Malware Protection Policy Best Practices
The key principle when defining a malware protection policy is to minimize the chance of infection from known and unknown malware. To achieve this goal, the best practice malware protection policy uses WildFire rules that enable Traps to identify and block all known threats and send unknown files for analysis and identification by WildFire. In addition, the best practice malware protection policy enables Traps to take advantage of built-in mechanisms to analyze unknown executable files and determine the likelihood of malware. Consider the following recommendations when creating a malware protection policy:
- Enable WildFire integration to allow Traps to evaluate executable files based on their WildFire verdicts. WildFire integration is automatically enabled in the default policy. Therefore, if you need to create new WildFire rules, ensure that WildFire Activation is On. See Configure a WildFire Rule.
- Block the execution of malware. The easiest way to prevent malware from causing harm to your endpoints is to block its execution. To do this, the Action in the WildFire policy must be set to Prevention. Because the default policy configures this setting, we recommend that you leave the default setting, or, if you need to create new rules, inherit the action from the default policy. See Configure a WildFire Rule.
- Enable Traps to submit unknown executable files to the ESM Server and enable the ESM Server to send those samples to WildFire for analysis. By submitting the samples, you take advantage of advanced WildFire threat intelligence, which enables analysis and identification of zero-day malware. WildFire also makes information about newly discovered executable files available globally to other ESMs (upon query) and to Palo Alto Networks firewalls (within minutes). This enables you and other Palo Alto Networks customers to transform unknown samples into known samples, thus reducing the time spent determining the nature of an unknown executable file. Because the default policy configures this setting, no additional action is required to enable this functionality. However, if you need to create new rules, ensure that you enable Upload files for WildFire analysis. See Set Up the ESM to Communicate with WildFire.
- Enable Traps to perform local analysis on unknown executable files to determine whether they are likely to be malware. Local analysis uses a statistical model that was developed using machine learning on WildFire threat intelligence. When enabled, local analysis uses the model to issue a local verdict for the file. Traps simultaneously queries the ESM Server for a verdict on the unknown executable, but can act on the local analysis verdict until the ESM Server responds with either an official WildFire verdict or an administrative hash control policy. Because the default policy configures this setting, no additional action is required to enable this functionality. However, if you need to create new rules, ensure that you enable Local Analysis. See Local Static Analysis.
- Install the latest content update. Each content update packages the latest Palo Alto Networks threat intelligence into a default security policy file. The content update can include changes to the list of trusted signers, the local analysis model, compatibility rules, and default rule configuration settings. By installing the latest content update, you ensure that your endpoints take advantage of this threat intelligence. See Content Updates.
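The verdict precedence described in the submission and local analysis items above (an administrative hash control policy outranks the WildFire verdict, and the local analysis verdict serves only as an interim answer while the ESM query is outstanding) can be modelled in a few lines. This is an added illustration, not Traps or ESM code: the class, method names, source labels, priority values and sample hashes are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Assumed authority order, highest first: admin hash control beats the
# official WildFire verdict, which beats the interim local analysis verdict.
PRIORITY = {"hash_control": 3, "wildfire": 2, "local_analysis": 1}


@dataclass
class Verdict:
    value: str   # "malware" or "benign"
    source: str  # one of the PRIORITY keys


@dataclass
class MalwarePolicy:
    """Toy model of the endpoint decision flow described on this page."""
    action: str = "prevention"  # anything else is treated as log-only (assumption)
    local_model: Optional[Callable[[str], str]] = None  # stands in for the local analysis model
    verdicts: Dict[str, Verdict] = field(default_factory=dict)  # sha256 -> current best verdict
    pending_upload: Set[str] = field(default_factory=set)       # samples queued for WildFire

    def evaluate(self, sha256: str) -> Tuple[str, str]:
        """Return (decision, verdict source) for an executable identified by hash."""
        verdict = self.verdicts.get(sha256)
        if verdict is None:
            # Unknown file: queue it for WildFire analysis and, if local analysis is
            # enabled, use its verdict until the ESM Server answers.
            self.pending_upload.add(sha256)
            if self.local_model is None:
                return ("allow", "unknown")
            verdict = Verdict(self.local_model(sha256), "local_analysis")
            self.verdicts[sha256] = verdict
        if verdict.value == "malware" and self.action == "prevention":
            return ("block", verdict.source)
        return ("allow", verdict.source)

    def receive_verdict(self, sha256: str, value: str, source: str) -> None:
        """Apply an ESM Server response; a lower-authority source never overrides a higher one."""
        current = self.verdicts.get(sha256)
        if current is None or PRIORITY[source] >= PRIORITY[current.source]:
            self.verdicts[sha256] = Verdict(value, source)
        self.pending_upload.discard(sha256)
```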