MSI, IQY, and SLK File Analysis

Palo Alto Networks firewalls can now forward MSI, IQY, and SLK files to the WildFire global cloud for analysis.
To enable forwarding of MSI, IQY, and SLK files from the firewall, be sure to download and install the latest PAN-OS content release. PAN-OS Applications and Threats content release 8462 allows firewalls operating PAN-OS 8.1 and later to forward MSI, IQY, and SLK files to the WildFire cloud for analysis. For more information about the update, refer to the Applications and Threat Content Release Notes.
To download the release notes, log in to the Palo Alto Networks Support Portal, click
Dynamic Updates
and select the release notes listed under
Apps + Threats.
WildFire now supports firewall forwarding of MSI (Microsoft Installer) portable executables, as well as IQY (Microsoft Web Query) and SLK (Symbolic link) ms-office files to the WildFire cloud (all regions) for analysis. This enables the WildFire public cloud to analyze and classify .MSI, .IQY, and .SLK files with verdicts using static and dynamic analysis. The WildFire cloud uses MSI, IQY, and SLK file analysis results to generate and distribute C2 and DNS signatures used by DNS Security and URL filtering to prevent script-based attacks. To ensure that you are protected from the latest threats, always keep your firewalls up-to-date with the latest content and software updates from Palo Alto Networks.
  • The WildFire appliance does not support MSI, IQY, and SLK file analysis at this time.
To forward MSI or IQY/SLK files for analysis, the
WildFire Analysis Profile
on the firewall must be configured to forward
pe
for MSI files or
ms-office
for IQY and SLK file types. Select any
Any
to forward all supported unknown files to the WildFire public cloud.
  1. Enable file type forwarding.
    1. Select
      Objects > Security Profiles > WildFire Analysis
      and
      Add
      or modify a profile to define traffic to forward for WildFire analysis.
    2. Add or modify a profile rule, select
      file type
      , and set the rule to forward
      Any
      file type. Alternatively, you can also specify
      pe
      for MSI files or
      ms-office
      for IQY and SLK files, if you want to forward a specific file type.
      Profile rules with the file type set to
      Any
      forward all supported file types for WildFire analysis.
    3. Select Destination and set the profile rule to forward the files to the
      public-cloud
      .
    4. Click
      OK
      to save the new or modified WildFire Analysis profile.
  2. Attach the WildFire Analysis profile to a security policy rule—traffic matched to the policy rule is forwarded for WildFire Analysis.
    1. Select
      Policies > Security
      and
      Add
      or modify a security policy rule.
    2. Select
      Actions
      and set the
      Profile Type
      to
      Profiles
      .
    3. Select the newly-created
      WildFire Analysis
      profile.
    4. Click
      OK
      to save the security policy rule.
      For detailed steps to configure a WildFire Analysis profile and to attach the profile to a security policy rule, see Forward Files for WildFire Analysis.
  3. Select
    Monitor > WildFire Submissions
    to find WildFire verdicts and analysis reports for files that have been submitted by the firewall.
Submit files directly to the WildFire public cloud for analysis from the WildFire portal as well as the WildFire API:
  1. Manually submit files to the WildFire public cloud for analysis. You can then view the WildFire sample analysis report and verdict (malicious, grayware or benign) on the WildFire portal.
  2. Use the WildFire API to submit files to the WildFire public cloud. You can use the WildFire API to retrieve verdicts and analysis reports for the files. You can also specify a target analysis environment when you retrieve a packet capture through the WildFire API.

Recommended For You