Exam PCNSE topic 1 question 559 discussion

Answer is B. WildFire Virus is a sub-type of the AV signatures. Data Filtering allowed the flash file but it was blocked by the AV signatures as a known WildFire Virus.

it is B. Type Wildfire tells what is the cached verdict (malicious in this case with an action of block). Type wildfire-virus tells what actually the antivirus engine did to the traffic

first user got the file. 5-10 mins later WF said it was virus. Users after the 5-10minutes will be blocked.

URL profile action alert. File Profile action alert. AV and Wildfire action Reset-both Policy Action Allow. Content Inspection overrides the policy action meaning the answer is B.

Based on the WildFire submission log provided, let's break down the sequence: TYPE: end - The action is allow. TYPE: wildfire - The action is block with a verdict: malicious. TYPE: wildfire-virus - The action is reset-both. TYPE: virus - The action is reset-both. TYPE: file - The action is alert. TYPE: url - The action is alert. Key points: The log shows multiple actions taken on the file. The wildfire-virus entry has the action reset-both, which means the connection was reset, preventing the download from completing. Although the initial end type has an action of allow, subsequent security measures like the reset-both action for the wildfire-virus and virus types indicate that the download was interrupted. Given this, the correct answer is: B. No, because the action for the wildfire-virus is "reset-both."

this question was in my exam 09/08/2024

The initial entry is UL set to allow and then file, also set to allow. It wasn't ID'd as a virus until after the file was downloaded

This question was on exam in June 24.

What's the correct answer?

(A) maybe but I could be wrong. "did the end user successfully downloaded file?" - technically YES. "It takes about 10 to 15 minutes to download the signature by WF dynamic update, no signature, no blocking" - per screenshot, primarily action is set to "allow". If no other means was used for mitigating this, then yes, the file was downloaded then probably mitigated later after WF sends its update

I think D

I Think the below Article could be of help: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UshCAE&lang=en_US%E2%80%A9

Have to be D surely? I cannot seem to find a definitive answer on Palo Alto!

i had this one in December 2023. i think it is A but i am not shure and whould like to know.

This was on the exam September 2023, I would suggest knowing this one.

OPtion D, The first file was downloaded, the wildfire verdict came later to block it, later.

Answer is B. Wildfire-virus is a subtype used for wildfire signatures delivered using wildfire signature database, to differentiate from regular anti-virus signatures. In short, AV signatures are identified using subtype virus. Wildfire signatures are identified using subtype wildfire-virus. Source: https://live.paloaltonetworks.com/t5/general-topics/question-about-threat-logs-type-wildfire-virus/td-p/63337