1. Overview

WildFire is Palo Alto Networks' malware detection engine, providing malware detection for both known and unknown threats.

To check a file verdict, the file hash is calculated and sent to WildFire for a verdict. If a file with the specified hash was already uploaded to WildFire for a verdict, an instantaneous verdict is provided. Unknown files can be sent to WildFire for full analysis, including machine based static analysis, and dynamic analysis that includes detonation of the file in a sandbox, and behavioral analysis.

Currently WildFire analysis for Prisma Cloud is provided without additional costs, but it may be charged for in future releases. The service is currently available to Prisma Cloud for malware analysis as part of containers CI and runtime protection for containers and hosts.

WildFire support the following verdict types: benign, malware, grayware, and unknown:

  • Benign —- The sample is safe and does not exhibit malicious behavior.

  • Grayware —- The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs).

  • Malicious — The sample is malware and poses a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets.

  • Unknown — The file has not previously been uploaded to Wildfire for analysis. Full analysis can be performed on file upload.

Configuration of the WildFire malware analysis service is done via *Manage > System > WildFire:

  • Wildfire malware detection — Enable WildFire malware detection.

  • Status — Provides indication on current activation state with WildFire, and is updated upon successful activation of the Wildfire service.

  • WildFire cloud region — The WildFire service is available in multiple locations to meet local privacy requirements and reduce latency for communication to the service.

As all defenders connected to a given console must use the same Wildfire service, you should select the WildFire service closest to where most defenders are, or based on your privacy requirements.

Defenders must be able to access the relevant WildFire service configured over https (port 443) based on the following URLs:

Global (US): wildfire.paloaltonetworks.com Europe (netherlands): eu.wildfire.paloaltonetworks.com Japan: jp.wildfire.paloaltonetworks.com Singapore: sg.wildfire.paloaltonetworks.com United Kingdom: uk.wildfire.paloaltonetworks.com Canada: ca.wildfire.paloaltonetworks.com

For WildFire activation and license renewals, the console must be able to access the IS server at https://intelligence.twistlock.com.

  • Use WildFire for runtime protection — Enable WildFire malware scanning in runtime for containers and hosts. Additional configuration is available under the rule Anti-malware tab, to select the preferred effect per rule.

  • Use WildFire for CI compliance checks — Enable WildFire malware scanning for containers CI checks. Malware scan by WildFire is done as part of Twistlock labs image check (ID 422).

  • Upload files with unknown verdicts to WildFire — Determines whether files with unknown verdict will be sent to WildFire for full analysis. When off, WildFire will only provide verdict for files that have been uploaded to WildFire via a different client.

  • Treat grayware as malware — Use a more restrictive approach and treat files with grayware verdict as malware.