This is Joe Delio from the Palo Alto Networks community team, bringing you our Palo Alto Networks video tutorial. In today's video tutorial, I'll be talking with you about WildFire and what it is. What you'll learn from this video tutorial: what WildFire is, ways to deploy WildFire, WildFire concepts, and WildFire subscription requirements.

Firstly, what is WildFire? WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing, signature-based detection, and blocking of malware. WildFire extends the capabilities of Palo Alto Networks next-generation firewalls to identify and block targeted and unknown malware.

Next, let's look at a high-level WildFire decision workflow. Depending on how you configure your firewall policy, the firewall can forward files to the WildFire cloud to analyze them. To determine if something is malware, a virus, or a malicious program, it places these files in a virtual sandbox. It looks for any behavior, whether it's trying to transmit sensitive data off of the network, if it's exhibiting any command and control communication, or if it's attempting to download any additional malware. It observes and detects over 100 malicious behaviors to identify the malware. After it makes a decision, it will add it to the threat research database. It then adds to the pattern database, then to the single-pass pattern match, and then reports and enforces your security policy.

Next on to the different ways you can deploy WildFire. You can do it in a WildFire public cloud, a private cloud, or you can have a WildFire hybrid cloud. In a public cloud deployment, the Palo Alto Networks firewall forwards the files to a hosted WildFire environment that Palo Alto Networks owns and maintains. As WildFire detects new malware, it generates new signatures within 15-30 minutes. Firewalls equipped with a WildFire subscription can receive the new signatures within 15 minutes.
Firewalls with the normal Threat Prevention subscription will receive the new signatures within the next antivirus signature update, which is traditionally within 24-48 hours. In a Palo Alto Networks private cloud deployment, Palo Alto Networks firewalls forward files to a WildFire-500 appliance that is located on your corporate network and is used to host private cloud analysis. The WildFire private cloud hosted on the local WildFire-500 appliance can receive and analyze files from up to 100 different Palo Alto Networks firewalls. With the local sandboxing of malware provided by the WildFire private cloud, benign or grayware files never leave your network. In a hybrid cloud deployment, a single firewall can forward certain samples to the WildFire public cloud and other samples to a WildFire private cloud hosted by a WildFire-500 or WF-500 appliance. Configure the settings on the firewall to forward files to a WildFire analysis location, either a public cloud or a private cloud, based on the file type, the application, and the transmission direction of the file, either upload or download.

Now on to some WildFire concepts. We'll be talking about the virtual sandbox, verdicts, file type analysis, e-mail link analysis, and then lastly, signatures. We can start off with the virtual sandbox. WildFire executes suspect files it receives in a virtual environment and observes the files' behavior for signs of malicious activities, such as changes to browser security settings, injection of code into other processes, modification of files in the Windows system folder, or domains that the sample attempted to access. The WildFire public cloud also analyzes files across application versions in order to identify malware intended to uniquely target specific versions of client applications. The WildFire private cloud does not support multi-version analysis and does not analyze application-specific files across several versions of the application.
When the WildFire engine completes the file analysis, it generates a detailed forensic report that summarizes the observed behaviors and assigns a verdict of malware, benign, or grayware to the file. Similarly, WildFire will extract links in e-mail messages and visit the links to determine if the corresponding web page hosts any exploits. If WildFire detects malicious behavior, it generates a report, submits the URL to PAN-DB, and categorizes the URL as malware. WildFire includes sandbox support for the following operating system environments: Microsoft Windows XP 32-bit, Microsoft Windows 7 32-bit, and Microsoft Windows 7 64-bit.

Now on to verdicts. WildFire delivers verdicts to identify samples it analyzes as safe, malicious, or unwanted. Grayware is considered obtrusive but not malicious. If a file is benign, the sample is safe and it does not exhibit any malicious behavior. If a file is grayware, the sample does not pose a direct security threat but might display otherwise obtrusive behavior. Grayware files typically include adware, spyware, and Browser Helper Objects, or BHOs. If it's malware, then the sample is considered malicious in nature or intent and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools, rootkits, and botnets. For files identified as malware, WildFire generates and distributes a signature to prevent against future exposure to that threat.

Next is file type analysis. A Palo Alto Networks firewall can be configured with a WildFire analysis profile in order to forward samples for WildFire analysis based on the file type. If a user downloads a file sample over a session that matches a security rule to which the WildFire analysis profile is attached, the firewall performs a file hash check with WildFire to determine if WildFire has previously analyzed the file. If the file is unknown, the firewall forwards it to WildFire. If the file has already been uploaded, it will just skip the file and show that in the logs.
Here are the supported file types: APK, which is the Android application package; e-mail link, which is just traditional e-mail links inside of e-mail messages; Adobe Flash; JAR, or Java applets; MS Office, or Microsoft Office files, which include DOC, DOCX, XLS, XLSX, and Microsoft Office applications; PE, which is Portable Executable files, which can be object code, DLLs, and even fonts; and PDF files. A subscription is not required to forward portable executables for WildFire analysis, but it is required for all other supported file types.

Next is e-mail link analysis. A Palo Alto Networks firewall can extract HTTP or HTTPS links contained in SMTP and POP3 e-mail messages and forward the links to the WildFire public or private cloud for analysis. Enable forwarding of unknown links contained in e-mails by configuring a WildFire analysis profile with the e-mail link file type. The firewall only extracts links and associated session information (sender, recipient, and subject) from the e-mail messages that traverse the firewall. It does not receive, store, forward, or even view the e-mail message. After receiving a link from a firewall, WildFire visits the link to determine whether the corresponding web page hosts any exploits. If WildFire determines that the page itself is benign or grayware, it will not generate a log. However, if it does detect malicious behavior on the page, it returns a malicious verdict to the firewall, generates a detailed analysis report, and logs it in the WildFire Submissions log on the firewall. The log includes the e-mail header information (e-mail sender, recipient, and subject) so that you can identify the message and delete it from the e-mail server, or mitigate the threat if the e-mail has already been delivered or opened. It also adds the URL to PAN-DB and categorizes the URL as malware. The firewall forwards e-mail links to WildFire in batches of 100 e-mail links or every two minutes, depending on which limit is hit first.
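The file type analysis described above, as an added example that is not part of the tutorial: a small Python model of the firewall-side forwarding decision (hash lookup, subscription gate for non-PE types, and hybrid-cloud destination by file type and direction). The verdict cache, the profile fields, and the rule that a private cloud only takes uploads are constructed assumptions, not Palo Alto Networks code or configuration.

```python
import hashlib
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed verdict cache standing in for the hash check the firewall
# performs against WildFire (hypothetical data, not a real lookup).
KNOWN_VERDICTS = {
    hashlib.sha256(b"MZ benign installer").hexdigest(): "benign",
    hashlib.sha256(b"%PDF adware toolbar").hexdigest(): "grayware",
    hashlib.sha256(b"MZ dropper payload").hexdigest(): "malware",
}

# File types named in the tutorial; PE is the only type forwarded without a
# WildFire subscription.
SUPPORTED = {"apk", "email-link", "flash", "jar", "ms-office", "pe", "pdf"}


@dataclass
class Profile:
    has_subscription: bool
    file_types: Set[str]            # types the WildFire analysis profile forwards
    private_cloud_types: Set[str]   # hybrid deployment: types sent to the WF-500
    private_cloud_direction: str = "upload"  # assumed routing rule for this model


def decide(sample: bytes, file_type: str, direction: str,
           profile: Profile) -> Tuple[str, str]:
    """Return (action, detail) for a sample on a rule with the profile attached.
    action is 'not-forwarded', 'skip' (already analyzed) or 'forward'."""
    if file_type not in SUPPORTED or file_type not in profile.file_types:
        return "not-forwarded", "file type not in WildFire analysis profile"
    if file_type != "pe" and not profile.has_subscription:
        return "not-forwarded", "subscription required for non-PE file types"
    # Hash check first: a previously analyzed file is skipped and only logged.
    verdict = KNOWN_VERDICTS.get(hashlib.sha256(sample).hexdigest())
    if verdict is not None:
        return "skip", f"already analyzed, verdict={verdict}"
    # Unknown file: pick the analysis location (hybrid deployment).
    if (file_type in profile.private_cloud_types
            and direction == profile.private_cloud_direction):
        return "forward", "private-cloud"
    return "forward", "public-cloud"
```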
Each batch upload to WildFire counts as one upload towards the uploads-per-minute capacity for the given firewall platform. If a link included in the e-mail corresponds to a download instead of a URL, the firewall forwards the file to WildFire for analysis only if the corresponding file type is enabled for WildFire analysis.

Now on to signatures. WildFire can automatically generate a signature based on the malware payload of the sample and test it for accuracy and safety. Because malware evolves rapidly, the signatures that WildFire generates will address multiple variants of the malware. As WildFire detects new malware, it generates new signatures within 15-30 minutes. Firewalls equipped with the WildFire subscription can receive new signatures within fifteen minutes. Again, if you do not have a WildFire subscription, signatures will be made available within 24-48 hours as part of the antivirus update for firewalls equipped with a Threat Prevention subscription. As soon as a firewall downloads and installs a new signature, the firewall drops any files that contain that malware or a variant of the malware. Information gathered by WildFire during the analysis of the malware is used to fortify other threat prevention features, such as adding malware URLs to PAN-DB and generating DNS signatures, antivirus signatures, and anti-spyware signatures. Palo Alto Networks also develops signatures for command and control traffic, enabling the immediate disruption of the communication of any malware inside your network.

Lastly, the WildFire subscription requirements. To receive the full benefits of the WildFire service, each firewall connected to the WildFire public cloud or private cloud must have a WildFire subscription, which includes the following. WildFire dynamic updates: as we stated before, these updates are generated within 15-30 minutes after WildFire identifies a malicious sample.
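The e-mail link batching described above (100 links or two minutes, whichever limit is hit first, each batch counting as one upload), as an added example that is not part of the tutorial. The class, its method names, and the injected clock are constructed for this model and are not firewall code.

```python
from typing import Dict, List, Optional

BATCH_SIZE = 100        # links per batch, from the tutorial
BATCH_INTERVAL = 120.0  # seconds: "every two minutes"


class EmailLinkBatcher:
    """Models firewall-side e-mail link forwarding: links are queued and flushed
    as one upload when 100 links are queued or two minutes have passed since
    the first queued link, whichever comes first. Time is passed in as seconds
    so the model runs offline and deterministically."""

    def __init__(self) -> None:
        self.pending: List[Dict[str, str]] = []
        self.first_queued_at: Optional[float] = None
        self.uploads = 0  # each flushed batch counts as one upload

    def add_link(self, url: str, sender: str, recipient: str, subject: str,
                 now: float) -> Optional[List[Dict[str, str]]]:
        """Queue a link with its session metadata; returns the batch if it flushed.
        Only the link, sender, recipient and subject are kept, never the body."""
        if not self.pending:
            self.first_queued_at = now
        self.pending.append({"url": url, "sender": sender,
                             "recipient": recipient, "subject": subject})
        return self._flush_if_due(now)

    def tick(self, now: float) -> Optional[List[Dict[str, str]]]:
        """Periodic timer callback so the two-minute limit fires with no new links."""
        return self._flush_if_due(now)

    def _flush_if_due(self, now: float) -> Optional[List[Dict[str, str]]]:
        if not self.pending or self.first_queued_at is None:
            return None
        size_hit = len(self.pending) >= BATCH_SIZE
        time_hit = now - self.first_queued_at >= BATCH_INTERVAL
        if not (size_hit or time_hit):
            return None
        batch, self.pending, self.first_queued_at = self.pending, [], None
        self.uploads += 1
        return batch
```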
WildFire generates new malware signatures and distributes them in the WildFire dynamic updates, which the firewall can pull every 15, 30, or 60 minutes. You can configure the firewall to take specific actions on malware signatures separate from the regular antivirus signature actions in the antivirus profile. The WildFire signatures delivered in the dynamic update will include signatures generated from malware detected in files submitted to WildFire by Palo Alto Networks WildFire customers, not just the samples that your firewall sends to WildFire. Next is WildFire advanced file type support, which allows a firewall to forward samples for WildFire analysis based on the file type and to configure the firewall to extract and forward links included in e-mail messages for WildFire e-mail link analysis. Lastly is the WildFire API, which enables direct programmatic access to the WildFire service on the Palo Alto Networks WildFire cloud or the WF-500 (WildFire-500) appliance. Use the WildFire API to submit files for analysis and to receive the subsequent WildFire analysis reports. The WildFire API supports up to 1,000 file submissions and up to 10,000 queries a day. Only firewalls with a WildFire subscription can forward files to a WildFire WF-500 appliance for private cloud analysis.

In the article on live.paloaltonetworks.com, I will have links for capacity information as well as information on signatures and benefits of the WildFire subscription. This concludes this week's video tutorial about what WildFire is. I hope this has helped you understand more about WildFire, and look forward to the next video tutorial on how to configure WildFire and how to view the logs. Thank you very much for watching. Have a great day.