Advanced WildFire Powered by Precision AI™
File Analysis
A Palo Alto Networks firewall configured with a WildFire analysis
profile forwards samples for Advanced WildFire analysis based on
file type (including email links). Additionally, the firewall decodes
files that have been encoded or compressed up to four times (such
as files in ZIP format); if the decoded file matches Advanced WildFire
Analysis profile criteria, the firewall forwards the decoded file
for analysis.
The Advanced WildFire analysis capabilities can also be enabled
on the firewall to provide inline antivirus protection. The Advanced
WildFire inline ML option present in the Antivirus profiles enables
the firewall dataplane to apply machine learning analysis on PE
and ELF files as well as PowerShell scripts in real time. Each inline
ML model dynamically detects malicious files of a specific type
by evaluating file details, including decoder fields and patterns,
to formulate a high probability classification of a file. This protection
extends to currently unknown as well as future variants of threats
that match characteristics that Palo Alto Networks has identified
as malicious. To keep up with the latest changes in the threat landscape, inline
ML models are added or updated via content releases. See Advanced WildFire Inline ML for more
information.
The Advanced WildFire cloud is also capable of analyzing certain
file types which are used as secondary payloads as part of multi-stage
PE, APK, and ELF malware packages. Analysis of secondary payloads
can provide additional coverage to disrupt sophisticated attacks
by advanced threats. These advanced threats operate by executing
code that activates additional malicious payloads, including those
designed to assist in the circumvention of security measures as
well as facilitate proliferation of the primary payload. Advanced
WildFire analyzes the multi-stage threats by processing them in
static and dynamic analysis environments. Files referenced by multi-stage
malware are treated independently during analysis; as a result,
verdicts and protections are delivered as soon as they finish for
each file. The overall verdict for the multi-stage file is determined
based on a threat assessment of malicious content found in all analyzed
stages of the attack. Any malicious content discovered during analysis
of the multi-stage file immediately marks the file as malicious.
Organizations with safe-handling procedures for malicious content
can manually submit password-protected samples using the RAR format through
the API or WildFire portal. When the Advanced WildFire cloud receives
a sample that has been encrypted using the password infected or virus,
the Advanced WildFire cloud decrypts and analyzes the archive file.
You can view the verdict and analysis results for the file in the
format in which it was received (in this case, an archive).
While the firewall can forward all the file types listed below,
Advanced WildFire analysis support can vary depending on the Advanced
WildFire cloud to which you submit samples. Review Advanced
WildFire File Type Support to learn more.
| File Types Supported for WildFire Forwarding | Description |
|---|---|
| apk | Android Application Package (APK) files. DEX files contained within APK files are analyzed as part of the APK file analysis. |
| flash | Adobe Flash applets and Flash content embedded in web pages. |
| jar | Java applets (JAR/class file types). |
| ms-office | Files used by Microsoft Office, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), PowerPoint (PPT, PPTX) presentations, and Office Open XML (OOXML) 2007+ documents. Internet Query (IQY) and Symbolic Link (SLK) files are supported with content version 8462. |
| pe | Portable Executable (PE) files. PEs include executable files, object code, DLLs, FON (fonts), and LNK files. MSI files are supported with content version 8462. A subscription is not required to forward PE files for WildFire analysis, but is required for all other supported file types. |
| pdf | Portable Document Format (PDF) files. |
| MacOSX | Various file types used by the macOS platform. Static analysis of DMG, PKG, and ZBundle files is only available in the Advanced WildFire Global (U.S.) and Europe Cloud regions; static analysis for other Mac OS X files (fat and macho) is supported across all regional clouds. Dynamic analysis for all MacOSX files is only supported in the Advanced WildFire Global (U.S.) and Europe Cloud regions. Refer to File Type Support for more information. |
| email-link | HTTP/HTTPS links contained in SMTP and POP3 email messages. See Email Link Analysis. |
| archive | Roshal Archive (RAR) and 7-Zip (7z) archive files. Multi-volume archives that are split into several smaller files cannot be submitted for analysis. Only RAR files encrypted with the password infected or virus are decrypted and analyzed by the Advanced WildFire cloud. While the firewall is capable of forwarding supported files contained within ZIP archives after they have been decoded, it cannot forward complete ZIP files in their encoded state. If you want to submit complete ZIP files, you can manually upload a ZIP file using the WildFire portal or through the WildFire API. |
| linux | Executable and Linkable Format (ELF) files. |
| script | Various script files. |
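The decode-then-forward behaviour described at the top of this page (ZIP containers unwrapped up to four times, the decoded file forwarded when it matches a supported type) and the forwarding categories in the table above can be modelled in a few lines. The following Python is an added example, not Palo Alto Networks code and not a description of how the firewall actually implements this; the leading-byte signature table, the heuristics that recognize ZIP-based formats (APK, JAR, OOXML) as files in their own right rather than containers to unwrap, the category strings, and the `MAX_DECODE_DEPTH` constant are all assumptions for illustration. The sample archive it inspects is constructed inline, with fake PE, ELF and PDF headers, so it runs offline.

```python
"""Added illustration (not Palo Alto Networks code) of the decode-then-forward
decision described on this page: a blob is classified by its leading bytes,
plain ZIP containers are unwrapped up to MAX_DECODE_DEPTH times, and every
decoded member matching a forwarding category is reported.  The signature
table, the ZIP container heuristics and the depth constant are assumptions."""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

MAX_DECODE_DEPTH = 4  # assumption: models "encoded or compressed up to four times"

# Assumed leading-byte signatures mapped to the forwarding categories in the table.
MAGIC = [
    (b"MZ", "pe"),                                       # PE: EXE, DLL, ...
    (b"\x7fELF", "linux"),                               # ELF
    (b"%PDF", "pdf"),
    (b"Rar!\x1a\x07", "archive"),                        # RAR
    (b"7z\xbc\xaf\x27\x1c", "archive"),                  # 7-Zip
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ms-office"),  # legacy OLE2 DOC/XLS/PPT
]
ZIP_MAGIC = b"PK\x03\x04"

Forward = Tuple[str, str, int]  # (path inside the sample, category, decodes needed)


def classify(data: bytes) -> Optional[str]:
    """Return the forwarding category for a non-ZIP blob, or None if unsupported."""
    for magic, category in MAGIC:
        if data.startswith(magic):
            return category
    return None


def classify_zip(zf: zipfile.ZipFile) -> Optional[str]:
    """ZIP-based formats (APK, JAR, OOXML) are forwarded whole, not unwrapped.
    Assumed heuristics: a member name each of those formats always carries."""
    names = set(zf.namelist())
    if "AndroidManifest.xml" in names or "classes.dex" in names:
        return "apk"
    if "[Content_Types].xml" in names:
        return "ms-office"  # DOCX/XLSX/PPTX (OOXML)
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    return None  # plain ZIP container: look at its members instead


def plan_forwarding(path: str, data: bytes, depth: int = 0) -> List[Forward]:
    """Decide what would be forwarded for `data`, which has already been decoded
    `depth` times.  Plain ZIP containers are unwrapped while depth < MAX_DECODE_DEPTH;
    anything nested deeper stays in its encoded state, as the page says the
    firewall decodes at most four layers."""
    category = classify(data)
    if category:
        return [(path, category, depth)]
    if not data.startswith(ZIP_MAGIC):
        return []  # e.g. plain text: not a supported type, nothing to forward
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    category = classify_zip(zf)
    if category:
        return [(path, category, depth)]
    if depth >= MAX_DECODE_DEPTH:
        return []  # a fifth decode would be needed: left as-is
    forwards: List[Forward] = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        try:
            member = zf.read(info)
        except RuntimeError:
            # Password-protected member: cannot be decoded here.  The page's route
            # for such samples is a manual portal/API upload of the whole archive.
            continue
        forwards.extend(plan_forwarding(f"{path}/{info.filename}", member, depth + 1))
    return forwards


def _zip_bytes(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (test-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed input: a ZIP holding a fake ELF, a text file, a ZIP around a
    fake PE, and a chain of ZIPs with one PDF reachable after exactly four
    decodes and another that would need a fifth."""
    fake_pe = b"MZ" + b"\x00" * 62
    fake_elf = b"\x7fELF" + b"\x00" * 60
    fake_pdf = b"%PDF-1.7\n%%EOF\n"
    c_zip = _zip_bytes({"ok.pdf": fake_pdf, "d.zip": _zip_bytes({"toodeep.pdf": fake_pdf})})
    a_zip = _zip_bytes({"b.zip": _zip_bytes({"c.zip": c_zip})})
    return _zip_bytes({
        "tool": fake_elf,
        "README.txt": b"nothing to forward here\n",
        "inner.zip": _zip_bytes({"setup.exe": fake_pe}),
        "a.zip": a_zip,
    })


if __name__ == "__main__":
    for path, category, depth in plan_forwarding("sample.zip", build_sample()):
        print(f"{path}: forward as {category} (decoded {depth}x)")
```

Running it reports the ELF after one decode, the PE after two, and `ok.pdf` after four; `toodeep.pdf` is never reached because its container sits at the depth limit, and the text file is skipped because no category matches. The depth value attached to each result is what a practitioner would log alongside the forwarding decision when reconciling firewall submissions against portal verdicts.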