Manual Upload of PowerShell Script to WildFire Fails from Unsupported File Type
Created On 04/25/19 13:45 PM - Last Modified 04/26/19 15:16 PM
Symptom
Manual upload of a PowerShell script to WildFire fails with the error "Unsupported File Type."
Environment
WildFire
Cause
The file type of a PowerShell script is "ASCII text":
$ file script
script: ASCII text, with CRLF line terminators
NOTE: This normally happens because a script downloaded from an external site like VT is saved without an extension, so that the person downloading it doesn't accidentally infect themselves. Please make sure to add the extension before uploading the script to WildFire for analysis.
Resolution
STEP 1: Add the appropriate extension for the script. This is required as the file type of the PowerShell script is "ASCII text" and WildFire will verify if the extension is correct before accepting a manual upload.
$ mv script script.ps1
$ file script.ps1
script.ps1: ASCII text, with CRLF line terminators
STEP 2: Manual upload of script.ps1 will be successful.
This solution is applicable for JS and VBS as well.
Additional Information
Manual upload of other samples, such as PE files, will be successful even without an extension, because WildFire is able to detect the file type from the file header:
$ file sample
sample: PE32 executable (GUI) Intel 80386, for MS Windows
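The difference between a text script (no identifying header, so the extension matters) and a PE file (recognizable from its first bytes) can be checked locally before a manual upload. The following is an added example, not Palo Alto Networks code: `classify_sample` and `make_samples` are hypothetical helper names, the sample files are constructed, and testing for the `MZ` bytes that begin a PE file is this example's stand-in for header detection, not WildFire's own logic.

```shell
#!/bin/sh
# Added example: pre-check a sample before a manual WildFire upload.
# classify_sample and make_samples are hypothetical helpers, not WildFire tools.

classify_sample() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    # First two bytes as hex; "4d5a" is the MZ magic that starts a PE file.
    magic=$(od -An -tx1 -N 2 "$f" | tr -d ' \n')
    if [ "$magic" = "4d5a" ]; then
        echo "header-identified"        # type is visible in the header
        return 0
    fi
    # Treat a non-empty file with no NUL bytes as text: its size is
    # unchanged after stripping NULs.
    total=$(wc -c < "$f" | tr -d ' ')
    nonnul=$(LC_ALL=C tr -d '\000' < "$f" | wc -c | tr -d ' ')
    if [ "$total" -gt 0 ] && [ "$total" = "$nonnul" ]; then
        case "$f" in
            *.ps1|*.PS1|*.js|*.JS|*.vbs|*.VBS) echo "text-with-extension" ;;
            *)                                 echo "text-needs-extension" ;;
        esac
        return 0
    fi
    echo "other-binary"                 # not covered by this check
}

# Constructed samples (not real malware): a CRLF PowerShell one-liner,
# the same file renamed with .ps1, and a stub that only carries MZ bytes.
make_samples() {
    d=$1
    printf 'Write-Output "hello"\r\n' > "$d/script"
    cp "$d/script" "$d/script.ps1"
    printf 'MZ\220\000\003\000' > "$d/sample"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for n in script script.ps1 sample; do
    printf '%s: %s\n' "$n" "$(classify_sample "$tmp/$n")"
done
rm -rf "$tmp"
```

A result of `text-needs-extension` corresponds to the case in STEP 1: rename the file with the extension that matches the script language before uploading.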
For additional information about WildFire, please reference this article: https://docs.paloaltonetworks.com/wildfire/8-1/wildfire-admin/wildfire-overview/wildfire-file-type-support.html