The following example scenario summarizes the full WildFire™ lifecycle. In this example, a sales representative from Palo Alto Networks downloads a new software sales tool that a sales partner uploaded to Dropbox. The sales partner unknowingly uploaded an infected version of the sales tool installer, and the sales rep then downloads the infected file.
This example demonstrates how a Palo Alto Networks firewall, in conjunction with WildFire, can discover zero-day malware downloaded by an end user, even when the traffic is SSL encrypted. After WildFire identifies the malware, a log is sent to the firewall, and the firewall alerts the administrator, who then contacts the user to eradicate the malware. WildFire then generates a new signature for the malware, and firewalls with a Threat Prevention or WildFire subscription automatically download the signature to protect against future exposure. Although some file sharing websites have an antivirus feature that checks files as they are uploaded, such features can only protect against known malware.
- The sales person from the partner company uploads a sales tool file named sales-tool.exe to his Dropbox account and then sends an email to the Palo Alto Networks sales person with a link to the file.
- The Palo Alto sales person receives the email from the sales partner and clicks the download link, which takes her to the Dropbox site. She then clicks Download to save the file to her desktop.
- The firewall that is protecting the Palo Alto sales rep has a WildFire Analysis profile rule attached to a security policy rule that looks for files in any application that is used to download or upload any of the supported file types. The firewall can also be configured to forward the email-link file type, which enables the firewall to extract HTTP/HTTPS links contained in SMTP and POP3 email messages. As soon as the sales rep clicks Download, the firewall forwards the sales-tool.exe file to WildFire, where the file is analyzed for zero-day malware. Even though the sales rep is using Dropbox, which is SSL encrypted, the firewall is configured to decrypt traffic, so all traffic can be inspected. The following screenshots show the WildFire Analysis profile rule, the security policy rule configured with the WildFire Analysis profile rule attached, and the option to allow forwarding of decrypted content enabled.
- At this point, WildFire has received the file and is analyzing it for more than 200 different malicious behaviors.
- Within approximately five minutes, WildFire completes the file analysis and sends a WildFire log back to the firewall with the analysis results. In this example, the WildFire log shows that the file is malicious.
- The firewall is configured with a log forwarding profile that will send WildFire alerts to the security administrator when malware is discovered.
- The security administrator identifies the user by name (if User-ID is configured), or by IP address if User-ID is not enabled. At this point, the administrator can shut down the network or VPN connection that the sales representative is using and will then contact the desktop support group to work with the user to check and clean the system. By using the WildFire detailed analysis report, the desktop support person can determine if the user system is infected with malware by looking at the files, processes, and registry information detailed in the WildFire analysis report. If the user ran the malware, the support person can attempt to clean the system manually or re-image it.
- Now that the administrator has identified the malware and the user system is being checked, how do you protect from future exposure? Answer: In this example, the administrator set a schedule on the firewall to download and install WildFire signatures every 15 minutes and to download and install Antivirus updates once per day. In less than an hour and a half after the sales rep downloaded the infected file, WildFire identified the zero-day malware, generated a signature, added it to the WildFire update signature database provided by Palo Alto Networks, and the firewall downloaded and installed the new signature. This firewall and any other Palo Alto Networks firewall configured to download WildFire and antivirus signatures is now protected against this newly discovered malware. The following screenshot shows the WildFire update schedule. All of this occurs well before most antivirus vendors are even aware of the zero-day malware. In this example, within a very short period of time, the malware is no longer considered zero-day because Palo Alto Networks has already discovered it and has provided protection to customers to prevent future exposure.
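The alerting and user-identification steps above, as an added example that is not part of the original page or of any Palo Alto Networks product code: a small script that reads constructed WildFire verdict records (a simplified CSV layout assumed here, not the native PAN-OS log format), keeps only malicious verdicts, names the user when User-ID supplied one and falls back to the source IP otherwise, and reports how long analysis took.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records; the column layout is an assumption for this
# example and is not the PAN-OS WildFire Submissions log format.
SAMPLE_LOG = """\
submit_time,verdict_time,src_ip,src_user,app,file_name,verdict
2024-05-01 09:02:10,2024-05-01 09:07:30,10.1.20.45,acme\\jdoe,dropbox,sales-tool.exe,malicious
2024-05-01 09:05:00,2024-05-01 09:09:12,10.1.20.77,,ssl,quarterly.pdf,benign
2024-05-01 09:10:41,2024-05-01 09:15:11,10.1.20.91,,web-browsing,setup.exe,malicious
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Alert:
    who: str              # user name if User-ID resolved one, else source IP
    file_name: str
    app: str
    analysis_minutes: float


def malicious_alerts(log_text: str) -> list[Alert]:
    """Return one Alert per record whose WildFire verdict is 'malicious'."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["verdict"].strip().lower() != "malicious":
            continue  # benign/grayware verdicts need no admin alert here
        # Identify the user by name when User-ID filled src_user; otherwise
        # the only handle the firewall has is the source IP address.
        who = row["src_user"].strip() or row["src_ip"].strip()
        submitted = datetime.strptime(row["submit_time"], TIME_FMT)
        verdict_at = datetime.strptime(row["verdict_time"], TIME_FMT)
        minutes = round((verdict_at - submitted).total_seconds() / 60, 1)
        alerts.append(Alert(who, row["file_name"], row["app"], minutes))
    return alerts


if __name__ == "__main__":
    for a in malicious_alerts(SAMPLE_LOG):
        print(f"ALERT: {a.who} downloaded {a.file_name} via {a.app}; "
              f"verdict returned after {a.analysis_minutes} min")
```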