App.exe is Not Forwarded to WildFire from the Firewall

Created On 04/01/19 10:33 AM - Last Modified 07/19/22 23:14 PM


Symptom


App.exe is not forwarded for WildFire analysis by the firewall.

Cause


1) The Portable Executable (PE) file is a supported file type for WildFire analysis:
https://docs.paloaltonetworks.com/wildfire/8-1/wildfire-admin/wildfire-overview/wildfire-file-type-support.html

2) On closer inspection of App.exe on the endpoint, App.exe is a text file even though it has a .exe extension, and a text file is not a supported file type for WildFire analysis:
$ file App.exe
App.exe: ASCII text, with no line terminators


3) We detect .exe files based on file header information and not based on the extension. For a genuine .exe file, we can see that the MZ header is present:
$ xxd sample.exe | head -2
00000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000  MZP.............
00000010: b800 0000 0000 0000 4000 1a00 0000 0000  ........@.......

$ file sample.exe
sample.exe: PE32 executable (GUI) Intel 80386, for MS Windows
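
The header check in step 3 can be reproduced on an endpoint when triaging why a file was not forwarded. The Python below is an added example, not Palo Alto Networks code and not the firewall's decoder; the function names and sample byte strings are constructed, and the e_lfanew / "PE\0\0" check comes from the PE file format, not from this article.

```python
import struct
import sys

def classify_header(data: bytes) -> str:
    """Classify content by its leading bytes; the file name is never consulted."""
    if data[:2] != b"MZ":
        # No DOS "MZ" magic, so this is not an executable whatever it is named.
        if data and all(b in b"\t\n\r" or 0x20 <= b < 0x7F for b in data):
            return "ascii-text"
        return "unknown"
    if len(data) < 0x40:
        return "mz-truncated"
    # e_lfanew (offset 0x3C, little-endian) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "pe"
    return "mz-no-pe-signature"

def triage(name: str, data: bytes) -> dict:
    """Report whether a .exe name is backed by PE content."""
    kind = classify_header(data)
    claims_exe = name.lower().endswith(".exe")
    return {"name": name, "content": kind,
            "extension_mismatch": claims_exe and kind != "pe"}

# Constructed samples (not taken from the article's files).
TEXT_AS_EXE = b"plain text saved with an .exe name"
MINIMAL_PE = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\x00\x00\x4c\x01"
MZ_ONLY = b"MZ" + bytes(62)

if __name__ == "__main__":
    # With arguments: inspect real files. Without: run the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(triage(path, fh.read()))
    else:
        for name, blob in [("App.exe", TEXT_AS_EXE), ("sample.exe", MINIMAL_PE),
                           ("stub.exe", MZ_ONLY)]:
            print(triage(name, blob))
```

A result with "extension_mismatch": True for a .exe name matches the situation in this article: the content is not PE, so it is not treated as a PE file.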

 


Resolution


This is expected behavior: a text file is not a supported file type for WildFire analysis.
