Palo Alto Networks WildFire

Modern Malware Protection For Enterprises 

The rapid evolution of malware demands a new approach to developing detection and protection mechanisms. Introducing WildFire, a new, more responsive approach to modern malware protection.

Using the combined power of Palo Alto Networks next-generation firewalls and a cloud-based service, WildFire exposes previously unseen malicious executable files by directly observing their behaviour in a secure virtualised environment. This direct analysis quickly and accurately identifies new malware, leading to the automated creation of new signatures that are distributed to all Palo Alto Networks devices via the current threat prevention subscription service.

WildFire detection of unknown and targeted malware

When the firewall encounters an unknown .EXE or .DLL that has been delivered by any application, even one that is encrypted with SSL, the file can be submitted to the WildFire virtualised sandbox, where Palo Alto Networks can directly observe more than 70 malicious behaviours that can reveal the presence of malware. Submissions can be made manually or automatically based on policy.

Signatures to halt attacks and prevent further infection

When a sample is identified as malware, the sample is passed on to WildFire's signature generator, which automatically generates a signature for the sample and tests it for accuracy. The new signature is then distributed in the next content update. Palo Alto Networks also develops signatures for the all-important command and control traffic, enabling staff to immediately disrupt the communications of any malware inside the network.

WildFire Intelligence And Forensics

In addition to providing protection, administrators have access to a wealth of actionable information about the detected malware through the WildFire portal. A detailed behavioural report of the malware is produced, along with information on the user that was targeted, the application that delivered the malware, and all URLs involved in the delivery or phone-home of the malware.

Integration Of Firewall And The Cloud

WildFire makes use of a customer's on-premises firewalls in conjunction with Palo Alto Networks cloud-based analysis engine to ensure in-line performance, while using the cloud to deliver the fastest protections for all enterprise locations.

Controls Applications Used For Botnet Propagation And Command And Control

Organisations can use the application control enabled by App-ID to deploy firewall policies that control those applications that may be used by botnets as propagation channels or for command and control. Examples include:
  • Block P2P and IM applications, such as MSN, which have been known to propagate botnets
  • Block known botnet command and control applications (e.g., IRC)
  • Control, inspect and monitor those applications that are emerging as command and control channels (Twitter, Gmail, Google Docs)

Prevents The Propagation Of Known Botnets

The threat prevention engine can identify and block a wide range of known botnets, such as Dark Energy and Rustock, while scheduled threat signature updates ensure that newly discovered botnets are also identified and blocked.

Quickly Determine Which Machines May Be Bot Infected

The behavioural botnet report analyses a range of datapoints, including unknown applications, IRC traffic, malware sites, dynamic DNS, and newly created domains. The results are displayed as a list of potentially infected hosts that can be investigated as possible members of a botnet.
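As an added illustration of the kind of correlation such a report performs (example code, not Palo Alto Networks' own logic), the routine below runs over a few constructed traffic-log records and ranks hosts by the distinct datapoints they trigger. The log field layout, indicator weights and category names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records: (source host, App-ID, destination, URL/DNS category).
SAMPLE_LOGS = [
    ("10.1.1.5", "unknown-tcp", "203.0.113.10", "malware"),
    ("10.1.1.5", "irc", "198.51.100.7", "dynamic-dns"),
    ("10.1.1.5", "web-browsing", "example.net", "newly-registered"),
    ("10.1.1.9", "web-browsing", "example.org", "benign"),
    ("10.1.1.9", "unknown-udp", "192.0.2.44", "benign"),
    ("10.1.1.12", "web-browsing", "example.com", "newly-registered"),
]

# Assumed weights for the datapoints the report considers (not the product's values).
INDICATOR_WEIGHTS = {
    "unknown-application": 2,
    "irc-traffic": 3,
    "malware-site": 4,
    "dynamic-dns": 2,
    "newly-created-domain": 1,
}
# Assumed mapping from a log's URL/DNS category to a report datapoint.
CATEGORY_INDICATORS = {
    "malware": "malware-site",
    "dynamic-dns": "dynamic-dns",
    "newly-registered": "newly-created-domain",
}

def indicators_for(record):
    """Return the set of indicator names that a single log record triggers."""
    _, app, _, category = record
    found = set()
    if app.startswith("unknown-"):
        found.add("unknown-application")
    if app == "irc":
        found.add("irc-traffic")
    if category in CATEGORY_INDICATORS:
        found.add(CATEGORY_INDICATORS[category])
    return found

def score_hosts(records, threshold=3):
    """Collect the distinct indicators seen per host (so repeated hits do not inflate
    the score), weight them, and return (host, score, indicators) for hosts at or
    above the threshold, highest score first."""
    per_host = defaultdict(set)
    for rec in records:
        per_host[rec[0]] |= indicators_for(rec)
    ranked = [(h, sum(INDICATOR_WEIGHTS[i] for i in inds), sorted(inds))
              for h, inds in per_host.items()]
    return sorted((r for r in ranked if r[1] >= threshold), key=lambda r: (-r[1], r[0]))
```

With the default threshold only the host combining several datapoints is listed; lowering the threshold surfaces hosts with a single weak indicator, which is the trade-off an analyst tunes before investigating the output.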