Wildfire Datasheet

WildFire

Prevent Unknown Malware Variants Inline

Today’s adversaries have easy access to cloud scale, legitimate infrastructure, and machine learning, allowing them to take advantage of speed and polymorphism to drive the spread of new threats. Many new malware attacks are variations of a basic attack with changes to domains or techniques. This allows the threat to look like a new attack and avoid static signature protections. Siloed security tools simply cannot keep up with today’s malware, which is proliferating at a rate of 1,000 new threats every five minutes, with up to 10,000 variants seen five minutes thereafter.

Business Benefits
• Don’t be the first victim of a new threat. Inline prevention stops “patient zero” without affecting productivity.
• Eliminate dwell time risk. Cut threat response time to seconds with automated delivery of coordinated protection across network, endpoint, and cloud.
• Reduce actionable events and workload for the SOC. Stop the initial threat, delivering fewer detection events to investigate and contain.
• Reduce TCO with cloud-based architecture. Eliminate costs to deploy, manage, patch, and maintain appliance-based sandboxes.
• Gain infinite analysis capacity with no incremental costs. Subscription model delivers compute and scalability with no capacity-based charges.
• Avoid manual integrations. Threat intel automatically flows into the Palo Alto Networks ecosystem, eliminating manual tooling or integration.

Palo Alto Networks | WildFire | Datasheet 1


Organizations suffering zero-day attacks or advanced persistent threats that cause data breaches can face:
• Reputational risk—highly visible media and press created by government and industry reporting requirements, compounded by the volume and type of information lost
• Regulatory risk—sanctions imposed by governing bodies as well as increased compliance and assessment requirements, depending on information assets targeted (e.g., personally identifiable information [PII], account information, business or customer intellectual property)
• Financial risk—potential revenue loss associated with lower buyer confidence, ransomware, and increased regulations (e.g., downtime, reduced sales, increase in compliance requirements, cost of data retrieval)
• Legal risk—liability due to civil challenges and due diligence issues stemming from customer data loss and compliance with regulations (e.g., HIPAA, GDPR, US state legislation [CCPA, NYDFS Cybersecurity Regulation, etc.], Australian data privacy regulations)
To mitigate risks associated with unknown attacks, organizations turn to network sandboxing solutions for malware analysis. Unfortunately, traditional solutions affect user productivity and are slow to deliver verdicts, interrupting workflows by holding files for analysis, trickling some content while samples are being scanned, or changing content, which makes many files unreadable. Moreover, these solutions have another fatal flaw: they can only protect against new threats after the first victim in an organization (a.k.a. patient zero) has already been identified or compromised.

Immediate Prevention Powered by Infinitely Scalable Cloud Analysis

Palo Alto Networks WildFire cloud-based malware prevention security service eliminates the need to compromise security for performance and enables organizations to adopt a prevention-first posture. As the industry’s most advanced cloud-based analysis and prevention engine for malware, WildFire analyzes every unknown file for malicious intent, and then distributes prevention in record time to reduce the risk of a first victim—and every threat thereafter.
Unlike traditional solutions that depend solely on offline or delayed analysis of unknown malware, WildFire analysis and intelligence flow directly into machine learning models that act locally at the next-generation firewall level to stop up to 95% of new threats inline. For the rest, WildFire uses an innovative multitechnique approach to distribute signatures to every ML-Powered NGFW in seconds.

(Callout: 95% of unknown malware variants blocked inline)

No other malware analysis engine can offer prevention without affecting productivity. WildFire combines dynamic and static analysis, innovative machine learning techniques, recursive analysis, and a groundbreaking custom-built analysis environment to analyze, identify, and prevent file-based threats. After analysis, automation is where WildFire shines: it applies rapid and consistent prevention at the edge, in your data center, from the cloud, within software-as-a-service (SaaS) applications, and on endpoints.

Key Capabilities

Prevent Unknown Threats at the Firewall Level with Inline Machine Learning
Powered by threat models continually honed in the cloud, WildFire includes an inline machine learning-based engine delivered within our hardware and virtual ML-Powered NGFWs. This innovative, signatureless capability prevents malicious content in common file types—such as portable executable files and fileless attacks stemming from PowerShell—completely inline, with no required cloud analysis, no damage to content, and no loss of user productivity. Whether an unknown file matches an existing signature or is classified by an ML-Powered NGFW, WildFire always performs full analysis, extracting valuable intelligence and data to provide context for security analysts, generate training updates for the machine learning models, and share intelligence with other subscriptions to prevent other attack vectors.

Defeat Highly Evasive and Memory-Resident Malware
Advanced WildFire introduces a brand-new infrastructure with hardware and patented analysis techniques, including intelligent runtime memory analysis, dependency emulation, malware family fingerprinting, and more, to prevent an additional 26% of highly evasive modern malware at scale. Learn more about Advanced WildFire here.

Get Global Prevention Across the WildFire Ecosystem, Delivered in Seconds
For highly customized threats that inline machine learning-powered prevention cannot stop, WildFire applies powerful cloud-based analysis to deliver prevention across networks, clouds, endpoints, or wherever WildFire-enabled sensors are deployed. Working in tandem with the new capabilities of PAN-OS, WildFire generates and delivers prevention globally within seconds of initial analysis for most new threats. This innovative, cloud-scale delivery of evasion-resistant signatures closes the window for adversaries to successfully deploy malicious content.

Use Signatures, Not Hashes


Because WildFire uses content signatures for prevention instead of hashes, it can identify more
malware with a single signature. As a result, compared to the mostly hash-based systems that require
1:1 ratios, WildFire protects against more attacks with the same resources. A single WildFire signature
can protect against up to millions of polymorphic variants of a single malware.

Root Out Malicious Behavior in All Traffic

WildFire identifies files with potential malicious behaviors and then delivers verdicts based on their actions by applying threat intelligence, analytics, and correlation alongside advanced capabilities:
• Complete malicious behavior visibility identifies threats in all traffic across hundreds of applications, including web traffic; email protocols like SMTP, IMAP, and POP; and file-sharing protocols like SMB and FTP, regardless of ports or encryption.
• Suspicious network traffic analysis monitors all network activity produced by a suspicious file, including backdoor creation, downloading of next-stage malware, visiting low-reputation domains, network reconnaissance, and much more.
• Fileless attack/script detection identifies when potentially malicious scripts, such as JScript and PowerShell, are traversing the network and forwards them to WildFire for analysis and execution.
The powerful discovery and analysis capabilities of WildFire are seamlessly integrated with numerous products across the Palo Alto Networks portfolio as well as within leading partner solutions across email and cloud platforms.

Figure 1: WildFire: the global nerve center for malware analysis (diagram; labels: analysis techniques of custom hypervisor, machine learning, dynamic unpacking, dynamic analysis, network traffic profiling, static analysis, recursive analysis; web protections for malware, URLs, DNS, Auto-C2; inputs of unknowns, URLs, Flash SWF, scripts (JS), archives (ZIP), binaries (DLL), documents (RTF); sources of network, endpoint, cloud, partners/third parties, API access; protections updated within seconds, globally; prevent patient zero with inline ML)

Uncover New Threats with a Multitechnique, Evasion-Resistant Approach
WildFire goes beyond traditional sandboxing approaches used to detect unknown threats in a cloud analysis environment, bringing together multiple techniques:
• Dynamic analysis observes files as they execute in a purpose-built, evasion-resistant virtual environment, enabling detection of previously unknown malware using hundreds of behavioral characteristics.
• Machine learning extracts thousands of unique features from each file, training a predictive machine learning model to identify new malware, which is not possible with static or dynamic analysis alone.
• Static analysis complements dynamic analysis with effective detection of malware, providing instant identification of malware variants. Static analysis further leverages dynamic unpacking to analyze threats attempting to evade detection through the use of packing tool sets.
• A custom-built hypervisor prevents attacker evasion techniques with a robust, proprietary hypervisor that does not depend on open source projects or proprietary software to which attackers have access.
Together, these unique techniques allow WildFire to analyze and prevent unknown malware with high efficacy and near-zero false positives.

Operational Benefits
• Automate reprogramming of security controls to block unknown threats: Shared real-time intelligence from more than 85,000 global customers automatically updates and prevents threats across networks, endpoints, and clouds.
• Gain detailed context on analyzed threats: Get thorough reports of every malicious file sent to WildFire across multiple operating system environments and application versions.
• Integrate seamlessly to enrich custom applications and existing security tools: Leverage open API integration with SIEM, TIP, ticketing, SOAR, XDR tools, or custom use cases to process indicators of compromise (IoCs).

Stop Complex, Multistage Attacks


Threat actors continue to evolve malware to evade existing analysis techniques by breaking attacks into distinct components and stages, using multiple concurrent delivery vectors, and exploiting reputable cloud services to avoid detection. These strategies render traditional single-stage, single-vector malware analysis ineffective.
By combining the cloud scale of WildFire with advanced file analysis and URL crawling, Multi-Vector Recursive Analysis (MVRA) delivers a unique and comprehensive solution to prevent threat actors’ sophisticated multistage, multihop attacks. Unlike other solutions, WildFire can follow multiple stages of attack from a file analysis standpoint even if execution fails in a given stage. This workflow unifies analysis across both web and file attack vectors, enabling a unique, holistic view of a campaign over multiple stages. Attackers can no longer hide malicious content behind multiple stages of benign URLs or reputable document sharing sites.

Deploy in a Safe, Scalable Cloud-Based Architecture

The cloud-based architecture of WildFire supports unknown threat analysis and prevention at massive scale across networks, endpoints, and clouds. Files are submitted to the WildFire global cloud, delivering scale and speed, and any Palo Alto Networks customer can quickly turn on the service—including users of hardware and virtual ML-Powered NGFWs, public cloud offerings, Prisma SaaS, and Cortex XDR agents. Palo Alto Networks manages the WildFire infrastructure directly, following industry-standard best practices for security and confidentiality, with regular SOC 2 compliance audits. See the WildFire Privacy datasheet for more information.
To enable you to better address data sovereignty and privacy concerns, we maintain distributed regional WildFire clouds that give you more control over the location of your data. Providing the same detection and prevention capabilities as the WildFire public cloud, these clouds allow you to adjust submissions to address localized data privacy concerns.

Integrate Seamlessly with Existing Security Tools and Custom Applications

The rapid move to the cloud and digital transformation efforts are surfacing security challenges that require rapid, effective, and on-demand malware analysis performed outside of the next-generation firewall or traditional control points. The WildFire API enables customers to make queries to WildFire for information about potentially malicious content and submit files for analysis using the advanced threat analysis capabilities of WildFire. Using this RESTful API, customers can leverage the industry-leading malware analysis capabilities of WildFire to integrate with existing SOAR tools, secure custom applications (such as business-to-consumer web portals), scan file share and storage locations for malicious content prior to cloud migration, and more. A standard WildFire subscription unlocks API access for a fixed number of submissions and queries. A separate stand-alone WildFire subscription, which does not require the purchase of a next-generation firewall, enables customers to purchase flexible submission and query volumes to access WildFire malware analysis via an API wherever it is needed.
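The query-then-submit workflow this section describes, as an added example that is not Palo Alto Networks code: a file-share scanner hashes each file, asks the verdict endpoint about the hash (so known files are never uploaded and the daily query budget is spent before the submission budget), and turns the verdict code into an allow/block/poll/submit decision. The endpoint URL, the XML response layout and the verdict code values are assumptions to confirm against the WildFire API reference; the stand-in poster and the sample file are constructed.

```python
import hashlib
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed endpoint, response layout and verdict codes of the WildFire public API.
# They are not on the datasheet; confirm them against the vendor's API reference.
VERDICT_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/verdict"
VERDICT_NAMES = {0: "benign", 1: "malware", 2: "grayware", 4: "phishing", 5: "c2",
                 -100: "pending", -101: "error", -102: "unknown", -103: "invalid-hash"}


def sha256_hex(data: bytes) -> str:
    """Hash first: a lookup by hash avoids uploading files the cloud already knows."""
    return hashlib.sha256(data).hexdigest()


def parse_verdict(xml_text: str) -> tuple:
    """Return (sha256, verdict_code) from a get/verdict XML response (assumed layout)."""
    info = ET.fromstring(xml_text).find("get-verdict-info")
    if info is None:
        raise ValueError("response carries no get-verdict-info element")
    return info.findtext("sha256", "").lower(), int(info.findtext("verdict", "-101"))


def policy_for(code: int) -> str:
    """Map a verdict code to the action a file-share scanner should take."""
    name = VERDICT_NAMES.get(code, "error")
    if name == "benign":
        return "allow"
    if name in ("malware", "grayware", "phishing", "c2"):
        return "block"
    if name == "pending":
        return "poll"        # analysis still running: ask again later
    if name == "unknown":
        return "submit"      # never seen: upload via the submit endpoint (multipart, not shown)
    return "error"           # invalid hash or API error: fail closed and log it


def http_post_form(url: str, fields: dict) -> str:
    """Form-encoded POST for the hash lookup; the API key travels in the body, not the URL."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=15) as resp:
        return resp.read().decode()


def triage(data: bytes, api_key: str, post=http_post_form) -> dict:
    """Look up one file's verdict and decide what to do with it."""
    digest = sha256_hex(data)
    returned, code = parse_verdict(post(VERDICT_URL, {"apikey": api_key, "hash": digest}))
    if returned != digest:   # answer does not match the question: an error, never "benign"
        return {"sha256": digest, "verdict": "error", "action": "error"}
    return {"sha256": digest, "verdict": VERDICT_NAMES.get(code, "error"),
            "action": policy_for(code)}


# Constructed stand-in for the API so the workflow runs offline: one hash is known
# malware, everything else is unknown (-102).
KNOWN_BAD = sha256_hex(b"constructed malicious sample")


def fake_post(url: str, fields: dict) -> str:
    code = 1 if fields["hash"] == KNOWN_BAD else -102
    return (f"<wildfire><get-verdict-info><sha256>{fields['hash']}</sha256>"
            f"<verdict>{code}</verdict></get-verdict-info></wildfire>")
```

Call `triage(file_bytes, api_key)` with the real poster to hit the service; `fake_post` exists only so the decision logic can be exercised without network access.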

Integrated Logging, Reporting, and Forensics

WildFire users receive integrated logs, analysis, and visibility into malicious events through the PAN-OS management interface, Panorama network security management, Cortex XDR, Cortex XSOAR, or AIOps, enabling teams to quickly investigate and correlate events observed in their networks. With this information, security teams can rapidly locate and take action on the data needed for timely investigations and incident response, regardless of the application they use.

The Power of Palo Alto Networks Security Subscriptions

Today’s sophisticated cyberattacks can spawn 45,000 variants in 30 minutes using multiple threat vectors and advanced techniques to deliver malicious payloads. Traditional siloed security causes challenges for organizations by introducing security gaps, increasing overhead for security teams, and hindering business productivity with inconsistent access and visibility.
Seamlessly integrated with our industry-leading NGFWs, our Cloud-Delivered Security Services use the network effect of over 85,000 customers to instantly coordinate intelligence and protect against all threats across all vectors. Eliminate coverage gaps across your locations and take advantage of best-in-class security delivered consistently in a single platform.
• Advanced Threat Prevention: Stop known exploits, malware, spyware, and command-and-control (C2) threats, while utilizing industry-first prevention of zero-day attacks. Prevent 60% more unknown injection attacks and 48% more highly evasive command-and-control traffic than traditional IPS solutions.
• Advanced WildFire malware prevention: Ensure files are safe by automatically preventing known, unknown, and highly evasive malware 60x faster with the industry’s largest threat intelligence and malware prevention engine.
• Advanced URL Filtering: Ensure safe access to the internet and prevent 40% more web-based attacks with the industry’s first real-time prevention of known and unknown threats, stopping 88% of malicious URLs at least 48 hours before other vendors.
• DNS Security: Gain 40% more threat coverage and stop 85% of malware that abuses DNS for command and control and data theft without requiring changes to your infrastructure.
• Enterprise DLP: Minimize the risk of a data breach, stop out-of-policy data transfers, and enable compliance consistently across your enterprise, with 2x greater coverage of any cloud-delivered enterprise DLP.
• SaaS Security: The industry’s only Next-Generation CASB natively integrated into Palo Alto Networks SASE offers proactive SaaS visibility, comprehensive protection against misconfigurations, real-time data protection, and best-in-class security.
• IoT Security: Safeguard every “thing” and implement Zero Trust device security 20x faster with the industry’s smartest security for smart devices.
• AIOps: AIOps for NGFW redefines firewall operational experience by empowering security teams to proactively strengthen security posture and resolve firewall disruptions.

Table 1: Features and Licensing Summary

Capabilities Activated with WildFire Subscription Attached to NGFW

Advanced Analysis, Prevention, and Anti-Evasion Techniques:
• Static analysis combines memory analysis, machine learning, and analysis of file anomalies, malicious patterns, and known malicious code.
• Inline ML-based prevention (on firewall) blocks unknown malicious executables and PowerShell attacks.
• Dynamic analysis includes custom hypervisor, behavioral scoring, network profiling, and multiversion analysis.
• MVRA combines advanced file analysis with URL crawling to prevent multistage, multihop attacks.

OS Support: macOS, Android, Windows XP/7/10, Linux

File Support: PE files (EXE, DLL, and others), all Microsoft Office file types, Mac OS X files, Linux (ELF) files, Android Package Kit (APK) files, Adobe Flash and PDF files, archive (RAR and 7-Zip) files, script (BAT, JS, VBS, PS1, Shell script, and HTA) files, analysis of links within email messages, and encrypted (TLS/SSL) files

Protocol Support: SMTP, POP3, SMB, FTP, IMAP, HTTP, HTTPS

File Analysis per Day: 80 million+ unique files analyzed per day

Signature Type:
• Based on new/zero-day malware discovered in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic
• Generated on the malware payload of the sample and tested for accuracy and safety

Protection Updates for Unknown Malware: Seconds, with zero-delay signatures to connected NGFW*

Regional Cloud Locations: Australia, Canada, Germany, India, Japan, The Netherlands (EU Regional Cloud), Singapore (APAC Regional Cloud), United Kingdom, United States (Global Cloud and US Government Cloud)

WildFire API Key: The WildFire subscription on the NGFW includes access to the WildFire API key, enabling integration of WildFire into other applications. This key has daily limits.

Integrations:
• With Palo Alto Networks, including all cloud-delivered security subscriptions, Cortex XDR, Cortex XSOAR, Prisma Access, Prisma Cloud, Enterprise DLP, SaaS Security
• With technology partners for verdict determination on third-party services with the WildFire API

Management and Reporting: Palo Alto Networks Panorama and WebUI, API

Forensics:
• Detailed analysis of every malicious file sent to WildFire across multiple operating system environments, including both host- and network-based activity
• Access to the original malware sample for reverse engineering, with full PCAPs of dynamic analysis sessions
• Open API for integration with third-party security tools, such as security information and event management (SIEM) systems

Trust and Privacy: Palo Alto Networks has strict privacy and security controls in place to prevent unauthorized access to sensitive or personally identifiable information. We apply industry-standard best practices for security and confidentiality. You can find further information in our privacy datasheets.

Requirements: To use the Palo Alto Networks WildFire subscription, you will need:
• Palo Alto Networks Next-Generation Firewalls running PAN-OS
• Palo Alto Networks Threat Prevention license

Recommended Environment: Palo Alto Networks Next-Generation Firewalls deployed in any location, as both internal and external sources may introduce file-based threats into the network.

* Requires PAN-OS 10.0 and above.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks, Inc. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. parent_ds_wildfire_011023