This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GabsOliv
Contributor
‎2019-05-13 04:53 PM

Any idea for Palo Alto Sample Malware File not deteceted on threat emulation

Hi all

Was testing threat emulation on SMB appliance,  using competition files.

"No threats found in file downloaded by 10.10.6.100 from http://wildfire.paloaltonetworks.com/publicapi/test/pe"Capture_1.PNG

 

Capture_2.PNG

 Any idea How can we explain to the client that a file is malware on the blue vendor, and here is considered benign.

 

Have a nice day

 

0 Kudos
2 Replies
Ryan_St__Germai
Advisor
‎2019-05-13 06:24 PM

Most likely because Palo Alto wrote a signature within wildfire to detect this exact file. I ran it through any.run, a detonation service, and it doesn't exhibit any malicious behaviors. Here is the link: https://app.any.run/tasks/a2044642-b16f-499c-822a-1a976b57e5a1

Any vendor will detect their own test files. CheckPoint has something similar for their services as well. 

PhoneBoy
Admin
Admin
‎2019-05-13 08:24 PM
In response to Ryan_St__Germai

Bingo, and it shows a fundamental design flaw in Wildfire.
From PAN's documentation on their latest OS: https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/about-wildfire.html (emphasis mine):

The WildFire Analysis Environment identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can use to then detect and block the malware. When a Palo Alto Networks firewall detects an unknown sample (a file or a link included in an email), the firewall can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly-discovered malware, and makes the latest signatures globally available every five minutes. All Palo Alto Networks firewalls can then compare incoming samples against these signatures to automatically block the malware first detected by a single firewall.

Sure, we could create a signature to block their non-malicious test file.
However, it'd be an Anti-Virus signature, exactly the same way PAN blocks files detected as malicious by Wildfire.

If you subject our demo doc to Threat Emulation, a report will be generated.
However, you will see blocks by URL Filtering and/or Anti-Virus as well 🙂
It mentions "Reputation" as well as an "Exploited Macro" as the reasons for blocking.
It's not actually a malicious file, of course.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events