Any idea for Palo Alto Sample Malware File not deteceted on threat emulation

Hi all

Was testing threat emulation on an SMB appliance, using competition files.

"No threats found in file downloaded by 10.10.6.100 from http://wildfire.paloaltonetworks.com/publicapi/test/pe"

Any idea how we can explain to the client that a file is considered malware by the blue vendor, but is considered benign here?

Have a nice day


2 Replies

Most likely because Palo Alto wrote a signature within wildfire to detect this exact file. I ran it through any.run, a detonation service, and it doesn't exhibit any malicious behaviors. Here is the link: https://app.any.run/tasks/a2044642-b16f-499c-822a-1a976b57e5a1

Any vendor will detect their own test files. Check Point has something similar for their services as well.

Admin

Bingo, and it shows a fundamental design flaw in Wildfire.
From PAN's documentation on their latest OS: https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/about-wildfire.html (emphasis mine):

The WildFire Analysis Environment identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can use to then detect and block the malware. When a Palo Alto Networks firewall detects an unknown sample (a file or a link included in an email), the firewall can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly-discovered malware, and makes the latest signatures globally available every five minutes. All Palo Alto Networks firewalls can then compare incoming samples against these signatures to automatically block the malware first detected by a single firewall.

Sure, we could create a signature to block their non-malicious test file.
However, it'd be an Anti-Virus signature, exactly the same way PAN blocks files detected as malicious by Wildfire.

If you subject our demo doc to Threat Emulation, a report will be generated.
However, you will see blocks by URL Filtering and/or Anti-Virus as well 🙂
It mentions "Reputation" as well as an "Exploited Macro" as the reasons for blocking.
It's not actually a malicious file, of course.