Why is WF-500 generating a signature for the WildFire test PE file?
Created On 12/25/22 02:37 AM - Last Modified 10/17/25 04:41 AM
Question
Why is WF-500 generating a signature for the WildFire test PE file?
admin@WF-500> show wildfire global signature-status sha256 equal 1d62d1d5cf027299383a0c0eaab2493f3fc82e05e85b81ace86d1bda115ba208
Signature Name: Virus/Win32.WPCGeneric.a
Current Status: released
Release History:
+---------------+---------------------+---------+-------------+----------+
| Build Version | Timestamp           | UTID    | Internal ID | Status   |
+---------------+---------------------+---------+-------------+----------+
| 1             | 2022-08-28 18:11:02 | 5000001 | 1           | released |
+---------------+---------------------+---------+-------------+----------+
(Please note that the hash value will vary.)
Environment
WF-500
Answer
WF-500 should not generate a signature for the WildFire test PE file, but it currently does. Palo Alto Networks is working on a fix.
The workaround would be either to set an exception on the firewall or to disable the signature on WF-500.
When running the commands below, please change the hash value of the WildFire test PE file accordingly.
admin@WF-500> show wildfire local latest samples limit 200 days 7
Latest samples information:
+------------------------------------------------------------------+---------------------+-----------+-----------+--------------+-----------+-------------------+
| SHA256                                                           | Create Time         | File Name | File Type | File Size    | Malicious | Status            |
+------------------------------------------------------------------+---------------------+-----------+-----------+--------------+-----------+-------------------+
| 1d62d1d5cf027299383a0c0eaab2493f3fc82e05e85b81ace86d1bda115ba208 | 2022-08-28 17:59:23 |           | PE        | 55,296       |           | download complete |
+------------------------------------------------------------------+---------------------+-----------+-----------+--------------+-----------+-------------------+

admin@WF-500> disable wildfire sample-signature sha256 equal 1d62d1d5cf027299383a0c0eaab2493f3fc82e05e85b81ace86d1bda115ba208
Failed to run /usr/bin/python /usr/local/bin/wf20/signaturequery/pan_disable_sample_signature.py 1d62d1d5cf027299383a0c0eaab2493f3fc82e05e85b81ace86d1bda115ba208

admin@WF-500> show wildfire global signature-status sha256 equal 1d62d1d5cf027299383a0c0eaab2493f3fc82e05e85b81ace86d1bda115ba208
Signature Name: Virus/Win32.WPCGeneric.a
Current Status: disabled
Release History:
+---------------+---------------------+---------+-------------+----------+
| Build Version | Timestamp           | UTID    | Internal ID | Status   |
+---------------+---------------------+---------+-------------+----------+
| 1             | 2022-08-29 22:01:02 | 5000001 | 1           | disabled |
| 1             | 2022-08-28 18:11:02 | 5000001 | 1           | released |
+---------------+---------------------+---------+-------------+----------+
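Because the hash of the test PE file changes with every download, the command sequence above has to be rebuilt for each hash, and the disable command prints a "Failed to run ..." message even though the signature ends up disabled. The script below is an added example, not part of this article or of Palo Alto Networks' tooling: it parses the output of show wildfire local latest samples to pick out PE sample hashes, builds the three commands above for each, and parses show wildfire global signature-status output so that the "disabled" state is verified from the status table rather than from the disable command's own message. The CLI output embedded in it is constructed from the transcripts above (the second sample row is made up), and the helper names are the author's own.

```python
"""Parse WF-500 CLI table output to find the WildFire test PE sample and
verify that its signature is disabled. Added example; not Palo Alto code."""
import re

# Constructed WF-500 output modelled on the article's transcripts. The first
# row is the article's test PE sample; the second row is made up to show
# that non-PE samples are skipped. Your hash will differ.
SAMPLES_OUTPUT = """\
Latest samples information:
+------------------------------------------------------------------+---------------------+-----------+-----------+--------------+-----------+-------------------+
| SHA256                                                           | Create Time         | File Name | File Type | File Size    | Malicious | Status            |
+------------------------------------------------------------------+---------------------+-----------+-----------+--------------+-----------+-------------------+
| 1d62d1d5cf027299383a0c0eaab2493f3fc82e05e85b81ace86d1bda115ba208 | 2022-08-28 17:59:23 |           | PE        | 55,296       |           | download complete |
| ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff | 2022-08-28 17:58:00 | test.pdf  | PDF       | 12,288       |           | download complete |
+------------------------------------------------------------------+---------------------+-----------+-----------+--------------+-----------+-------------------+
"""

# Constructed signature-status output before and after the disable command.
STATUS_RELEASED = """\
Signature Name: Virus/Win32.WPCGeneric.a
Current Status: released
Release History:
+---------------+---------------------+---------+-------------+----------+
| Build Version | Timestamp           | UTID    | Internal ID | Status   |
+---------------+---------------------+---------+-------------+----------+
| 1             | 2022-08-28 18:11:02 | 5000001 | 1           | released |
+---------------+---------------------+---------+-------------+----------+
"""

STATUS_DISABLED = """\
Signature Name: Virus/Win32.WPCGeneric.a
Current Status: disabled
Release History:
+---------------+---------------------+---------+-------------+----------+
| Build Version | Timestamp           | UTID    | Internal ID | Status   |
+---------------+---------------------+---------+-------------+----------+
| 1             | 2022-08-29 22:01:02 | 5000001 | 1           | disabled |
| 1             | 2022-08-28 18:11:02 | 5000001 | 1           | released |
+---------------+---------------------+---------+-------------+----------+
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_cli_table(text):
    """Turn the '|'-delimited rows of a WF-500 CLI table into dicts keyed by header."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body if len(row) == len(header)]


def find_sample_hashes(samples_text, file_type="PE"):
    """SHA256 values of samples of the given file type, validated as 64 hex chars."""
    return [row["SHA256"] for row in parse_cli_table(samples_text)
            if row.get("File Type") == file_type and SHA256_RE.match(row.get("SHA256", ""))]


def workaround_commands(sha256):
    """The article's WF-500 command sequence with the sample hash filled in."""
    if not SHA256_RE.match(sha256):
        raise ValueError("expected a lowercase 64-character SHA256 hex digest")
    selector = f"sha256 equal {sha256}"
    return [f"show wildfire global signature-status {selector}",
            f"disable wildfire sample-signature {selector}",
            f"show wildfire global signature-status {selector}"]


def signature_state(status_text):
    """(signature name, current status, status of the newest release-history row)."""
    name = re.search(r"Signature Name:\s*(\S+)", status_text)
    current = re.search(r"Current Status:\s*(\S+)", status_text)
    history = parse_cli_table(status_text)
    # Timestamps are ISO-like, so string order is chronological order.
    newest = max(history, key=lambda r: r["Timestamp"])["Status"] if history else None
    return (name.group(1) if name else None,
            current.group(1) if current else None,
            newest)


def signature_disabled(status_text):
    """True only when the current status and the newest history row both say disabled.
    The disable command printed a failure message in the article yet the signature
    still showed as disabled, so the status output is what to trust, not that message."""
    _, current, newest = signature_state(status_text)
    return current == "disabled" and newest == "disabled"


if __name__ == "__main__":
    for digest in find_sample_hashes(SAMPLES_OUTPUT):
        print("\n".join(workaround_commands(digest)))
    print("before disable:", signature_disabled(STATUS_RELEASED))
    print("after disable: ", signature_disabled(STATUS_DISABLED))
```

Paste the real output of the two show commands into the two constants (or read them from files) and the same functions apply; the hash regex rejects anything that is not a full lowercase SHA256 so a truncated copy of the hash cannot be turned into a disable command.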
Impact:
Even if the signature is generated and the WildFire test PE file is blocked, a WildFire upload test using the test PE file still works as expected: either the file itself or its session information is uploaded to WF-500, and a WildFire submission log entry is generated.
Additional Information
See also:
How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC
How to Test WildFire with a Fake Malicious File
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloTCAS