Configuring reputation data

Reputation is a service that queries reputation providers for threat intelligence about given file hashes. You can configure one or more reputation sources to build a repository of reputation data.

Configure Palo Alto Networks WildFire reputation source

You can use Palo Alto Networks firewall security policies to capture suspicious files and forward them to the WildFire system for threat analysis. If WildFire determines that a file is malware, it reports that verdict back to the firewall.

After the WildFire analysis is completed, the reputation service can query the results and update the reputation data.

Prerequisites

  • A subscription to Cloud WildFire (wildfire.paloaltonetworks.com) or a configured WF-500 WildFire appliance.
  • Palo Alto Networks Firewall with or without Panorama.

Configure settings

  1. From the Reputation home page, click Settings in the Palo Alto Networks WildFire section.
  2. Specify settings, including the host of your WildFire instance and the API key.
  3. Select Enabled to enable the reputation source and click Save.

Configure ReversingLabs A1000 reputation source

The ReversingLabs A1000 is an appliance that organizations install on-premises to analyze files; it provides reputation results through API requests or a web interface.

Prerequisites

You must already have a ReversingLabs A1000 API token. If you have not already registered for ReversingLabs access, contact their sales team at reversinglabs.com.

To get an API token:

  1. Sign into the ReversingLabs A1000.
  2. Click the User Profile icon.
  3. Select Administration.
  4. Click Tokens.

Configure settings

  1. From the Reputation home page, click Settings in the ReversingLabs A1000 section.
  2. Add your ReversingLabs A1000 credentials: the URL for your API access and your API Token.
  3. Adjust the settings for New/Pending hashes per query and New/Pending queries per minute according to your API agreement with ReversingLabs and your network requirements.
  4. Select Enabled to enable the reputation source and click Save.

Configure ReversingLabs TitaniumCloud reputation source

ReversingLabs TitaniumCloud is an online service that analyzes files, hashes, and URLs to identify viruses, worms, trojans, and other kinds of malicious content that are detected by antivirus engines and website scanners. The reputation service submits reputation items (file hashes) to the ReversingLabs API and stores the results in the reputation database.

Prerequisites

You must already have a ReversingLabs TitaniumCloud account. If you have not already registered for ReversingLabs TitaniumCloud access, contact their sales team at reversinglabs.com.

Configure settings

  1. From the Reputation home page, click Settings in the ReversingLabs TitaniumCloud section.
  2. Add your ReversingLabs TitaniumCloud credentials: the URL for your API access, your Username, and your Password.
  3. Adjust the settings for New/Pending hashes per query and New/Pending queries per minute according to your API agreement with ReversingLabs and your network requirements.
  4. To reduce the number of items reported as malicious, expand Advanced Settings and adjust the settings for Threat Level and Trust Factor.

    Setting Threat Level to 0 and Trust Factor to 0 results in the maximum number of items reported as malicious. Setting Threat Level to 5 and Trust Factor to 5 results in the fewest items reported as malicious.

  5. Select Enabled to enable the reputation source and click Save.

Configure VirusTotal reputation source

VirusTotal is an online service that analyzes files, hashes, and URLs to identify viruses, worms, trojans, and other kinds of malicious content that are detected by antivirus engines and website scanners. The reputation service submits reputation items (file hashes) to the VirusTotal API and stores the results in the reputation database.

Prerequisites

Register for a VirusTotal API key at virustotal.com. VirusTotal makes their catalog available for query with an API key. Refer to the VirusTotal API use policy to determine which type of API key is appropriate.

To get the API key on the VirusTotal website, sign in and click your user image > Settings > API Key.

Configure settings

  1. From the Reputation home page, click Settings in the VirusTotal section.
  2. Specify settings for VirusTotal, including the API key.
    • Adjust the settings for Batch Size and Maximum Calls per Minute according to your agreement with VirusTotal.
    • The Positive Threshold is the number of antivirus engines that must flag a hash before the item is considered a potential threat or malware.
      The lower the value, the more likely it is that a single engine's false positive causes an item to be reported as malicious.

      Example: If you set the value to 3, then three VirusTotal engines must report an item as malicious for the item to be sent to Connect.
      Setting the value to 0 disables the threshold: if any VirusTotal engine reports the item as malicious, the item is sent to Connect.

      Reputation results for VirusTotal are determined as follows:

      • Malicious: if the number of positives is greater than the threshold
      • Suspicious: if the number of positives is greater than zero, but less than the threshold
      • Non-malicious: if the number of positives is zero
      • Unknown: if there is no data
  3. Select Enabled to enable the reputation source and click Save.
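The threshold rule above, as an added example that is not part of this page and not code from the reputation product or the VirusTotal API: a small Python classifier that applies the Positive Threshold to per-hash positive counts and tallies the outcome, so you can see how many items a given threshold would report before you commit to a setting. The hashes and positive counts are constructed sample data. One point is an assumption: the rule list says Malicious means "greater than the threshold", while the worked example says three engines suffice for a threshold of 3, so a count exactly equal to a non-zero threshold is treated as Malicious here to match the worked example.

```python
"""Positive Threshold classification for VirusTotal reputation results.

Added example, not code from the reputation product or the VirusTotal API.
It models only the rule described on the page: a hash is Malicious,
Suspicious, Non-malicious, or Unknown depending on how many engines flagged
it relative to the configured Positive Threshold.
"""
from typing import Dict, Optional

MALICIOUS = "Malicious"
SUSPICIOUS = "Suspicious"
NON_MALICIOUS = "Non-malicious"
UNKNOWN = "Unknown"


def classify(positives: Optional[int], threshold: int) -> str:
    """Classify one hash from its VirusTotal positive count.

    positives: number of engines that flagged the hash, or None when
               VirusTotal has no data for it (-> Unknown).
    threshold: the configured Positive Threshold. 0 disables the threshold,
               so a single positive is enough to mark the item Malicious.

    Assumption: a count equal to a non-zero threshold counts as Malicious
    (the page's worked example: three engines suffice for a threshold of 3).
    """
    if threshold < 0:
        raise ValueError("Positive Threshold must be >= 0")
    if positives is None:
        return UNKNOWN
    if positives < 0:
        raise ValueError("positives must be >= 0")
    if positives == 0:
        return NON_MALICIOUS
    if threshold == 0 or positives >= threshold:
        return MALICIOUS
    # 0 < positives < threshold: flagged by some engines, below the threshold
    return SUSPICIOUS


def classify_reports(reports: Dict[str, Optional[int]], threshold: int) -> Dict[str, str]:
    """Apply classify() to a mapping of hash -> positives (None = no data)."""
    return {h: classify(p, threshold) for h, p in reports.items()}


def summarize(classified: Dict[str, str]) -> Dict[str, int]:
    """Count how many hashes landed in each result category."""
    counts = {k: 0 for k in (MALICIOUS, SUSPICIOUS, NON_MALICIOUS, UNKNOWN)}
    for result in classified.values():
        counts[result] += 1
    return counts


# Constructed sample: four placeholder SHA-256 values with made-up
# positive counts; None stands for "VirusTotal returned no data".
SAMPLE_REPORTS: Dict[str, Optional[int]] = {
    "a" * 64: 0,     # clean
    "b" * 64: 1,     # one engine flagged it (possible false positive)
    "c" * 64: 3,     # three engines flagged it
    "d" * 64: None,  # never seen by VirusTotal
}

if __name__ == "__main__":
    # Sweep a few thresholds to see how the Malicious count changes.
    for t in (0, 3, 10):
        print(f"threshold={t}: {summarize(classify_reports(SAMPLE_REPORTS, t))}")
```

Running the sweep shows the trade-off the page describes: with the threshold at 0 the single-engine hit is reported as Malicious, with it at 3 that same hash drops to Suspicious, and at 10 even the three-engine hit is only Suspicious.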

View reputation scan status

The Reputation home page displays the total number of reputation items, and the following information about each reputation source:

  • Items: total number of reputation items on this reputation source
  • New: reputation items that still need to be scanned on this reputation source
  • Processed: reputation items that have been scanned on this reputation source
  • Malicious: percentage of items out of total reputation items that are malicious

Last updated: 6/21/2019 4:54 PM