Multiple downloads of the same script file detected as malware by WildFire are not blocked by the WildFire/Antivirus Threat Prevention signature
Symptom
The same malicious script file (VBA in this case) traverses the firewall multiple times throughout the day. WildFire detects this sample as malware every time, with action 'Allow' and severity 'High'. It is not blocked by the WildFire/Antivirus Threat Prevention signatures even though the WildFire/Antivirus signatures are set to 'Block' in the security profile attached to the security policy.
Resolution
This is working as expected:
- The file types supported for WildFire analysis are listed here:
  https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-file-type-support
  https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud-features/html-application-and-link-file-analysis
- Review the following document for the file types for which WildFire and Antivirus Threat Prevention signatures are supported:
  https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures
- WildFire upload and verdict generation are supported for script files; however, threat prevention signature generation is not supported for scripts.
  WildFire still analyzes these files, even though no signature is generated, so that customers can see that these malicious files passed through the firewall without being blocked: the WildFire Submissions log records them with action 'allow'. The severity is set to 'High' precisely because the firewall did not block the files.
  At this stage customers should check their XDR agents or other endpoint protection, review whether these files were blocked there, and take the necessary steps if they were not.
- The scope of WildFire for script files is to provide a verdict. In addition, any malicious URLs present in the script are classified as Malware/C2 in PAN-DB, and DNS signatures are generated for them. The DNS Security and URL Filtering features can be leveraged to block connections to these URLs.
  The following document also explains this coverage:
  https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud-features/script-sample-support
  "When a malicious script is discovered, the WildFire cloud generates and distributes C2 and DNS signatures to firewalls to prevent successful script-based attacks"
- This scenario also applies to other file types, such as LNK, for which signature generation is not supported.
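The follow-up step above (a malicious verdict with action 'allow' on a file type that gets no signature, repeated across the day, with the downloading hosts to be checked against endpoint protection) is easy to automate over an export of the WildFire Submissions log. The script below is an added example and is not part of this KB article or a Palo Alto Networks tool; the CSV column names (receive_time, filedigest, filetype, category, action, srcip, misc), the file type labels in VERDICT_ONLY_TYPES, and the log rows themselves are constructed assumptions and should be mapped to the columns of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a WildFire Submissions log export (not a real log).
# Column names follow the PAN-OS field naming style but are an assumption;
# map them to the columns of your own export.
SAMPLE_LOG = """receive_time,filedigest,filetype,category,action,severity,srcip,dstip,misc
2024/05/01 08:02:11,sha256-A-placeholder,VBA,malicious,allow,high,10.1.1.5,203.0.113.10,invoice.vbs
2024/05/01 09:14:37,sha256-A-placeholder,VBA,malicious,allow,high,10.1.1.9,203.0.113.10,invoice.vbs
2024/05/01 10:00:00,sha256-B-placeholder,pe,malicious,block,high,10.1.2.3,203.0.113.20,setup.exe
2024/05/01 11:00:00,sha256-C-placeholder,VBA,benign,allow,informational,10.1.1.7,203.0.113.30,macro.vbs
2024/05/01 12:00:00,sha256-D-placeholder,LNK,malicious,allow,high,10.1.3.3,203.0.113.40,report.lnk
2024/05/01 13:40:02,sha256-A-placeholder,VBA,malicious,allow,high,10.1.1.5,203.0.113.10,invoice(1).vbs
"""

# File types for which WildFire returns a verdict but, per the KB article, no
# Antivirus/Threat Prevention signature is generated, so a malicious verdict
# is logged with action 'allow'. The labels are assumed to match the export.
VERDICT_ONLY_TYPES = {"script", "vba", "vbs", "js", "ps1", "lnk"}


def parse_rows(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_verdict_only_allows(rows):
    """Group malicious-but-allowed submissions of verdict-only file types by hash.

    Returns {filedigest: {"filetype", "count", "hosts", "names"}}, where hosts
    are the session initiators (the downloading clients) to follow up on with
    the endpoint agent, and names are the file names seen for that hash.
    """
    hits = defaultdict(lambda: {"filetype": None, "count": 0, "hosts": set(), "names": set()})
    for r in rows:
        if r["category"].strip().lower() != "malicious":
            continue  # benign / grayware verdicts are not part of this triage
        if r["action"].strip().lower() != "allow":
            continue  # already blocked: signature coverage exists for this type
        if r["filetype"].strip().lower() not in VERDICT_ONLY_TYPES:
            continue  # an allowed PE etc. would be a different investigation
        h = hits[r["filedigest"]]
        h["filetype"] = r["filetype"]
        h["count"] += 1
        h["hosts"].add(r["srcip"])
        h["names"].add(r["misc"])
    return dict(hits)


def summarize(rows):
    """Return (digest, filetype, count, sorted hosts) tuples, most frequent first."""
    hits = find_verdict_only_allows(rows)
    return sorted(
        ((d, h["filetype"], h["count"], sorted(h["hosts"])) for d, h in hits.items()),
        key=lambda t: (-t[2], t[0]),
    )


if __name__ == "__main__":
    for digest, ftype, count, hosts in summarize(parse_rows(SAMPLE_LOG)):
        print(f"{digest} ({ftype}): {count} allowed malicious submission(s); "
              f"verify endpoint protection on {', '.join(hosts)}")
```

On the constructed sample the VBA hash is reported three times from two client hosts and the LNK once, while the blocked PE and the benign VBA are left out; the host list is what you hand to the endpoint team, and the hash is what you look up in the endpoint agent's quarantine records.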
Additional Information
On an additional note, WildFire Inline ML supports blocking of PowerShell (PS) and shell scripts:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/wildfire-inline-ml