Batch File Analysis
To use this feature, be sure to download and install the latest PAN-OS content release. PAN-OS Applications and Threats content release 8168 enables firewalls operating PAN-OS 8.1 and later to forward script files to the WildFire cloud for analysis. For more information about the update, refer to the Applications and Threats Content Release Notes.
To download the release notes, log in to the Palo Alto Networks Support Portal, click Dynamic Updates, and select the release notes listed under Apps + Threats.
Script sample support has been expanded to include .bat (batch) files. As with all other currently supported script file types (JScript [.js], VBScript [.vbs], and PowerShell Script [.ps1]), the WildFire public cloud can now analyze and classify batch files with verdicts using static and dynamic analysis. When a malicious batch file is discovered, the WildFire cloud generates and distributes C2 and DNS signatures to firewalls to prevent successful attacks. To ensure that you are protected from the latest threats, always keep your firewalls up to date with the latest content and software updates from Palo Alto Networks.
- The WildFire appliance does not support batch file analysis at this time.
- Only firewalls operating PAN-OS 8.1 and later can forward scripts to the WildFire public cloud.
To forward script files for analysis, the WildFire Analysis profile on the firewall must be configured to forward the script file type or Any unknown files to the WildFire public cloud.
- Enable file type forwarding.
  - Select Objects > Security Profiles > WildFire Analysis and Add or modify a profile to define traffic to forward for WildFire analysis.
  - Add or modify a profile rule, select File Type, and set the rule to forward the new Any file type. You can also specify the script file type if you want to forward only scripts. Profile rules with the file type set to Any forward all file types for WildFire analysis.
  - Select Destination and set the profile rule to forward the files to the public-cloud.
  - Click OK to save the new or modified WildFire Analysis profile.
- Attach the WildFire Analysis profile to a security policy rule—traffic matched to the policy rule is forwarded for WildFire analysis.
  - Select Policies > Security and Add or modify a security policy rule.
  - Select Actions and set the Profile Type to Profiles.
  - Select the newly created WildFire Analysis profile.
  - Click OK to save the security policy rule.
- Select Monitor > WildFire Submissions to find WildFire verdicts and analysis reports for script files that have been submitted by the firewall.
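The same profile and policy change can be made without the web interface through the PAN-OS XML API. The following Python is an added example written for this page, not Palo Alto Networks code: it builds the two `type=config&action=set` requests that correspond to the steps above (a WildFire Analysis profile whose rule forwards the `any` or `script` file type to `public-cloud`, and the profile-setting that attaches it to a security rule). The xpath prefix, the config element names, the profile and rule names, and the API key are assumptions drawn from the usual PAN-OS single-vsys configuration layout; nothing is sent to a firewall, and a commit would still be needed afterwards.

```python
"""Build PAN-OS XML API 'set' requests for a WildFire Analysis profile.

Added example; the xpaths and element structure below are assumptions
based on the common single-vsys PAN-OS config schema, not text from the
page.  The functions only construct request query strings; they do not
contact a firewall.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Assumed xpath prefix for a single-vsys firewall.
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")


def wildfire_profile_element(profile_name: str, rule_name: str,
                             file_type: str = "any",
                             analysis: str = "public-cloud") -> ET.Element:
    """<entry> for a WildFire Analysis profile with one rule that forwards
    `file_type` ("any" forwards everything, "script" only scripts) to the
    chosen analysis destination."""
    if file_type not in ("any", "script"):
        raise ValueError("this example only handles file_type 'any' or 'script'")
    if analysis not in ("public-cloud", "private-cloud"):
        raise ValueError("unsupported analysis destination")
    entry = ET.Element("entry", name=profile_name)
    rules = ET.SubElement(entry, "rules")
    rule = ET.SubElement(rules, "entry", name=rule_name)
    ET.SubElement(ET.SubElement(rule, "application"), "member").text = "any"
    ET.SubElement(ET.SubElement(rule, "file-type"), "member").text = file_type
    ET.SubElement(rule, "direction").text = "both"      # upload and download
    ET.SubElement(rule, "analysis").text = analysis     # Destination step
    return entry


def profile_setting_element(profile_name: str) -> ET.Element:
    """<profile-setting> that attaches the WildFire Analysis profile to a
    security rule (Actions > Profile Type = Profiles in the GUI)."""
    ps = ET.Element("profile-setting")
    wf = ET.SubElement(ET.SubElement(ps, "profiles"), "wildfire-analysis")
    ET.SubElement(wf, "member").text = profile_name
    return ps


def set_request(xpath: str, element: ET.Element, api_key: str) -> str:
    """Query string for one XML API config 'set' call (not sent here)."""
    return urlencode({
        "type": "config",
        "action": "set",
        "key": api_key,
        "xpath": xpath,
        "element": ET.tostring(element, encoding="unicode"),
    })


def build_requests(profile_name: str, rule_name: str, security_rule: str,
                   api_key: str, file_type: str = "any") -> list:
    """The two requests a script would issue, in order: create the profile,
    then reference it from the existing security rule `security_rule`."""
    profile_xpath = f"{VSYS_XPATH}/profiles/wildfire-analysis"
    rule_xpath = (f"{VSYS_XPATH}/rulebase/security/rules"
                  f"/entry[@name='{security_rule}']")
    return [
        set_request(profile_xpath,
                    wildfire_profile_element(profile_name, rule_name, file_type),
                    api_key),
        set_request(rule_xpath, profile_setting_element(profile_name), api_key),
    ]


if __name__ == "__main__":
    # Hypothetical names; API key is a placeholder.
    for q in build_requests("wf-forward-any", "forward-all", "allow-web",
                            "EXAMPLE-API-KEY"):
        print(q)
```

Each returned string is the body of a POST to `https://<firewall>/api/`; apply both, then commit. Leaving the file type at `any` matches the page's recommendation, since a rule restricted to `script` would not forward the other supported types.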
You can submit script files directly to the WildFire public cloud for analysis from the WildFire portal as well as the WildFire API:
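For the API route, the following Python is an added example written for this page, not Palo Alto Networks code. It submits a constructed, harmless batch file to the WildFire public cloud `submit/file` endpoint, then polls `get/verdict` with the returned SHA-256 until the verdict is no longer pending, checking that the hash the cloud echoes back matches the bytes actually sent. The endpoint paths and verdict codes are taken from the public WildFire API as I know it and should be checked against the current API reference; the HTTP sender is injectable, and the `FakeWildFire` class is a constructed stand-in so the block runs offline. `requests_sender` shows the real transport using the third-party `requests` library.

```python
"""Submit a script file to the WildFire public cloud API and poll its verdict.

Added example (stdlib only).  Endpoint paths and verdict codes are from
the public WildFire API as I know it; treat them as assumptions to verify.
`send(url, fields, files)` is an injectable transport so the demo runs
offline against the constructed FakeWildFire below.
"""
import hashlib
import xml.etree.ElementTree as ET

WILDFIRE_HOST = "https://wildfire.paloaltonetworks.com"   # public cloud
SUBMIT_URL = f"{WILDFIRE_HOST}/publicapi/submit/file"
VERDICT_URL = f"{WILDFIRE_HOST}/publicapi/get/verdict"

# Integer verdict codes returned by get/verdict (assumed from the API docs).
VERDICTS = {0: "benign", 1: "malware", 2: "grayware", 4: "phishing",
            -100: "pending", -101: "error", -102: "unknown",
            -103: "invalid hash"}

# Constructed, harmless sample and its digest (used by the offline demo).
SAMPLE_BAT = b"@echo off\r\necho hello from a constructed sample\r\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BAT).hexdigest()


def submit_file(send, api_key: str, filename: str, data: bytes) -> str:
    """Upload the sample; return the sha256 WildFire reports for it."""
    body = send(SUBMIT_URL, {"apikey": api_key}, {"file": (filename, data)})
    sha = ET.fromstring(body).findtext("upload-file-info/sha256")
    if sha is None:
        raise RuntimeError("submit response did not contain a sha256")
    # Guard against tracking the wrong sample later on.
    if sha.lower() != hashlib.sha256(data).hexdigest():
        raise RuntimeError("sha256 in response does not match uploaded bytes")
    return sha.lower()


def get_verdict(send, api_key: str, sha256: str) -> str:
    """Look up the verdict for a hash and map the code to a label."""
    body = send(VERDICT_URL, {"apikey": api_key, "hash": sha256}, {})
    code = int(ET.fromstring(body).findtext("get-verdict-info/verdict"))
    return VERDICTS.get(code, f"unrecognised code {code}")


def analyze(send, api_key: str, filename: str, data: bytes,
            max_polls: int = 10, sleep=lambda seconds: None):
    """Submit, then poll until the verdict leaves 'pending' or polls run out."""
    sha = submit_file(send, api_key, filename, data)
    for _ in range(max_polls):
        verdict = get_verdict(send, api_key, sha)
        if verdict != "pending":
            return sha, verdict
        sleep(5)   # analysis takes time; back off between polls
    return sha, "pending"


def requests_sender(url, fields, files):
    """Real transport (pip install requests); not used by the offline demo."""
    import requests
    return requests.post(url, data=fields, files=files, timeout=60).content


class FakeWildFire:
    """Constructed stand-in: echoes the sha256 of what it received and answers
    the first verdict poll with 'pending', then with `final_code`."""

    def __init__(self, final_code: int = 1):
        self.final_code = final_code
        self.polls = 0

    def __call__(self, url, fields, files):
        if url == SUBMIT_URL:
            name, data = files["file"]
            sha = hashlib.sha256(data).hexdigest()
            return (f"<wildfire><upload-file-info><filename>{name}</filename>"
                    f"<sha256>{sha}</sha256></upload-file-info></wildfire>"
                    ).encode()
        if url == VERDICT_URL:
            self.polls += 1
            code = -100 if self.polls == 1 else self.final_code
            return (f"<wildfire><get-verdict-info><sha256>{fields['hash']}"
                    f"</sha256><verdict>{code}</verdict></get-verdict-info>"
                    f"</wildfire>").encode()
        raise ValueError(f"unexpected url {url}")


if __name__ == "__main__":
    sha, verdict = analyze(FakeWildFire(final_code=1), "EXAMPLE-API-KEY",
                           "sample.bat", SAMPLE_BAT)
    print(sha, verdict)
```

Swap `FakeWildFire(...)` for `requests_sender` and a real API key to query the public cloud; verdicts for samples the firewall forwarded on its own are visible under Monitor > WildFire Submissions, so the API is mostly useful for samples collected elsewhere, for example from an endpoint during an investigation.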