WildFire: Modern Malware Protection

Modern malware is at the heart of many of today's most sophisticated network attacks and is increasingly customized to avoid traditional security solutions. Palo Alto Networks has developed an integrated approach that addresses the full malware lifecycle, from preventing infections and identifying unknown or targeted malware to pinpointing and disrupting any active infections. The Palo Alto Networks WildFire engine exposes targeted and unknown malware through direct observation in a virtual environment, while the next-generation firewall ensures full visibility and control of all traffic, including tunneled, evasive, encrypted and even unknown traffic.

WildFire detection of unknown and targeted malware

When the firewall encounters an unknown .EXE or .DLL delivered by any application, including applications encrypted with SSL, the file can be submitted to the WildFire virtualized sandbox, where Palo Alto Networks can directly observe more than 70 malicious behaviors that reveal the presence of malware. Submissions can be made manually or automatically based on policy.


Signatures to halt attacks and prevent further infection

When a sample is identified as malware, the sample is passed on to WildFire's signature generator, which automatically generates a signature for the sample and tests it for accuracy. The new signature is then distributed in the next content update. Palo Alto Networks also develops signatures for the all-important command and control traffic, enabling staff to immediately disrupt the communications of any malware inside the network.

WildFire intelligence and forensics

In addition to providing protection, administrators have access to a wealth of actionable information about the detected malware through the WildFire portal. A detailed behavioral report of the malware is produced, along with information on the user that was targeted, the application that delivered the malware, and all URLs involved in the delivery or phone-home of the malware.

Integration of firewall and the cloud

WildFire uses a customer's on-premises firewalls in conjunction with Palo Alto Networks' cloud-based analysis engine: the firewall preserves in-line performance, while the cloud delivers the fastest protections to all enterprise locations.


Controls applications used for botnet propagation and command and control

Organizations can use the application control enabled by App-ID to deploy firewall policies that control those applications that may be used by botnets as propagation channels or for command and control. Examples include:

  • Block P2P and IM applications, such as MSN, that have been known to propagate botnets.
  • Block known botnet command and control applications (e.g., IRC).
  • Control, inspect and monitor applications that are emerging as command and control channels (Twitter, Gmail, Google Docs).

Prevents the propagation of known botnets

The threat prevention engine can identify and block a wide range of known botnets, such as Dark Energy and Rustock, while scheduled threat signature updates ensure that newly discovered botnets are also identified and blocked.

Quickly determine which machines may be bot infected

The behavioral botnet report analyzes a range of datapoints, including unknown applications, IRC traffic, malware sites, dynamic DNS, and newly created domains, and displays the results as a list of potentially infected hosts that can be investigated as members of a botnet.
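As an added illustration of the correlation such a report performs (this is example code, not Palo Alto Networks' implementation), the script below scores hosts from a handful of constructed log records in a hypothetical CSV layout, not actual PAN-OS log syntax; the indicator weights, the dynamic-DNS suffix list and the newly registered domain set are assumptions chosen for the example.

```python
from collections import defaultdict

# Weights per indicator are an assumption chosen for illustration.
INDICATOR_WEIGHTS = {
    "unknown-app": 2,    # traffic the firewall could not identify
    "irc": 3,            # classic command-and-control channel
    "malware-site": 4,   # destination in a malware URL category
    "dynamic-dns": 2,    # destination on a dynamic DNS provider
    "new-domain": 2,     # destination domain registered very recently
}

# Constructed sample log lines (hypothetical CSV: src_host,app,url_category,dst)
SAMPLE_LOGS = """\
10.1.1.5,web-browsing,business,example.com
10.1.1.5,unknown-tcp,unknown,203.0.113.7
10.1.1.5,irc,unknown,203.0.113.9
10.1.1.5,web-browsing,malware,bad.dyndns-example.net
10.1.1.8,web-browsing,business,example.org
10.1.1.8,dns,unknown,x7f.newly-registered-example.com
10.1.1.9,ssl,business,mail.example.com
""".strip().splitlines()
DYNAMIC_DNS_SUFFIXES = ("dyndns-example.net",)      # constructed lookup list
NEW_DOMAINS = {"x7f.newly-registered-example.com"}  # constructed lookup list

def indicators_for(record):
    """Map one parsed record (src, app, category, dst) to the indicators it triggers."""
    _src, app, category, dst = record
    hits = set()
    if app.startswith("unknown"):
        hits.add("unknown-app")
    if app == "irc":
        hits.add("irc")
    if category == "malware":
        hits.add("malware-site")
    if dst.endswith(DYNAMIC_DNS_SUFFIXES):
        hits.add("dynamic-dns")
    if dst in NEW_DOMAINS:
        hits.add("new-domain")
    return hits

def rank_hosts(lines, threshold=4):
    """Return [(host, score, sorted indicators)] for hosts scoring >= threshold."""
    seen = defaultdict(set)  # each indicator counts once per host, however often it recurs
    for line in lines:
        record = line.split(",")
        if len(record) != 4:
            continue  # skip malformed lines instead of crashing the report
        seen[record[0]].update(indicators_for(record))
    ranked = [(h, sum(INDICATOR_WEIGHTS[i] for i in inds), sorted(inds))
              for h, inds in seen.items()]
    return sorted((r for r in ranked if r[1] >= threshold), key=lambda r: -r[1])
```

With the sample data only 10.1.1.5 crosses the default threshold; lowering the threshold to 2 also surfaces 10.1.1.8 on the strength of the single newly registered domain, which is the kind of low-confidence hit an analyst would triage rather than act on.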