Advanced WildFire reproduces a variety of analysis environments, including the operating system, to identify malicious behaviors within samples. Depending on the characteristics and features of the sample, multiple analysis environments may be used to determine the nature of the file. Advanced WildFire uses static analysis with machine learning to initially determine if known and variants of known samples are malicious. Based on the initial verdict of the submission, Advanced WildFire sends the unknown samples to analysis environment(s) to inspect the file in greater detail by extracting additional information and indicators from dynamic analysis. If the file has been obfuscated using custom or open source methods, the Advanced WildFire cloud decompresses and decrypts the file in-memory within the dynamic analysis environment before analyzing it using static analysis. During dynamic analysis, Advanced WildFire observes the file as it would behave when executed within client systems and looks for various signs of malicious activities, such as changes to browser security settings, injection of code into other processes, modification of files in operating system folders, or attempts by the sample to access malicious domains. Additionally, PCAPs generated during dynamic analysis in the Advanced WildFire cloud undergo deep inspection and are used to create network activity profiles. Network traffic profiles can detect known malware and previously unknown malware using a one-to-many profile match.

Advanced WildFire can analyze files using the following methods, based on sample characteristics:

Advanced WildFire operates analysis environments that replicate the following operating systems:

The Advanced WildFire public cloud also analyzes files using multiple versions of software to accurately identify malware that target specific versions of client applications. The WildFire private cloud does not support multi-version analysis, and does not analyze application-specific files across multiple versions.