WildFire Submission [Logs] verdict is "malicious" and traffic is "allowed", while configured action is "blocked"

Created On 07/16/20 04:12 AM - Last Modified 10/07/22 23:45 PM


Question


I have configured the Anti-Virus security profile action as "blocked/sinkhole" if the verdict is "malicious". Still, the WildFire submission report indicates a "malicious" entity was "allowed".

Environment


  • PAN-OS 8.1 and above
  • Palo Alto Networks firewalls
  • Threat Prevention license
  • (Optional) WildFire license


Answer



There can be many reasons for such reporting. To interpret the WildFire report correctly, the first step is to identify the file type.
  1. WildFire can't block if the submission is an email link (E-link).
    • When an email traverses the firewall over a mail protocol, the firewall parses the HTTP/HTTPS URLs out of the body of the message. These links are called "email-links".
    • By default, the extracted email links are queued locally on the firewall in batches of either (a) 100 email links or (b) however many email links are collected during a two-minute window. The batch is forwarded to WildFire as soon as whichever limit is hit first. The firewall does not store or forward the full email message.
    • WildFire determines the URL verdict using its URL-analysis database and sends a copy of the report to the firewall. The verdict is shown in the WildFire Submissions logs as email-link benign, malicious, or phishing.
    • Note that the Antivirus and WildFire-Virus block actions are carried out on WildFire-supported files (for example, email attachments) but not on email links.
    • The network admin can act on WildFire reporting in advance. Because there is a lead time before WildFire returns the verdict, during which a user can click a malicious link by mistake, the link can be blocked by one of the other protection profiles, such as URL Filtering, Anti-Spyware (DNS signatures), or DNS Security.
    • For PAN-OS 10.0 and later, URL Filtering Inline ML (Machine Learning) can help close this window of opportunity; see the URL Filtering Inline ML documentation.
  2. If the file type is "LNK File", the traffic can't be blocked by Antivirus signatures on the firewall.
    • LNK files are supported for WildFire forwarding and sandboxing, but there is currently no Antivirus signature support.
    • The purpose of the LNK verdict is to provide coverage for Cortex XDR (endpoint).
    • You can configure File Blocking for the LNK file type.
    • If you need custom LNK blocking (a specific LNK file), you would need to create a custom signature using the file-data context.
    • Help creating custom signatures falls outside the scope of the Palo Alto Networks Support service offering.
  3. The file is unknown to WildFire.
    • When the sample traversed the firewall, it was still unknown to WildFire. In that case the firewall uploads the sample to WildFire, and WildFire generates a verdict and, if the verdict is malicious, a signature. It takes about 10 to 15 minutes for the firewall to download that signature via the WildFire dynamic update; with no signature, there is no blocking.
    • PAN-OS 10.0 or higher can mitigate this issue for PE and PowerShell files with the help of WildFire Real-Time Signature Updates and WildFire Inline ML.
  4. Aged-out or stale signatures
    • When the sample (malicious file) associated with an Antivirus signature has not been observed in the wild recently, the signature is moved to "replaced" (aged-out) status. That means the information about the file still exists, but the signature is no longer included in the current AV package because it is not prevalent.
  5. The Antivirus or WildFire package was not updated in time
    • The signature was not present because the Antivirus or WildFire-Virus packages were not updated in time via Dynamic Updates, or
    • DSRI (Disable Server Response Inspection) is enabled in the matching Security Policy rule, or
    • The Threat Prevention (Antivirus feature) or WildFire (WildFire-Virus and WildFire Inline ML features) license has expired.
  6. Configuration issue:
    • In the firewall configuration, Antivirus detection is configured per protocol decoder, and it is a common misconfiguration that the action for one protocol is "alert" while the other is a block action.
    • The Antivirus profile has an exception for the signature, which overrides the default action.
  7. CTD inspection queue is full:
    • The CTD inspection queue was full at the time the sample passed through the firewall and inspection was required. To prevent the traffic from being forwarded uninspected, the following options should be unchecked under Device -> Setup -> Content-ID -> Content-ID Settings:
      • Forward segments exceeding TCP content inspection queue (uncheck)
      • Forward datagrams exceeding UDP content inspection queue (uncheck)
  8. File size:
    • The file is larger than the supported file size. The supported size for PE files is 50 MB. More information is available in the WildFire file size limit documentation.
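The following is an added example, not code from the article or from Palo Alto Networks: a small triage helper that takes WildFire Submissions records showing verdict "malicious" with action "allow" and maps each one to the candidate causes listed above. The record field names, the app-to-decoder map, the profile settings and the sample records are all constructed for illustration.

```python
# Added example (not from the article): triage "malicious but allowed" WildFire
# Submissions records against the causes listed above. Field names, the
# app-to-decoder map and the sample records are constructed assumptions.
from dataclasses import dataclass

PE_LIMIT_BYTES = 50 * 1024 * 1024          # 50 MB PE limit stated in the article
APP_TO_DECODER = {"web-browsing": "http", "smtp": "smtp", "pop3": "pop3"}

@dataclass
class Submission:
    filetype: str        # e.g. "email-link", "lnk", "pe"
    verdict: str         # "benign", "malicious", "phishing", ...
    action: str          # "allow" or "block" as shown in the log
    app: str             # application the sample was seen on
    size_bytes: int
    threat_name: str = ""

def triage(sub, decoder_actions, exceptions, dsri_enabled):
    """Return the article's candidate explanations for one mismatched record."""
    if sub.verdict != "malicious" or sub.action != "allow":
        return []                      # nothing to explain
    reasons, ft = [], sub.filetype.lower()
    if ft == "email-link":
        reasons.append("email-link: AV never blocks links; rely on URL Filtering, Anti-Spyware DNS or DNS Security")
    if ft == "lnk":
        reasons.append("LNK: no Antivirus signature; use File Blocking or a custom file-data signature")
    if ft == "pe" and sub.size_bytes > PE_LIMIT_BYTES:
        reasons.append("PE larger than the 50 MB limit")
    decoder = APP_TO_DECODER.get(sub.app)     # per-decoder action mismatch (cause 6)
    if decoder and decoder_actions.get(decoder, "default") in ("alert", "allow"):
        reasons.append(f"profile action for decoder {decoder} is {decoder_actions[decoder]}, not a block action")
    if sub.threat_name and sub.threat_name in exceptions:
        reasons.append(f"profile exception for {sub.threat_name} overrides the default action")
    if dsri_enabled:
        reasons.append("DSRI enabled on the matching security rule")
    if not reasons:                    # no config cause: look at timing/package causes 3, 4, 5, 7
        reasons.append("no config cause found: check signature age, dynamic-update currency, license, CTD queue")
    return reasons

# Constructed sample records and a deliberately mismatched Antivirus profile
SAMPLES = [
    Submission("email-link", "malicious", "allow", "smtp", 0),
    Submission("pe", "malicious", "allow", "smtp", 1_000_000, "Virus/Example.Constructed"),
    Submission("pe", "malicious", "allow", "web-browsing", 60 * 1024 * 1024),
    Submission("pe", "benign", "allow", "web-browsing", 1000),
]
DECODER_ACTIONS = {"http": "reset-both", "smtp": "alert"}   # smtp left on alert
EXCEPTIONS = {"Virus/Example.Constructed"}

def triage_all(subs=SAMPLES, dsri_enabled=False):
    return [triage(s, DECODER_ACTIONS, EXCEPTIONS, dsri_enabled) for s in subs]
```

Run `triage_all()` to see each constructed record explained; the last record returns an empty list because its verdict is benign.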

