1. Overview

WildFire is Palo Alto Networks' malware detection engine, providing malware detection for both known and unknown threats.

Currently Wildfire analysis is provided without additional costs, but this may change in future releases. The service is currently available to Prisma Cloud for malware analysis as part of containers CI and runtime protection for containers and hosts. Access to WildFire is provided as a new subscription that is specific to Prisma Cloud Compute, and will not effect any existing WildFire subscriptions.

To check a file verdict, the file hash is calculated and sent to WildFire for a verdict. If a file with the specified hash was already uploaded to WildFire for a verdict, an instantaneous verdict is provided. Unknown files can be sent to WildFire for full analysis, including machine based static analysis, and dynamic analysis that includes detonation of the file in a sandbox, and behavioral analysis.

WildFire support the following verdict types: benign, malware, grayware, and unknown:

  • Benign —- The sample is safe and does not exhibit malicious behavior.

  • Grayware —- The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).

  • Malicious — The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets.

  • Unknown — The file has not previously been uploaded to Wildfire for analysis. Full analysis can be performed on file upload.

Configuration of the WildFire malware analysis service is done via *Manage > System > WildFire:

  • Wildfire malware detection — Enable WildFire malware detection.

  • Status — Provides indication on current activation state with WildFire, and is updated upon successful activation of the Wildfire service.

  • WildFire cloud region — The WildFire service is available in multiple locations to meet local privacy requirements and reduce latency for communication to the service.

As all defenders connected to a given console must use the same Wildfire service, which would be used both for file verdicts and upload of files for full analysis. You should select the WildFire service closest to where most defenders are, or based on your privacy requirements.

Defenders must be able to access the relevant WildFire service configured over https (port 443) based on the following URLs:

  • Global (US): wildfire.paloaltonetworks.com

  • Europe (netherlands): eu.wildfire.paloaltonetworks.com

  • Japan: jp.wildfire.paloaltonetworks.com

  • Singapore: sg.wildfire.paloaltonetworks.com

  • United Kingdom: uk.wildfire.paloaltonetworks.com

  • Canada: ca.wildfire.paloaltonetworks.com

For WildFire activation and license renewals, the console must be able to access the IS server at https://intelligence.twistlock.com.

  • Use WildFire for runtime protection — Enable WildFire malware scanning in runtime for containers and hosts. Additional configuration is available under the rule Anti-malware tab, to select the preferred effect per rule.

  • Use WildFire for CI compliance checks — Enable WildFire malware scanning for containers CI checks. Malware scan by WildFire is done as part of Twistlock labs image check (ID 422).

  • Upload files with unknown verdicts to WildFire — Determines whether files with unknown verdict will be sent to WildFire for full analysis. When off, WildFire will only provide verdict for files that have been uploaded to WildFire via a different client.

  • Treat grayware as malware — Use a more restrictive approach and treat files with grayware verdict as malware.

Currently Prisma Cloud Compute uses WildFire for file verdicts only in the following scenarios:

  • Hosts runtime:

    • ELF files written to a linux host file system in runtime, which are not deployed via a package manager.

    • Files must be smaller than 100MB (WildFire limit)

  • Container runtime / CI:

    • ELF files written to a linux container file system in runtime.

    • Shared objects are not examined via WildFire.

    • File must be smaller than 100MB (WildFire limit).

You can submit up to 5000 files per day, and get up to 50,000 verdicts on your submissions to the WildFire service.
Wildfire is supported on Linux only. Windows containers and hosts aren’t currently supported.