Friday, 20 October 2017

How does Wildfire work?

--> Wildfire technology uses virtual sandboxing to prevent zero-day attacks and malware attacks.

--> Wildfire executes the received suspect files in a virtual environment and observes each file's behavior for signs of malicious activity, such as

i) changes to browser security settings

ii) injection of code into other processes

iii) modification of files in the Windows system folder

iv) domains that the sample attempted to access

--> When the wildfire engine completes file analysis, it generates a report of the observed behaviors and assigns the file one of the following verdicts:

i) Benign - The received file is safe and does not contain any malware.

ii) Grayware - The received file does not pose a direct security threat but might display otherwise obstructive behavior. Grayware typically includes adware, spyware and Browser Helper Objects.

iii) Malware - The received file is identified as malware and poses a security threat. Malware can include viruses, worms, trojans, remote access tools (RATs), rootkits and botnets.

--> Wildfire includes sandbox support for the following operating system environments:

i) Windows XP

ii) Windows 7 32-bit and 64-bit

--> For every file which is identified as malware, wildfire generates and distributes a signature to prevent future exposure to the threat.

--> A Palo Alto Networks firewall can be configured with a wildfire analysis profile in order to forward samples for wildfire analysis based on file type.

--> When a user downloads a file sample over a session that matches the security rule to which the wildfire analysis profile is attached, the firewall performs a file hash check with wildfire to determine whether wildfire has previously analyzed the file.

--> Wildfire detects malware in network and email related traffic.

--> Once wildfire detects malware, it generates a signature within 15-30 minutes.

--> Once the firewall downloads and installs the new signature, it drops any files that contain that malware.

--> Palo Alto Networks also develops signatures for command-and-control traffic, enabling immediate disruption of the communications of any malware already inside the network.
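To make the workflow above concrete, here is an added Python model of the firewall-side decision (file-type match, hash check, forward-if-unknown, verdict, drop on malware). It is not Palo Alto Networks code; the forwarded file types, the behaviour-to-verdict rules and the sample sandbox reports are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    GRAYWARE = "grayware"
    MALWARE = "malware"


# File types the (hypothetical) analysis profile forwards for analysis.
FORWARDED_TYPES = {"pe", "pdf"}


def classify(behaviours):
    """Hypothetical verdict rules over the behaviour signs the post lists."""
    if behaviours & {"process_injection", "system_folder_modification"}:
        return Verdict.MALWARE                  # direct threat
    if "browser_settings_change" in behaviours:
        return Verdict.GRAYWARE                 # obstructive, not a direct threat
    return Verdict.BENIGN                       # domain lookups alone are only recorded


@dataclass
class Firewall:
    verdicts: dict = field(default_factory=dict)   # sha256 -> Verdict (installed signatures)
    forwarded: list = field(default_factory=list)  # digests sent for sandbox analysis

    def inspect(self, file_type, data, sandbox_reports):
        """Return 'allow' or 'drop' for a file downloaded over a matching session."""
        if file_type not in FORWARDED_TYPES:
            return "allow"                          # profile does not cover this type
        digest = hashlib.sha256(data).hexdigest()
        verdict = self.verdicts.get(digest)         # file hash check first
        if verdict is None:                         # never analysed: forward the sample
            self.forwarded.append(digest)
            verdict = classify(sandbox_reports.get(digest, set()))
            self.verdicts[digest] = verdict         # signature distributed and installed
        return "drop" if verdict is Verdict.MALWARE else "allow"


# Constructed samples and the behaviours a sandbox run "observed" for each.
SAMPLE_MALWARE = b"MZ constructed dropper"
SAMPLE_ADWARE = b"MZ constructed adware"
SAMPLE_CLEAN = b"%PDF-1.4 constructed clean document"
REPORTS = {
    hashlib.sha256(SAMPLE_MALWARE).hexdigest(): {"process_injection", "domain_access"},
    hashlib.sha256(SAMPLE_ADWARE).hexdigest(): {"browser_settings_change"},
}
```

Inspecting the same malware sample twice forwards it only once: the second download is caught by the hash check against the installed verdict and dropped immediately.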
