MSI, IQY, and SLK File Analysis
Palo Alto Networks firewalls can now forward MSI, IQY, and SLK files to the WildFire global cloud for analysis. To enable forwarding of these file types from the firewall, download and install the latest PAN-OS content release: Applications and Threats content release 8462 allows firewalls running PAN-OS 8.1 and later to forward MSI, IQY, and SLK files to the WildFire cloud for analysis. For more information about the update, refer to the Applications and Threats Content Release Notes. To download the release notes, log in to the Palo Alto Networks Support Portal, click Dynamic Updates, and select the release notes listed under Apps + Threats.
WildFire now supports firewall forwarding of MSI (Microsoft Installer) packages, as well as IQY (Excel Web Query) and SLK (Symbolic Link, SYLK) spreadsheet files, to the WildFire cloud (all regions) for analysis. On the firewall, MSI files fall under the pe file type and IQY and SLK files under the ms-office file type. IQY files instruct Excel to fetch content from a URL when they are opened, and SLK files can carry spreadsheet formulas, which is why both formats are used as delivery vehicles for script-based attacks. The WildFire public cloud analyzes .MSI, .IQY, and .SLK files with static and dynamic analysis and assigns each a verdict. WildFire uses the analysis results to generate and distribute C2 and DNS signatures, which DNS Security and URL Filtering use to prevent script-based attacks. To ensure that you are protected from the latest threats, always keep your firewalls up to date with the latest content and software updates from Palo Alto Networks.
- The WildFire appliance does not support MSI, IQY, and SLK file analysis at this time.
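The following script is an added illustration, not code from the Palo Alto Networks documentation or from PAN-OS. It identifies the three formats from file content rather than from the file extension, and pulls out the pieces an analyst looks at first: the URL that an IQY file makes Excel fetch, and SYLK cell records whose expression field calls a function such as EXEC. The MSI case only checks the OLE compound file (CFBF) container header, which legacy Office files share, so it reports the container rather than claiming MSI specifically. All sample inputs are constructed for the example; the regular expression for SYLK records and the list of risky functions are this example's own choices.

```python
"""Content-based identification of MSI, IQY and SLK files (added example).

Signatures used:
  MSI  - OLE compound file (CFBF) header D0 CF 11 E0 A1 B1 1A E1.  Legacy
         Office files share this container, so the result is reported as
         "cfbf" rather than asserting MSI.
  IQY  - text whose first line is WEB, then a version line, then the URL
         that Excel fetches when the file is opened.
  SLK  - SYLK text: first record starts with ID; and cells are C; records
         whose E field holds an expression (formula).
"""
import re

CFBF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# A SYLK cell record with an expression field, e.g. C;Y1;X1;EEXEC("calc.exe").
# Approximation for this example: a ';' inside the expression is tolerated
# by backtracking, but a value field containing ';E' could be misread.
SLK_FORMULA = re.compile(r"^C;(?:[^;]*;)*E(?P<expr>.*)$")

# Function names whose presence in a formula warrants a closer look
# (example's own list, not a PAN-OS or WildFire signature).
RISKY_FUNCS = ("EXEC", "CALL", "REGISTER", "SHELL", "DDE")

# Constructed inputs for the example; none is a real sample.
SAMPLES = {
    "installer.msi": CFBF_MAGIC + b"\x00" * 24,
    "quote.iqy": b"WEB\r\n1\r\nhttp://example.test/payload.dat\r\n",
    "sheet.slk": (b'ID;PWXL;N;E\r\n'
                  b'C;Y1;X1;EEXEC("calc.exe")\r\n'
                  b'C;Y2;X1;K"hello"\r\n'
                  b'E\r\n'),
}


def identify(data: bytes) -> dict:
    """Return {'type': 'cfbf'|'iqy'|'slk'|'unknown', 'iocs': [...]}."""
    if data.startswith(CFBF_MAGIC):
        return {"type": "cfbf", "iocs": []}  # MSI or legacy OLE Office file
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return {"type": "unknown", "iocs": []}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].upper() == "WEB":
        # Excel downloads the URL line when the query file is opened.
        urls = [ln for ln in lines[1:] if re.match(r"(?i)https?://", ln)]
        return {"type": "iqy", "iocs": urls}
    if lines and lines[0].startswith("ID;"):
        iocs = []
        for ln in lines:
            m = SLK_FORMULA.match(ln)
            if m and any(f in m.group("expr").upper() for f in RISKY_FUNCS):
                iocs.append(m.group("expr"))
        return {"type": "slk", "iocs": iocs}
    return {"type": "unknown", "iocs": []}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, identify(blob))
```

Run the script as-is to see the three constructed samples classified; pass real files to identify() to triage a mailbox or share before (or while) the firewall forwards them to WildFire.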
To forward MSI or IQY/SLK files for analysis, the WildFire Analysis profile on the firewall must be configured to forward the pe file type (for MSI files) or the ms-office file type (for IQY and SLK files). Select Any to forward all supported unknown files to the WildFire public cloud; with content release 8462 installed, Any includes the three new file types. If samples do not appear under WildFire Submissions, also check the per-file-type size limits under Device > Setup > WildFire, because files above the pe or ms-office limit are not forwarded.
- Enable file type forwarding.
  - Select Objects > Security Profiles > WildFire Analysis and Add or modify a profile to define the traffic to forward for WildFire analysis.
  - Add or modify a profile rule, select File Type, and set the rule to forward Any file type. Alternatively, specify pe for MSI files or ms-office for IQY and SLK files if you want to forward only a specific file type. Profile rules with the file type set to Any forward all supported file types for WildFire analysis.
  - Select Destination and set the profile rule to forward the files to the public-cloud.
  - Click OK to save the new or modified WildFire Analysis profile.
- Attach the WildFire Analysis profile to a security policy rule. Traffic matched to the policy rule is forwarded for WildFire analysis.
  - Select Policies > Security and Add or modify a security policy rule.
  - Select Actions and set the Profile Type to Profiles.
  - Select the newly created WildFire Analysis profile.
  - Click OK to save the security policy rule. For detailed steps to configure a WildFire Analysis profile and to attach the profile to a security policy rule, see Forward Files for WildFire Analysis.
- Select Monitor > WildFire Submissions to find WildFire verdicts and analysis reports for files that the firewall has submitted.
You can also submit files directly to the WildFire public cloud for analysis from the WildFire portal and through the WildFire API:
- Manually submit files to the WildFire public cloud for analysis, then view the WildFire sample analysis report and verdict (malware, grayware, or benign) on the WildFire portal.
- Use the WildFire API to submit files to the WildFire public cloud and to retrieve verdicts and analysis reports for them. You can also specify a target analysis environment when you retrieve a packet capture through the WildFire API.
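The client below is an added example, not Palo Alto Networks' own tooling: it uploads a sample with the WildFire public API and then polls for its verdict, which is how an MSI, IQY, or SLK file found outside the firewall's traffic path can still be analyzed. It assumes the global cloud host wildfire.paloaltonetworks.com (regional clouds use their own host, so the host is a parameter), an API key in the WILDFIRE_API_KEY environment variable, the documented endpoints /publicapi/submit/file and /publicapi/get/verdict, and the documented verdict codes (0 benign, 1 malware, 2 grayware, 4 phishing, -100 pending, -101 error, -102 unknown, -103 invalid hash). The multipart encoding is hand-rolled so the script needs only the standard library.

```python
"""Submit a sample to the WildFire public cloud and poll for its verdict.

Added example, not Palo Alto Networks code.  Assumes WILDFIRE_API_KEY in
the environment and the public-API endpoints named in the lead-in.
"""
import hashlib
import os
import sys
import time
import urllib.request
import uuid
import xml.etree.ElementTree as ET

DEFAULT_HOST = "https://wildfire.paloaltonetworks.com"  # global cloud

# Verdict codes returned by /publicapi/get/verdict.
VERDICTS = {
    0: "benign",
    1: "malware",
    2: "grayware",
    4: "phishing",
    -100: "pending",      # sample known, analysis not finished yet
    -101: "error",
    -102: "unknown",      # sample never seen; submit it first
    -103: "invalid hash",
}


def parse_verdict(xml_text: str) -> tuple:
    """Return (sha256, code, label) from a get/verdict XML response."""
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("no <get-verdict-info> element in response")
    code = int(info.findtext("verdict", "-101"))
    return info.findtext("sha256", ""), code, VERDICTS.get(code, "unrecognized")


def _post_form(url: str, fields: dict, file_path: str = None) -> str:
    """Minimal multipart/form-data POST using only urllib."""
    boundary = uuid.uuid4().hex
    body = bytearray()
    for name, value in fields.items():
        body += (f"--{boundary}\r\nContent-Disposition: form-data; "
                 f'name="{name}"\r\n\r\n{value}\r\n').encode()
    if file_path:
        with open(file_path, "rb") as fh:
            data = fh.read()
        body += (f"--{boundary}\r\nContent-Disposition: form-data; "
                 f'name="file"; filename="{os.path.basename(file_path)}"\r\n'
                 "Content-Type: application/octet-stream\r\n\r\n").encode()
        body += data + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    req = urllib.request.Request(url, data=bytes(body), headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()


def submit_file(path: str, api_key: str, host: str = DEFAULT_HOST) -> str:
    """Upload a sample; return its SHA-256 for the later verdict lookup."""
    _post_form(f"{host}/publicapi/submit/file", {"apikey": api_key}, path)
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def poll_verdict(sha256: str, api_key: str, host: str = DEFAULT_HOST,
                 fetch=None, attempts: int = 20, delay: float = 15.0) -> tuple:
    """Poll get/verdict until the sample leaves the pending state.

    fetch(url, fields) is injectable so the loop can run without network
    access; by default it performs the real POST.
    """
    fetch = fetch or (lambda url, fields: _post_form(url, fields))
    result = (sha256, -100, "pending")
    for _ in range(attempts):
        result = parse_verdict(fetch(f"{host}/publicapi/get/verdict",
                                     {"apikey": api_key, "hash": sha256}))
        if result[1] != -100:
            break
        time.sleep(delay)
    return result


if __name__ == "__main__":
    key = os.environ["WILDFIRE_API_KEY"]
    digest = submit_file(sys.argv[1], key)
    print("submitted", digest)
    print(poll_verdict(digest, key))
```

Usage: `WILDFIRE_API_KEY=... python wf_submit.py suspicious.slk`. A verdict of -102 (unknown) for a hash you did not upload means WildFire has never seen the file; submit it rather than polling again.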