WildFire submission log is generated with "Benign" verdict when an unknown sample is classified as Malware by Advanced WildFire

Created On 12/12/22 07:16 AM - Last Modified 11/07/25 19:17 PM


Symptom


When an unknown sample (one that WildFire has never seen before) is classified as "Malware" by Advanced WildFire (AWF), the firewall generates a WildFire submission log with a "Benign" verdict.

WildFire_Submission_Benign.png


If the notification setting on the WildFire portal (Settings > Configure Alerts) is configured not to send email alerts for "Benign" samples, the user won't receive an email alert for that sample.
WildFire_Portail_Alerts.png


Environment


Palo Alto Networks Next Generation Firewalls with Advanced WildFire license.

Cause


This is working as designed.

Advanced WildFire (AWF) is a brand new infrastructure. It runs on a different virtual machine (hypervisor) from the existing ones (VM1 & VM2). AWF analyzes a sample only when VM1 & VM2 classify it as "Benign".
The firewall receives the report at the time when VM1 & VM2 classify the sample as "Benign". Thus, the WildFire submission log is generated with a "Benign" verdict.

After that, the sample is analyzed by AWF. If the sample is found to be "Malware", WildFire updates the verdict to "Malware". The new verdict ("Malware") is reflected in the report, as seen in the picture below.
WildFire_Report.png



The verdict of the WildFire submission log cannot be updated because it was already generated.

If the same file traverses the firewall after the verdict was changed, the WildFire submission log is generated with a "Malware" verdict because WildFire has already seen the sample and knows its verdict.
WildFire_Submission_Malware.png

Also, an email alert is generated by WildFire cloud when it's configured to send alerts for "Malware" samples.
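
Because the original "Benign" log entry is never rewritten, a periodic reconciliation of exported submission logs against the verdicts currently shown in the WildFire report can surface the affected files. The following is an added example, not Palo Alto Networks code: the record layout, field names and the `find_stale_benign` function are assumptions for illustration (not the PAN-OS log schema), and all sample data is constructed.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records; field names are illustrative assumptions.
SUBMISSION_LOGS = [
    {"time": "2024-01-10 07:00:00", "sha256": "a" * 64, "file": "invoice.exe", "verdict": "benign"},
    {"time": "2024-01-10 09:40:00", "sha256": "a" * 64, "file": "invoice.exe", "verdict": "malware"},
    {"time": "2024-01-10 08:02:00", "sha256": "b" * 64, "file": "setup.dll", "verdict": "benign"},
    {"time": "2024-01-10 08:30:00", "sha256": "c" * 64, "file": "notes.pdf", "verdict": "benign"},
]
# Constructed current verdicts, as read from the WildFire report for each hash.
CURRENT_VERDICTS = {"a" * 64: "malware", "b" * 64: "malware", "c" * 64: "benign"}


def find_stale_benign(logs, current):
    """Return one finding per hash that was logged as benign but is now malware."""
    by_hash = {}
    for entry in sorted(logs, key=lambda e: datetime.strptime(e["time"], FMT)):
        by_hash.setdefault(entry["sha256"], []).append(entry)

    findings = []
    for sha, entries in by_hash.items():
        if current.get(sha) != "malware":
            continue  # verdict did not change to malware; the log is accurate
        benign = [e for e in entries if e["verdict"] == "benign"]
        if not benign:
            continue  # every log entry already carries the malware verdict
        findings.append({
            "sha256": sha,
            "file": benign[0]["file"],
            "first_benign_log": benign[0]["time"],
            "benign_log_count": len(benign),
            # False: the file has not crossed the firewall since the verdict
            # changed, so no "Malware" submission log exists for it at all.
            "malware_log_exists": any(e["verdict"] == "malware" for e in entries),
        })
    return findings


if __name__ == "__main__":
    for f in find_stale_benign(SUBMISSION_LOGS, CURRENT_VERDICTS):
        print(f["file"], f["sha256"][:12], f["first_benign_log"],
              "malware log exists" if f["malware_log_exists"] else "only benign log exists")
```

Findings with `malware_log_exists` set to false are the ones most likely to be missed, since neither a "Malware" submission log nor, with "Benign" alerts disabled, an email alert was produced for them on the firewall side.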

