WF Technical Document


WildFire

Automatically Prevent Highly Evasive Zero-Day Exploits and Malware

Palo Alto Networks WildFire® malware prevention service is the industry’s most advanced analysis and prevention engine for highly evasive zero-day exploits and malware. The service employs a unique multi-technique approach, combining dynamic and static analysis, innovative machine learning techniques, and a groundbreaking bare metal analysis environment to detect and prevent even the most evasive threats.

Benefits
• Detect evasive zero-day exploits and malware with a unique combination of dynamic and static analysis, novel machine learning techniques, and bare metal analysis.
• Orchestrate automated prevention for unknown threats in as few as five minutes following first discovery anywhere in the world, without requiring manual response.
• Build collective immunity for unknown malware and exploits with shared realtime intelligence from more than 30,000 subscribers.
• Provide highly relevant threat analysis and context with AutoFocus contextual threat intelligence service.

Strata by Palo Alto Networks | WildFire | Datasheet 1


Today, organizations must contend with an entire marketplace of malware and exploit developers selling or renting out their malicious tools, making them available to all classes of attackers. At the same time, advanced evasion techniques have been commoditized, allowing attacks to sidestep legacy detection approaches. Now, even low-skilled adversaries can launch unique attacks capable of evading traditional threat identification and prevention approaches, requiring human intervention that cannot scale against the volume of unknown threats seen today.

WildFire changes the equation for adversaries, turning every Palo Alto Networks platform deployment into a distributed sensor and enforcement point to stop zero-day malware and exploits before they can spread and succeed. Within the WildFire environment, threats are detonated, intelligence is extracted, and prevention is automatically orchestrated across the Palo Alto Networks Security Operating Platform® in as few as five minutes after first discovery anywhere in the world.

Find the Unknown with a Unique Multi-Technique Approach

WildFire goes beyond traditional approaches used to detect unknown threats, bringing together the benefits of four independent techniques for high-fidelity and evasion-resistant discovery:
• Dynamic analysis observes files as they detonate in a purpose-built, evasion-resistant virtual environment, enabling detection of zero-day exploits and malware using hundreds of behavioral characteristics.
• Static analysis complements dynamic analysis with effective detection of malware and exploits, providing instant identification of malware variants. Static analysis further leverages dynamic unpacking to analyze threats attempting to evade detection using packer tools.
• Machine learning extracts thousands of unique features from each file, training a predictive machine learning model to identify new malware, which is not possible with static or dynamic analysis alone.
• Bare metal analysis detonates evasive threats in a real hardware environment, entirely removing an adversary’s ability to deploy anti-VM analysis techniques.
Together, these four unique techniques allow WildFire to discover and prevent unknown malware and exploits with high efficacy and near-zero false positives.

Figure 1: Evasion-resistant discovery
[Figure: sources feeding WildFire (Firewalls, VM-Series, Prisma SaaS, Cortex XDR, partner integrations, third-party feeds, industry sharing); WildFire components (Static Analysis, Dynamic Analysis, Bare Metal Analysis, Machine Learning, cloud-based threat intelligence); AutoFocus outputs (threat dashboard, prioritized events, contextual threat intelligence, proactive response, correlated third-party threat feeds, granular and custom tags, custom alerts, trend reports).]

Automated Orchestration of Prevention

When zero-day exploits or malware are discovered by any WildFire subscriber, the service automatically orchestrates enforcement of high-fidelity, evasion-resistant protections for all WildFire subscribers in as few as five minutes following first discovery anywhere in the world. These protections are derived and shared across more than 30,000 WildFire users,
forming the industry’s largest distributed sensor network focused on detecting and preventing unknown threats.

WildFire also forms the central prevention orchestration point for the Security Operating Platform, allowing the enforcement of new controls through:
• Threat Prevention to block malware, exploits, and command-and-control activity.
• URL Filtering with PAN-DB for the prevention of newly discovered malicious URLs.
• AutoFocus™ contextual threat intelligence service, enabling the extraction, correlation, and analysis of threat intelligence with high relevance and context.
• Cortex XDR™ agent and Prisma™ SaaS for realtime verdict determination and threat prevention.
• Integration with our technology partners for verdict determination on third-party services with the WildFire API.

Most Advanced Malware Analysis Environment

WildFire brings forth years of groundbreaking innovation to provide the most advanced analysis environment in the industry, enabling the most accurate and evasion-resistant detection of unknown threats available today. The WildFire engine is based on two primary components.

Custom-Built Hypervisor

Built from the ground up to avoid use of commonly used, open source emulation software that has become trivial to evade, the WildFire hypervisor is immune to commoditized anti-VM analysis techniques used to evade detection in traditional malware analysis environments. The custom hypervisor also provides a flexible framework to continue building advanced detection and evasion-resistant capability into WildFire in the future.

Bare Metal Analysis

The most sophisticated threats can potentially observe that they are being examined in an advanced virtual environment and fail to fully detonate. To address this class of advanced attacks, WildFire has the ability to automatically analyze advanced threats in real hardware systems using our bare metal analysis engine. Now, even the most evasive threats can be conclusively identified and prevented.

Identification and Verdicts

Within the malware analysis environment, WildFire executes suspicious content in the Windows® XP, Windows 7, Windows 10, Android®, and macOS® operating systems, with full visibility into commonly exploited file formats, such as EXE, DLL, ZIP, 7ZIP, RAR Archive, Mach-O, Mach-OSX DMG, ELF (Linux), and PDF, as well as Microsoft Office documents, Java files, Android APKs, Adobe Flash® applets, and links within email messages. WildFire identifies files with potential malicious behaviors, and then delivers verdicts based on their actions, by applying threat intelligence, analytics, and correlation alongside advanced capabilities:
• Complete malicious behavior visibility identifies threats in all traffic across hundreds of applications, including web traffic, email protocols like SMTP, IMAP, and POP, as well as file sharing protocols like SMB and FTP, regardless of ports or encryption.
• Changes made to host observes all processes for modifications to the host, including evidence of exploitation, persistence mechanisms, data encryption, and system destruction techniques.
• Suspicious network traffic analysis monitors all network activity produced by the suspicious file, including backdoor creation, downloading of next-stage malware, visiting low-reputation domains, network reconnaissance, and much more.
• Anti-analysis detection monitors advanced malware techniques designed to avoid VM-based analysis, such as debugger detection, hypervisor detection, code injection into trusted processes, disabling of host-based security features, and much more.

In combination with WildFire, organizations can use AutoFocus to home in on the most targeted threats with high relevance and context. AutoFocus provides the ability to hunt across all data extracted from WildFire, as well as third-party threat feeds, using MineMeld™ threat intelligence syndication engine. It allows users to correlate indicators of compromise and samples with human intelligence from the Unit 42 threat research team in the form of tags. Together, WildFire and AutoFocus provide a complete picture of unknown threats targeting your organization and industry, increasing your ability to quickly take action by:
• Automatically updating External Dynamic Lists on Palo Alto Networks Next-Generation Firewalls.
• Automatically exporting indicators of compromise to third-party tools via STIX™, TAXII™, and APIs.
These actions require no human intervention and reduce the cost of adding specialized security staff.

Safe, Scalable Cloud-Based Architecture

The unique cloud-based architecture of WildFire supports unknown threat detection and prevention at massive scale across networks, endpoints, and clouds. You can take advantage of the service as part of the Security Operating Platform without introducing a performance impact to the firewall. To meet even the strictest local privacy or regulatory requirements, WildFire is available in multiple deployment modes, including:
• Global cloud delivery: Files are submitted to the WildFire global cloud, delivering scale and speed, and enabling any customer of Palo Alto Networks to quickly turn on the service, including users of physical and virtualized Next-Generation Firewalls, public cloud offerings, Prisma SaaS, and Cortex XDR agents.
• Private cloud delivery: The WildFire appliance, a local on-premises device, conducts all threat detonation,
intelligence extraction, and protection generation, but it maintains the ability to receive updates from the global cloud for customers with privacy or regulatory requirements.
• Hybrid cloud delivery: You can combine the benefits of the global and private clouds by choosing to send sensitive files to the private cloud while other content is analyzed by the global cloud.
• Global cloud infrastructure: Take advantage of automated protections delivered through the global cloud without the need to send content beyond your borders, allowing you to maintain privacy and compliance at scale.

Figure 2: Global cloud infrastructure

Integrated Logging, Reporting, and Forensics

WildFire users receive integrated logs, analysis, and visibility into malicious events through the PAN-OS® management interface, Panorama™ network security management, AutoFocus, or the WildFire portal, enabling teams to quickly investigate and correlate events observed in their networks. This allows security staff to rapidly locate and take action on the data needed for timely investigations and incident response, including:
• Detailed analysis of every malicious file sent to WildFire across multiple operating system environments, including both host- and network-based activity.
• Session data associated with the delivery of the malicious file, including source, destination, application, user, URL, and other attributes.
• Access to the original malware sample for reverse engineering, with full PCAPs of dynamic analysis sessions.
• An open API for integration with third-party security tools, such as security information and event management systems (SIEMs).

Security Operating Platform

Built on the Security Operating Platform®, WildFire blocks known and unknown threats before they can cause harm, taking advantage of:
• Full visibility into all network traffic activity, including stealthy attempts to evade detection, such as the use of nonstandard ports or SSL encryption.
• Attack surface reduction with positive security controls to proactively take away infection vectors.
• Automatic known threat prevention with our Next-Generation Firewalls, Threat Prevention, URL Filtering, Cortex XDR agents, and Prisma SaaS, providing defenses against known exploits, malware, malicious URLs, and command-and-control activity.
• Unknown threat detection and prevention with WildFire, including threat analytics with high relevance and context through the AutoFocus service.
The result is a unique, closed-loop approach to preventing cyberthreats, ensuring they are known to all and blocked across the attack lifecycle.

Maintaining the Privacy of Your Files

The security and privacy of customer data is our top priority. The WildFire infrastructure is managed directly by Palo Alto Networks, leverages industry-standard best practices for
security and confidentiality, and is regularly audited for SOC 2 compliance. You can find further information in the WildFire Privacy datasheet.

WildFire Requirements

WildFire analysis of certain file types requires the following version, or a newer version, of PAN-OS:
• Baseline WildFire functionality requires PAN-OS 4.1+
• PDF, Java, Office, and APK analysis requires PAN-OS 6.0+
• Adobe Flash and webpage analysis requires PAN-OS 6.1+

Licensing Information

The WildFire global cloud subscription provides:
• Windows XP, Windows 7, Windows 10, macOS, and Android OS virtual analysis environments.
• Automated signature updates delivered every five minutes for zero-day malware and exploits discovered by any WildFire subscriber submitting samples to the WildFire global cloud. Signatures include file-based antivirus signatures, Domain Name System signatures, and URL signatures. URL signatures require a PAN-DB subscription.
• Support for PE files, such as EXE, DLL, and others; all Microsoft Office file types; PDFs; Flash files; Java applets, including JAR and CLASS; RAR and 7ZIP archive files; Linux ELFs; Android APKs; macOS binaries, such as Mach-O, DMG, PKG, and application bundles; scripts, including JScript, VBScript, PowerShell, and Shell script; and analysis of links within email messages. This includes support for compressed and encrypted content.
• Analysis of select samples in a bare metal analysis environment, as determined by the WildFire system.

Basic WildFire functionality is available as a standard feature on all Security Operating Platform deployments running PAN-OS 4.1 or later, enabling a restricted set of WildFire features, including:
• Windows XP and Windows 7 virtual analysis environments.
• Automated submission of only EXE and DLL file types, including compressed and encrypted content.
• Automatic protections delivered with regular Threat Prevention content updates every 24 hours, given an active Threat Prevention subscription.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. wildfire-ds-021320
