is configured on the firewall)
  • URL
  • Filename
  • Email sender
  • Email recipient
  • Email subject
By default, session information includes the field Status, which indicates if the firewall allowed or blocked the sample.
Dynamic Analysis
Files analyzed using bare metal are shown as a virtual machine configuration under dynamic analysis.
If a file is low risk and WildFire can easily determine that it is safe, only static analysis is performed on the file, instead of dynamic or bare metal analysis.
When dynamic or bare metal analysis is performed, this section contains tabs showing analysis results for each environment type that the sample was run in. For example, the Virtual Machine 1 tab might show an analysis environment running Windows XP, Adobe Reader 9.3.3, and Office 2003, while Virtual Machine 3 might have similar attributes but run in a bare metal environment. A sample is analyzed using bare metal in addition to dynamic analysis if it displays characteristics of an advanced VM-aware threat.
On the WildFire appliance, only one virtual machine is used for the analysis, which you select based on analysis environment attributes that best match your local environment. For example, if most users have Windows 7 32-bit, that virtual machine would be selected.
Behavior Summary
Each Virtual Machine tab summarizes the behavior of the sample file in the specific environment. Examples include whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects.
The Severity column indicates the severity of each behavior. The severity gauge will show one bar for low severity and additional bars for higher severity levels. This information is also added to the dynamic and static analysis sections.
The following describes the various behaviors that are analyzed:
  • Network Activity—Shows network activity performed by the sample, such as accessing other hosts on the network, DNS queries, and phone-home activity. A link is provided to download the packet capture.
  • Host Activity (by process)—Lists activities performed on the host, such as registry keys that were set, modified, or deleted.
  • Process Activity—Lists the files that started a parent process, the process name, and the action the process performed.
  • File—Lists the files that started a child process, the process name, and the action the process performed.
  • Mutex—If the sample file creates other program threads, the mutex name and the parent process are logged in this field.
  • Activity Timeline—Provides a play-by-play list of all recorded activity of the sample. This will help in understanding the sequence of events that occurred during the analysis.
    The activity timeline information is only available in the PDF export of the WildFire reports.
Submit Malware
Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud then re-analyzes the sample and generates signatures if it determines that the sample is malicious. This is useful on a WildFire appliance that does not have signature generation or cloud intelligence enabled, because it provides a way to forward malware from the appliance to the WildFire cloud.
Report an Incorrect Verdict
Click this link to submit the sample to the Palo Alto Networks threat team if you believe the verdict is a false positive or a false negative. The threat team performs further analysis on the sample to determine whether it should be reclassified. If a sample classified as malware is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update; if a sample classified as benign is determined to be malicious, a new signature is generated. After the investigation is complete, you receive an email describing the action that was taken.
