What does WildFire file verdict of "unknown" indicate?
Created On 02/21/21 08:01 AM - Last Modified 10/31/25 15:55 PM
Question
Why is the status of some files in WildFire marked as "unknown"?
Environment
- WildFire (WF) cloud
- All PAN-OS
- Any PAN product that uploads files to WildFire
Answer
There are two possible reasons why a file sample (hash) may have an "unknown" verdict:
(a) If the sample is entirely new to WildFire, it will receive an "unknown" verdict. In such cases, you have two options: upload the sample to the WildFire portal, or pass it to the support team for uploading.
(b) The second reason is similar but with a slight variation. When a file lacks any verdict from WildFire, it is categorized as "unknown." In this scenario, however, the file has already passed through the firewall and undergone initial analysis by a local analysis module, such as Traps, pending a WildFire verdict.
As the next step, the file should be uploaded to the cloud, where WildFire will determine the final verdict. This WildFire verdict will supersede the verdict obtained from the local analysis. In some instances, if the file upload fails to reach the WildFire cloud and no sandbox analysis is performed, the file will receive an "unknown" verdict.
A file upload to WildFire can fail due to reaching the daily upload limit, network issues, incorrect API key usage, or other factors. It's important to remember that if the file is an unsupported file type.
Additional Information
Question: Why can't I see the report for an unknown file type in WildFire?
Answer: A file's status is 'unknown' when the file has a local analysis and is not in the WildFire cloud. This means the file never made it to the sandbox and no analysis was run on it, hence there is no report on the file.
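The following is an added example, not part of the original article or Palo Alto Networks code. It triages a batch verdict lookup so that hashes still "unknown" (never analyzed in the sandbox, so no report) are separated from ones that are merely pending. It assumes the verdict codes of the public WildFire API (-102 for "unknown", -100 for "pending") and a constructed XML response with placeholder hashes; the function names and next-step wording are hypothetical.

```python
import xml.etree.ElementTree as ET

# Verdict codes documented for the public WildFire API verdict lookup.
VERDICTS = {0: "benign", 1: "malware", 2: "grayware", 4: "phishing", 5: "c2",
            -100: "pending", -101: "error", -102: "unknown", -103: "invalid-hash"}

# What each non-final state means for the analyst (wording is illustrative).
NEXT_STEP = {
    "unknown": "no cloud record, so no report exists: check that the upload "
               "happened (daily limit, network, API key), then submit the sample",
    "pending": "sample reached the cloud and is being analyzed: poll again",
    "error": "lookup failed: retry the query",
    "invalid-hash": "malformed hash: correct it and query again",
    "unrecognized": "unexpected value: inspect the raw response",
}

# Constructed response, assumed to follow the verdict lookup's XML layout.
# The hashes are placeholders, not real samples.
SAMPLE_XML = "<wildfire>" + "".join(
    f"<get-verdict-info><sha256>{c * 64}</sha256><verdict>{v}</verdict>"
    "</get-verdict-info>"
    for c, v in (("a", -102), ("b", -100), ("c", 1), ("d", "n/a"))
) + "</wildfire>"


def triage(xml_text):
    """Map each sha256 in a verdict response to (verdict_name, next_step)."""
    results = {}
    for info in ET.fromstring(xml_text).iter("get-verdict-info"):
        sha256 = (info.findtext("sha256") or "").strip().lower()
        try:
            name = VERDICTS.get(int(info.findtext("verdict") or ""), "unrecognized")
        except ValueError:  # empty or non-numeric verdict field
            name = "unrecognized"
        step = NEXT_STEP.get(name, "final verdict: a report can be requested")
        results[sha256] = (name, step)
    return results


def needs_upload(xml_text):
    """Hashes still 'unknown', i.e. never analyzed in the WildFire sandbox."""
    return sorted(h for h, (name, _) in triage(xml_text).items() if name == "unknown")


if __name__ == "__main__":
    for sha256, (name, step) in triage(SAMPLE_XML).items():
        print(f"{sha256[:12]}...  {name:<12} {step}")
```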