Verdict Mismatch Between WildFire Submission Log and WildFire Analysis Report
Created On 04/25/19 13:00 PM - Last Modified 05/06/19 15:13 PM
Symptom
The verdict for a sample shows as Malware in Monitor > WildFire Submission Logs. When the WildFire report for the same sample upload is reviewed later in the cloud (https://wildfire.paloaltonetworks.com), the verdict shows as Benign.
Environment
WildFire
Cause
This happens because of a false positive in the WildFire analysis. WildFire incorrectly gives the verdict as Malware. The sample and log are written locally on the firewall (Monitor > WildFire Submission). At this stage, the WildFire report from the cloud also shows the verdict as Malware.
Palo Alto Networks researchers later find out about the false positive and flip the verdict of the sample to Benign. The WildFire Submission log is written in the firewall cache, and there is no option to change it to Benign, so it remains Malware. Once flipped, the verdict in the WildFire report from the cloud changes to Benign.
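
One way to find log entries affected by a flipped verdict, as an added example that is not part of the original article: the code compares verdicts cached in the submission log with current cloud verdicts. The log rows, hashes and function names are constructed, and the XML shape and numeric verdict codes are assumed to follow the WildFire API get/verdict response.

```python
import xml.etree.ElementTree as ET

# Assumption: numeric codes as documented for the WildFire API get/verdict call.
VERDICT_CODES = {0: "benign", 1: "malware", 2: "grayware", 4: "phishing",
                 -100: "pending", -101: "error", -102: "unknown",
                 -103: "invalid hash"}
FINAL = {"benign", "malware", "grayware", "phishing"}


def parse_verdict(xml_text):
    """Return (sha256, verdict name) from one get/verdict response body."""
    info = ET.fromstring(xml_text).find("get-verdict-info")
    if info is None:
        raise ValueError("response has no get-verdict-info element")
    sha256 = info.findtext("sha256", "").strip().lower()
    code = int(info.findtext("verdict", "-101"))
    return sha256, VERDICT_CODES.get(code, "unrecognised")


def find_flipped(log_rows, responses):
    """Return (sha256, cached, current) for log rows the cloud has since changed."""
    cloud = dict(parse_verdict(body) for body in responses)
    flipped = []
    for row in log_rows:
        cached = row["verdict"].lower()
        current = cloud.get(row["sha256"].lower())
        # Pending, unknown or error answers are not a changed verdict.
        if current in FINAL and current != cached:
            flipped.append((row["sha256"], cached, current))
    return flipped


def _response(sha256, code):
    # Constructed response body in the assumed get/verdict XML shape.
    return ("<wildfire><get-verdict-info><sha256>%s</sha256>"
            "<verdict>%d</verdict></get-verdict-info></wildfire>" % (sha256, code))


# Constructed sample data: placeholder hashes, not real samples.
H1, H2, H3 = "a" * 64, "b" * 64, "c" * 64
LOG_ROWS = [{"sha256": H1, "verdict": "Malware"},
            {"sha256": H2, "verdict": "Malware"},
            {"sha256": H3, "verdict": "Malware"}]
RESPONSES = [_response(H1, 0), _response(H2, 1), _response(H3, -102)]

if __name__ == "__main__":
    for sha256, cached, current in find_flipped(LOG_ROWS, RESPONSES):
        print(f"{sha256[:12]}... log={cached} cloud={current}")
```

Only the first constructed row is reported: its cached Malware verdict is now Benign in the cloud, while an unchanged verdict and an "unknown" answer are not treated as a flip.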