Wildfire Cloud verdict is benign but still receiving Malware verdict alerts

Created On 07/15/22 14:45 PM - Last Modified 12/16/25 14:49 PM


Symptom


  • Receiving multiple Wildfire 'malicious' alerts on a known benign file
  • Verified within Threat Vault that no signatures have been generated for the sample file
  • After a TAC case was opened, it was confirmed that the Wildfire Public Cloud verdict for the file is benign, yet malicious verdicts are still being received even after new Wildfire content updates have been installed


Environment


  • PAN-OS
  • WF500


Cause


When new YARA rules are created and added to match samples, each matching sample can produce a new siggen (signature generation) pattern. If such a sample is later whitelisted in the Wildfire Public Cloud but that whitelist entry is not properly synced to the customer's on-premise WF500 appliance, the appliance keeps its cached malicious verdict and the customer continues to receive malicious verdicts for a benign sample file.

Resolution


Flush the Wildfire local content cache via the firewall's CLI (Option 1):

  • In PAN-OS 9.0
    • > delete content cache old-content
    • > delete content cache curr-content type all version [hit Tab to see the full list and delete each one]
    • Reboot the device
    • Manually update the firewall content again
  • In PAN-OS 10.0+
    • > debug dataplane reset ctd wf-cache
    • > debug dataplane show ctd wf-cache (verify that the cache counters have reset to 0)
    • No device reboot is needed


Download the dynamic content packages from the CSP and upload them to the firewall (Option 2):

  • Download the latest Antivirus, Applications and Threats, and Wildfire content packages from the Customer Support Portal
  • Manually import them into the firewall in the following order:
    1. Antivirus package
    2. Applications and Threats package
    3. Wildfire package
  • Reboot the firewall

(Note: either option above flushes the content package that carries the stale verdict)
For an on-premise Wildfire appliance:

  • If you have an on-premise Wildfire appliance (WF500), the incorrect verdict may also be cached on the appliance itself and requires a manual verdict change for the sample's SHA256 hash
  • Run the following CLI command on the appliance to change the verdict manually (0 indicates benign, 1 indicates malware, 2 indicates grayware):
    • > submit wildfire local-verdict-change comment test hash c323891a87a8c43780b0f2377de2efc8bf856f02dd6b9e46e97f4a9652814b5c verdict 0
  • Verify the change. The Verdict column shows the change as old -> new; the output below is illustrative and shows a different hash changed from 0 to 1, so after the command above your hash should be listed with a new verdict of 0:
    • > show wildfire global verdict-change all details

      +------------------------------------------------------------------+---------+--------+---------------------+----------------------+
      |                              SHA256                              | Verdict | Source |     Create Time     |       Comment        |
      +------------------------------------------------------------------+---------+--------+---------------------+----------------------+
      | 6b4195e640a85ac32eb6f9628822a622057df1e459df7c17a12f97aeabc9415b |  0 -> 1 |  cli   | 2025-12-12 12:18:02 | test-verdict-flipped |
      +------------------------------------------------------------------+---------+--------+---------------------+----------------------+
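As an added example that is not part of this article or of any Palo Alto Networks tooling, the following Python script does the bookkeeping around the manual verdict change: it computes the SHA256 you will submit from the sample bytes, builds the exact local-verdict-change command line shown above, and parses the table printed by show wildfire global verdict-change all details to confirm the hash now carries the intended verdict. The first table row in the sample output is the one from the article; the second row, its timestamp, and the restriction of the comment to a single token are constructed assumptions.

```python
"""Added example (not from the Palo Alto Networks article): compute the SHA256 to
submit, build the WF500 local-verdict-change command, and parse the output of
`show wildfire global verdict-change all details` to confirm the new verdict."""
import hashlib
import re

# Verdict codes as listed in the article.
VERDICT_CODES = {0: "benign", 1: "malware", 2: "grayware"}


def sha256_of_sample(data: bytes) -> str:
    """Hex SHA256 of the sample bytes; WildFire keys verdicts on this value."""
    return hashlib.sha256(data).hexdigest()


def local_verdict_change_cmd(sha256: str, verdict: int, comment: str = "test") -> str:
    """Build the CLI line from the article for the given hash and verdict.

    The comment is restricted to a single token (an assumption: the article only
    shows a one-word comment), so it cannot break the command's argument list.
    """
    if not re.fullmatch(r"[0-9a-f]{64}", sha256):
        raise ValueError("expected a lowercase 64-character hex SHA256")
    if verdict not in VERDICT_CODES:
        raise ValueError(f"unsupported verdict code {verdict}")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", comment):
        raise ValueError("comment must be a single token")
    return (f"submit wildfire local-verdict-change comment {comment} "
            f"hash {sha256} verdict {verdict}")


# One data row of the verdict-change table: | sha256 | old -> new | source | time | comment |
ROW_RE = re.compile(
    r"^\|\s*([0-9a-f]{64})\s*\|\s*(\d+)\s*->\s*(\d+)\s*\|\s*(\S+)\s*\|"
    r"\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|$"
)


def parse_verdict_changes(output: str) -> dict:
    """Map SHA256 -> {old, new, source, created, comment} for every table row."""
    changes = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # border lines and the header row
            continue
        sha, old, new, source, created, comment = m.groups()
        changes[sha] = {"old": int(old), "new": int(new), "source": source,
                        "created": created, "comment": comment}
    return changes


def verdict_applied(output: str, sha256: str, expected: int) -> bool:
    """True if the table lists sha256 with `expected` as its new verdict."""
    rec = parse_verdict_changes(output).get(sha256)
    return rec is not None and rec["new"] == expected


# Constructed sample output. The first row is the one shown in the article; the
# second is a made-up row for the article's example hash after `verdict 0`.
SAMPLE_OUTPUT = """\
+------------------------------------------------------------------+---------+--------+---------------------+----------------------+
|                              SHA256                              | Verdict | Source |     Create Time     |       Comment        |
+------------------------------------------------------------------+---------+--------+---------------------+----------------------+
| 6b4195e640a85ac32eb6f9628822a622057df1e459df7c17a12f97aeabc9415b |  0 -> 1 |  cli   | 2025-12-12 12:18:02 | test-verdict-flipped |
| c323891a87a8c43780b0f2377de2efc8bf856f02dd6b9e46e97f4a9652814b5c |  1 -> 0 |  cli   | 2025-12-12 12:20:41 | test                 |
+------------------------------------------------------------------+---------+--------+---------------------+----------------------+
"""

# The example hash used in the article's submit command.
ARTICLE_HASH = "c323891a87a8c43780b0f2377de2efc8bf856f02dd6b9e46e97f4a9652814b5c"

if __name__ == "__main__":
    print(local_verdict_change_cmd(ARTICLE_HASH, 0))
    for sha, rec in parse_verdict_changes(SAMPLE_OUTPUT).items():
        print(sha[:12], VERDICT_CODES[rec["old"]], "->", VERDICT_CODES[rec["new"]], rec["comment"])
    print("benign verdict applied:", verdict_applied(SAMPLE_OUTPUT, ARTICLE_HASH, 0))
```

In practice, replace SAMPLE_OUTPUT with the text captured from the appliance session and feed the actual sample file's bytes to sha256_of_sample so the hash you submit is the one WildFire keyed the stale verdict on.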



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wl0ECAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail