Why does WildFire analysis show WindowsXP (Obsolete) and Windows7 (Obsolete) and not Windows10?

Created On 03/30/20 15:13 PM - Last Modified 07/22/24 18:35 PM


Question


Why does WildFire analysis show WindowsXP (Obsolete) and Windows7 (Obsolete) and not Windows10?

Answer


WildFire does have a Windows 10 image in its sandbox, but most files end up being analyzed primarily by the Windows XP and Windows 7 VMs. The reason is that the WildFire research team identified an issue when analyzing MS Office, JAR and Flash files in Windows 10: it reduced the chance that the malicious behavior in a file would execute successfully during analysis. As a result, most Windows-based files are evaluated by the Windows 7 and XP images.

Since most malware affecting Windows 10 will also affect Windows 7, Windows 7 remains a fairly reliable image to use until the same level of effectiveness can be attained with Windows 10 as we have with Windows 7. The Palo Alto Networks product team continues to monitor and investigate the opportunity to analyze additional supported file types, and as we find consistent methods to do so we add them to the WildFire environment. Because the threat landscape is constantly changing, it is difficult to always stay at the forefront of the latest threats, but as the WildFire AI logic improves, new features will be added to the WildFire sandbox.

AutoFocus can be used to see any of your samples that were evaluated by the Windows 10 image. To do this, perform an advanced search in AutoFocus and select the following condition: Analysis Environment is Windows 10 x64, Flash 22, Adobe Reader 11, Office 2010.


Alternatively, a UI Query can be performed using the following conditions:

    {
      "operator": "all",
      "children": [
        {
          "field": "sample.tasks.platform",
          "operator": "is",
          "value": "Windows 10 x64, Flash 22, Adobe Reader 11, Office 2010",
          "trySubmit": true
        }
      ]
    }


Any of these searches will return results for samples tested in the Windows 10 environment. There is another Windows 10 environment, but it is just a base Windows 10 image. Windows 10 is currently only used for 64-bit PE files. The older VMs are still able to determine correct verdicts accurately because they have been customized and are combined with static analysis and machine learning, so there is little concern about WildFire missing verdicts.
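To check locally which of your exported sample records the UI query above would select, here is an added example (not Palo Alto Networks or AutoFocus code) that builds the same query for any analysis environment string and evaluates it against sample records; the dotted field-path traversal, the list flattening and the 'is'/'contains' semantics are assumptions made for this illustration.

```python
# Added example, not Palo Alto Networks code: a local evaluator for the
# AutoFocus-style query in this article. The dotted field-path traversal
# (lists flattened) and the 'is'/'contains' semantics are assumptions.
WIN10_PLATFORM = "Windows 10 x64, Flash 22, Adobe Reader 11, Office 2010"

def build_platform_query(platform: str) -> dict:
    # Same shape as the article's query; trySubmit is a UI flag, ignored here.
    return {"operator": "all", "children": [
        {"field": "sample.tasks.platform", "operator": "is",
         "value": platform, "trySubmit": True}]}

def resolve(record: dict, path: str) -> list:
    """Walk a dotted path such as sample.tasks.platform, flattening lists."""
    current = [record]
    for part in path.split("."):
        nxt = []
        for node in current:
            if isinstance(node, dict) and part in node:
                val = node[part]
                nxt.extend(val if isinstance(val, list) else [val])
        current = nxt
    return current

def matches(query: dict, record: dict) -> bool:
    """Evaluate 'all'/'any' groups and 'is'/'contains' leaf conditions."""
    if "children" in query:
        results = [matches(c, record) for c in query["children"]]
        return all(results) if query["operator"] == "all" else any(results)
    values = resolve(record, query["field"])
    if query["operator"] == "is":
        return query["value"] in values
    if query["operator"] == "contains":
        return any(query["value"] in str(v) for v in values)
    raise ValueError(f"unsupported operator {query['operator']!r}")

# Constructed sample records with placeholder hashes (not real samples).
SAMPLES = [
    {"sample": {"sha256": "<placeholder-a>", "tasks": [
        {"platform": WIN10_PLATFORM, "verdict": "malware"},
        {"platform": "Windows 7 (constructed)", "verdict": "malware"}]}},
    {"sample": {"sha256": "<placeholder-b>", "tasks": [
        {"platform": "Windows XP (constructed)", "verdict": "benign"}]}},
]

def win10_samples(samples: list) -> list:
    """Return hashes of samples that ran in the Windows 10 environment."""
    query = build_platform_query(WIN10_PLATFORM)
    return [s["sample"]["sha256"] for s in samples if matches(query, s)]
```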

Additional Information


Relevant Articles:
Analysis Environment
Support for Windows 10 Analysis Environment
Windows 10 Analysis Environment

