2. Introducing WildFire
• Identifies unknown malware by direct observation in a virtual sandbox environment
  - Looks for more than 70 malicious behaviors
• Automatically generates signatures for identified malware
  - Infecting files and command-and-control
  - Distributes signatures to all firewalls via regular threat updates
• Provides forensics and insight into malware behavior
  - Actions on the target machine
3. WildFire Architecture
Cloud pipeline: Compare to Known Files → Sandbox Environment → Signature Generator → Admin Web Portal
• Unknown files from untrusted zones
• Firewall submits file to WildFire cloud
• New signatures delivered to ALL firewalls; portal provides malware forensics
4. An Integrated Approach to Threat Prevention
App-ID™
• All traffic, all ports, all the time
• Application signatures
• Heuristics
• Decryption
• Reduce the attack surface
• Remove the ability to hide

Signatures
• Block threats on all ports
• 93.4% block rate of known exploits
• 5M+ malware samples
• Prevents known threats
• 90% of threats through 2015 (Gartner)

Sources
• Malware hosting URLs
• Recently registered domains
• SSL decryption of high-risk sites
• Block known sources of threats
• Be wary of unclassified and new domains

Behaviors
• WildFire malware analysis
• Download patterns
• Unknown traffic
• Malware behaviors
• Pinpoints live infections and unknown threats
Editor's notes
Consists of two main components: a virtual machine-based sandbox environment and an automatic malware signature generator.
Cloud-based file analysis
• Virtual machines up in the cloud, no added burden on the customer
• Analyzes behavior looking for over 70 signals
  - Registry mods, browser safety mods, file creation in Windows system folders, injecting code into processes, deleting itself
• Automated report generation accessible via automated email reports and web portal
Automated malware signature generation
• Signatures generated automatically
• All signatures automatically and continually regression tested against a database of known clean files
Step through the process

Setup and sending of the file
• Admin sets up policy to forward samples from the internet to the cloud
• When the firewall encounters a binary to forward, it checks the signer.
  - If signed by a trusted source, don’t send.
• Generate the file hash and query the cloud for it
  - If we saw the file already, don’t send, just get the result
• Otherwise, send up the file (user-configurable file size range limit)

• Sample run in a virtual machine for a period of time for analysis
• Behavior of sample analyzed.
  - If malicious, a signature is automatically generated and appears in the next AV release.
• Reports for all sample uploads are made available via the web portal and also via automated and configurable email reports
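The forwarding decision and the signature step described in the notes above (and in the slide 3 pipeline) as an added, self-contained Python example. This is not WildFire code and not from the deck: the trusted-signer list, the size limits, SHA-256 as the file hash, and the CloudStub class standing in for the cloud's hash lookup, submission, verdict store and known-clean regression set are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed, constructed values for this example (not WildFire settings).
TRUSTED_SIGNERS = {"Example Trusted Publisher"}
MIN_SIZE_BYTES = 1
MAX_SIZE_BYTES = 2 * 1024 * 1024


def sha256_hex(data: bytes) -> str:
    """File hash used for the cloud lookup (SHA-256 is an assumption here)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Sample:
    name: str
    content: bytes
    signer: Optional[str] = None  # None means the binary is unsigned


@dataclass
class CloudStub:
    """Hypothetical stand-in for the analysis cloud: hash lookup, submission,
    verdict store, and regression test of new signatures against known-clean files."""
    verdicts: Dict[str, str] = field(default_factory=dict)  # sha256 -> verdict
    clean_hashes: set = field(default_factory=set)           # known-clean corpus
    signatures: List[str] = field(default_factory=list)      # released signatures
    submitted: List[str] = field(default_factory=list)       # names of uploaded files

    def lookup(self, digest: str) -> Optional[str]:
        return self.verdicts.get(digest)

    def submit(self, sample: Sample) -> str:
        self.submitted.append(sample.name)
        return "pending"

    def record_verdict(self, digest: str, verdict: str) -> bool:
        """Store the sandbox verdict. On 'malware', generate a hash signature,
        but only if it does not match a known-clean file (the regression test).
        Returns True when a signature was released."""
        self.verdicts[digest] = verdict
        if verdict != "malware":
            return False
        if digest in self.clean_hashes:  # would false-positive on a clean file
            return False
        self.signatures.append(digest)
        return True


def decide(sample: Sample, cloud: CloudStub) -> Tuple[str, str]:
    """Firewall-side forwarding decision, following the steps in the notes:
    trusted signer -> skip; hash already known -> reuse verdict;
    outside size range -> skip; otherwise upload the file."""
    if sample.signer in TRUSTED_SIGNERS:
        return ("skip", "signed by trusted source")
    digest = sha256_hex(sample.content)
    verdict = cloud.lookup(digest)
    if verdict is not None:
        return ("cached", verdict)
    size = len(sample.content)
    if not MIN_SIZE_BYTES <= size <= MAX_SIZE_BYTES:
        return ("skip", "outside configured size range")
    return ("submitted", cloud.submit(sample))


if __name__ == "__main__":
    # Constructed inputs: one previously analysed file, one trusted-signed, one new.
    cloud = CloudStub(verdicts={sha256_hex(b"seen-before"): "malware"})
    for s in [Sample("vendor.exe", b"installer", signer="Example Trusted Publisher"),
              Sample("repeat.exe", b"seen-before"),
              Sample("new.exe", b"never seen")]:
        print(s.name, decide(s, cloud))
    # Sandbox verdict arrives for the new file; a signature is released and the
    # next firewall seeing the same hash gets the cached verdict without uploading.
    cloud.record_verdict(sha256_hex(b"never seen"), "malware")
    print("again", decide(Sample("again.exe", b"never seen"), cloud))
```

The hash lookup before upload is what keeps repeat submissions of the same file off the wire, and the regression check in record_verdict is the behaviour the notes describe for keeping auto-generated signatures from matching the known-clean corpus.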