WildFire Analysis Reports—Close Up
WildFire analysis reports display detailed sample information, as well as information on targeted users, email header information (if enabled), the application that delivered the file, and all URLs involved in the delivery or phone-home activity of the file. WildFire reports contain some or all of the information described in the following table based on the session information configured on the firewall that forwarded the file and depending on the observed behavior for the file.
When viewing a WildFire report for a file that was manually uploaded to the WildFire portal or by using the WildFire API, the report will not show session information because the traffic did not traverse the firewall. For example, the report would not show the Attacker/Source and Victim/Destination.
Virus Totallink to view endpoint antivirus coverage information for samples that have already been identified by other vendors. If the file has never been seen by any of the listed vendors, file not found appears.
In addition, when the report is rendered on the firewall, up-to-date information about what signature and URL filtering coverage that Palo Alto Networks currently provides to protect against the threat will also be displayed in this section. Because this information is retrieved dynamically, it will not appear in the PDF report.
The following coverage information is provided for active signatures:
Contains session information based on the traffic as it traversed the firewall that forwarded the sample. To define the session information that WildFire will include in the reports, select
Session Information Settings
The following options are available:
By default, session information includes the field Status, which indicates if the firewall allowed or blocked the sample.
Files analyzed using bare metal are shown as a virtual machine configuration under dynamic analysis.
If a file is low risk and WildFire can easily determine that it is safe, only static analysis is performed on the file, instead of dynamic or bare metal analysis.
When dynamic or bare metal analysis is performed, this section contains tabs showing analysis results for each environment type that the sample was run in. For example, the Virtual Machine 1 tab might show an analysis environment operating Windows XP, Adobe Reader 9.3.3, and Office 2003 and Virtual Machine 3 might have similar attributes, but running in a bare metal environment. Samples are analyzed using bare metal in addition to dynamic analysis if it displays characteristics of an advanced VM-aware threat.
On the WildFire appliance, only one virtual machine is used for the analysis, which you select based on analysis environment attributes that best match your local environment. For example, if most users have Windows 7 32-bit, that virtual machine would be selected.
Each Virtual Machine tab summarizes the behavior of the sample file in the specific environment. Examples include whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects.
The Severity column indicates the severity of each behavior. The severity gauge will show one bar for low severity and additional bars for higher severity levels. This information is also added to the dynamic and static analysis sections.
The following describes the various behaviors that are analyzed:
Use this option to manually submit the sample to Palo Alto Networks. The WildFire cloud will then re-analyze the sample and generate a signatures if it determines that the sample is malicious. This is useful on a WildFire appliance that does not have signature generation or cloud intelligence enabled, which is used to forward malware from the appliance to the WildFire cloud.
Report an Incorrect Verdict
Click this link to submit the sample to the Palo Alto Networks threat team if you feel the verdict is a false positive or false negative. The threat team will perform further analysis on the sample to determine if it should be reclassified. If a malware sample is determined to be safe, the signature for the file is disabled in an upcoming antivirus signature update or if a benign file is determined to be malicious, a new signature is generated. After the investigation is complete, you will receive an email describing the action that was taken.
Recommended For You
Recommended videos not found.