Want some help in going through the WildFire logs? Are you flooded by the number of WildFire events? With this feature, introduced in PAN-OS 7.0, the events are clearly separated for grayware and malware, allowing the response team to focus on the real malware.
Prior to PAN-OS 7.0, the majority of grayware (ad-supported software, browser toolbars, etc.) would trigger malicious-looking behavior in WildFire. This behavior distracts from the real malware, and the events you do want to see get lost in the noise. Also, prior to PAN-OS 7.0, these samples got the 'benign' verdict to separate them from the actual malware samples.
Starting in PAN-OS 7.0, we introduced the new grayware verdict to clearly identify samples that behave like malware but have no malicious intent.
This verdict allows the administrator to quickly distinguish malware samples from grayware, and to take action accordingly.
Unlike malware samples, grayware samples do not generate AV signatures.
New since PAN-OS 7.0 is the setting 'Report Grayware Files' under Device tab > Setup > WildFire, as seen in the screenshot below:
[Screenshot: Report Grayware Files setting]
When the above option is enabled (disabled by default), files analyzed by WildFire that are determined to be grayware will appear in the Monitor tab > WildFire Submissions log.
Below is an example of such a grayware verdict in the WildFire Submissions Log and also in the Detailed Log View:
[Screenshot: WildFire Submissions Log]
[Screenshot: Detailed Log View/WildFire Analysis Report]
In addition, we also added the new grayware option to the 'Suggested verdict' drop-down menu, in case you find a 'Benign' or 'Malware' verdict and want to change it to 'Grayware':
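To show how the separate grayware verdict helps a response team triage the WildFire Submissions log, here is an added example (not Palo Alto Networks code) that groups constructed log lines by verdict and pulls out only the malware entries. The column layout is a simplified, assumed export and not the exact PAN-OS syslog field order; the hashes are placeholders.

```python
"""Triage constructed WildFire Submissions log lines by verdict (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample export; column order is assumed, hashes are placeholders.
SAMPLE_LOG = """\
receive_time,src,dst,filename,sha256,verdict
2015/06/01 10:01:02,10.1.1.5,203.0.113.10,toolbar_setup.exe,sha256_placeholder_1,grayware
2015/06/01 10:02:10,10.1.1.7,203.0.113.11,invoice.pdf.exe,sha256_placeholder_2,malware
2015/06/01 10:03:33,10.1.1.9,203.0.113.12,report.docx,sha256_placeholder_3,benign
2015/06/01 10:04:45,10.1.1.5,203.0.113.13,adware_bundle.exe,sha256_placeholder_4,grayware
2015/06/01 10:05:50,10.1.1.8,203.0.113.14,update.scr,sha256_placeholder_5,malware
"""

# The three verdicts WildFire returns from PAN-OS 7.0 onward.
VERDICTS = ("benign", "grayware", "malware")


def parse_submissions(text):
    """Parse the CSV export into dicts; anything else (e.g. pending) becomes 'unknown'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["verdict"] = row["verdict"].strip().lower()
        if row["verdict"] not in VERDICTS:
            row["verdict"] = "unknown"
        rows.append(row)
    return rows


def triage(rows):
    """Group submissions by verdict so malware is not lost in the grayware noise."""
    by_verdict = defaultdict(list)
    for row in rows:
        by_verdict[row["verdict"]].append(row)
    return by_verdict


def malware_only(rows):
    """Return only the entries that warrant incident handling (malware verdicts)."""
    return [r for r in rows if r["verdict"] == "malware"]


if __name__ == "__main__":
    rows = parse_submissions(SAMPLE_LOG)
    groups = triage(rows)
    for verdict in VERDICTS:
        print(f"{verdict:9s} {len(groups[verdict])}")
    for r in malware_only(rows):
        print("investigate:", r["src"], r["filename"], r["sha256"])
```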