8.0
Verdict Changes
You can now use the WildFire appliance to change a verdict for a sample. Verdict changes apply only to those samples submitted to the WildFire appliance, and the verdict for the same sample remains unchanged in the WildFire global cloud.

The WildFire private cloud content package is updated to reflect any verdict changes that you make (on the firewall, select Device > Dynamic Updates > WF-Private to enable WildFire private cloud content updates). When you change a sample verdict to malicious, the WildFire appliance generates a new signature to detect the malware and adds that signature to the WildFire private cloud content package. When you change a sample verdict to benign, the WildFire appliance removes the signature from the WildFire private cloud content package.
- Change a sample verdict:
  admin@WF-500# submit wildfire local-verdict-change hash <sha256 hash> comment <comment> verdict <verdict>
  - hash—Provide the SHA-256 hash of the file for which you want to change the verdict.
  - verdict—Enter the new file verdict: 0 indicates a benign sample, 1 indicates malware, 2 indicates grayware, and 4 indicates phishing.
  - comment—Include a comment to describe the verdict change.
- See samples with changed verdicts (specify either all or a single SHA-256 hash):
  admin@WF-500# show wildfire global local-verdict-change all | <sha256 hash>
  - all—See all samples with changed verdicts. The output includes the original verdict and the new verdict.
  - <sha256 hash>—Check a specific sample for a changed verdict. The output includes the original verdict and the new verdict.
- Use the API to change a sample verdict: Make a request to the new resource submit/local-verdict-change and include the API key, the file hash, the new verdict you want to apply to the sample, and a descriptive comment of the change:
  curl -X POST -H "Content-Type: multipart/form-data" -F "apikey=apikey" -F "hash=sha-256-hash" -F "verdict=0" -F "comment=comment-for-verdict-change" "https://wf-500/publicapi/submit/local-verdict-change"
  Use the following parameters when changing a WildFire appliance verdict for a file:
  - apikey—Enter your API key.
  - hash—Provide the SHA-256 hash of the file for which you want to change the verdict.
  - verdict—Enter the new file verdict: 0 indicates a benign sample, 1 indicates malware, 2 indicates grayware, and 4 indicates phishing.
  - comment—Include a comment to describe the verdict change.
  The following XML response verifies a successful verdict change. Example:
  <wildfire>
    <body>verdict is changed (old verdict: 0, new verdict:1)</body>
    <headers/>
  </wildfire>
- Use the API to see samples with changed verdicts: Make a request to the new resource get/verdicts/changed and include the API key and a start date for the query. Samples with verdicts changed between the specified start date and the present date are shown in this list:
  curl -F "apikey=apikey" -F "date=YYYY-MM-DD" "https://wf-500/publicapi/get/verdicts/changed"
  The verdict element value can be one of the following:
  - 0—benign
  - 1—malware
  - 2—grayware
  - 4—phishing
  The XML response contains the WildFire verdict along with the related hash values for each sample with a changed verdict within the specified time frame. Example:
  <wildfire>
    <get-verdict-info>
      <sha256>afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc</sha256>
      <verdict>1</verdict>
      <md5>0e4e3c2d84a9bc726a50b3c91346fbb1</md5>
    </get-verdict-info>
    ...........
    <get-verdict-info>
      <sha256>9739eb4207fe251d40f05187cbfd16081f97b246ebcc6010660244a84a9391b0</sha256>
      <verdict>2</verdict>
      <md5>481e625e50211efcaf6edb8f54f8cf83</md5>
    </get-verdict-info>
  </wildfire>
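The two curl calls above, the verdict-change request and the changed-verdicts query, are shown here as a small Python client. This is an added example, not Palo Alto Networks' code or part of the WildFire API documentation; it assumes only the resource paths, form fields, verdict codes and XML shapes described on this page, uses a placeholder appliance hostname, and builds the multipart body by hand so it needs nothing beyond the standard library. The sample XML embedded for the changed-verdicts parser is constructed from the page's example with the elision between entries removed. Validation of the hash and verdict code is done client-side before anything is sent, so a typo cannot silently turn into a signature removal for the wrong sample.

```python
"""Client for the WildFire appliance verdict-change API (added example, not vendor code).
Assumes the resources submit/local-verdict-change and get/verdicts/changed as described
on this page; WF_HOST is a placeholder for the appliance."""
import re
import uuid
import urllib.request
import xml.etree.ElementTree as ET

WF_HOST = "wf-500.example.invalid"  # placeholder appliance hostname (assumption)

# Verdict codes exactly as documented on the page; note that 3 is not a valid code.
VERDICT_NAMES = {0: "benign", 1: "malware", 2: "grayware", 4: "phishing"}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed from the page's example response, with the "..........." elision removed.
SAMPLE_CHANGED_XML = """<wildfire>
  <get-verdict-info>
    <sha256>afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc</sha256>
    <verdict>1</verdict>
    <md5>0e4e3c2d84a9bc726a50b3c91346fbb1</md5>
  </get-verdict-info>
  <get-verdict-info>
    <sha256>9739eb4207fe251d40f05187cbfd16081f97b246ebcc6010660244a84a9391b0</sha256>
    <verdict>2</verdict>
    <md5>481e625e50211efcaf6edb8f54f8cf83</md5>
  </get-verdict-info>
</wildfire>"""


def verdict_change_fields(api_key, sha256, verdict, comment):
    """Validate the inputs and return the form fields for submit/local-verdict-change."""
    if not SHA256_RE.match(sha256):
        raise ValueError("hash must be a 64-character hex SHA-256 digest")
    if verdict not in VERDICT_NAMES:
        raise ValueError(f"verdict must be one of {sorted(VERDICT_NAMES)}")
    if not comment.strip():
        raise ValueError("a comment describing the verdict change is required")
    return {"apikey": api_key, "hash": sha256.lower(),
            "verdict": str(verdict), "comment": comment}


def encode_multipart(fields):
    """Encode text fields as multipart/form-data (what curl -F sends). Returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    parts += [f"--{boundary}--", ""]
    return "\r\n".join(parts).encode("utf-8"), f"multipart/form-data; boundary={boundary}"


def post_form(path, fields, opener=urllib.request.urlopen):
    """POST the fields to https://WF_HOST/publicapi/<path> and return the response text."""
    body, content_type = encode_multipart(fields)
    req = urllib.request.Request(f"https://{WF_HOST}/publicapi/{path}", data=body,
                                 method="POST", headers={"Content-Type": content_type})
    with opener(req) as resp:  # opener is injectable so the call can be stubbed offline
        return resp.read().decode("utf-8")


def parse_change_response(xml_text):
    """Return (old_verdict, new_verdict) from the <body> of a successful change response."""
    body = ET.fromstring(xml_text).findtext("body") or ""
    m = re.search(r"old verdict:\s*(\d+),\s*new verdict:\s*(\d+)", body)
    if not m:
        raise ValueError(f"unexpected response body: {body!r}")
    return int(m.group(1)), int(m.group(2))


def parse_changed_verdicts(xml_text):
    """Return one dict per <get-verdict-info> entry from a get/verdicts/changed response."""
    rows = []
    for info in ET.fromstring(xml_text).findall("get-verdict-info"):
        code = int(info.findtext("verdict"))
        rows.append({"sha256": info.findtext("sha256"), "md5": info.findtext("md5"),
                     "verdict": code, "name": VERDICT_NAMES.get(code, "unknown")})
    return rows


def change_verdict(api_key, sha256, verdict, comment, opener=urllib.request.urlopen):
    """Submit a verdict change and return (old, new) as reported by the appliance."""
    fields = verdict_change_fields(api_key, sha256, verdict, comment)
    return parse_change_response(post_form("submit/local-verdict-change", fields, opener))


def changed_since(api_key, date, opener=urllib.request.urlopen):
    """List samples whose verdict changed from the given YYYY-MM-DD date to now."""
    return parse_changed_verdicts(post_form("get/verdicts/changed",
                                            {"apikey": api_key, "date": date}, opener))


if __name__ == "__main__":
    for row in parse_changed_verdicts(SAMPLE_CHANGED_XML):
        print(f"{row['sha256']}  {row['verdict']} ({row['name']})")
```

Because every verdict change to benign removes a signature from the private cloud content package, polling get/verdicts/changed on a schedule and diffing the result against the previous run gives an audit trail of who overrode what; the parsed rows above are the input for that comparison.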