https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446444#M1220 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/191288">@PaulDownes</a> ,</P> <P>&nbsp;</P> <P><SPAN style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">In order to get better traction for this, I have moved your query to the Cortex area.</SPAN><BR style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">I would recommend that you visit this area to see your discussion and others on Cortex.</SPAN></P> <P>&nbsp;</P> <P><SPAN style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">Cheers,</SPAN></P> <P><SPAN style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">-Kiwi.</SPAN></P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Tue, 09 Nov 2021 13:02:48 GMT kiwi 2021-11-09T13:02:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/445496#M1219 <P>Hi All, I've been looking at the functionality of the cytool command line and cannot find a way to scan a particular file, which is available if you right click the file in Windows. Can anyone tell me if the ability to scan an individual file, or folder available from command line in XDR client?</P><P>Thanks, Paul</P> Thu, 04 Nov 2021 15:09:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/445496#M1219 PaulDownes 2021-11-04T15:09:37Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446444#M1220 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/191288">@PaulDownes</a> ,</P> <P>&nbsp;</P> <P><SPAN style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">In order to get better traction for this, I have moved your query to the Cortex area.</SPAN><BR style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" /><SPAN style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">I would recommend that you visit this area to see your discussion and others on Cortex.</SPAN></P> <P>&nbsp;</P> <P><SPAN style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">Cheers,</SPAN></P> <P><SPAN style="color: #222222; font-family: Arial, Helvetica, sans-serif; font-size: small; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">-Kiwi.</SPAN></P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Tue, 09 Nov 2021 13:02:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446444#M1220 kiwi 2021-11-09T13:02:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446450#M1221 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/191288">@PaulDownes</a>&nbsp;</P><P>&nbsp;</P><P>The scan malware option is not part of the cytool commands.</P><P>&nbsp;</P><P>There are some alternatives</P><P>&nbsp;</P><OL><LI>cytool fileinfo c:\path\to\app1.exe - process needs to be known to WF/LA<OL><LI>this will give you information about app1.exe. you want to look for the File SHA256 value</LI></OL></LI><LI>cytool wf query app1_sha256_value<OL><LI>If you do not get a result, it means that WF/LA do not know it. At this point, you first need to upload the file to WF. You can do that by scanning the file using the mouse</LI><LI>you could use cytool imageprep. this will look at all the volumes are upload to WF those that are unknown. This operation could take quite some time, at least the first time executed. Later imageprep scans, would take less time as only those new unknown executables will be uploaded to WF.</LI></OL></LI></OL><P>&nbsp;</P> Tue, 09 Nov 2021 13:19:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446450#M1221 fmoixsante 2021-11-09T13:19:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446490#M1222 <P>looks like looking at the official docs you can just start a scan:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-windows/troubleshoot-traps-for-windows/cytool.html" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-windows/troubleshoot-traps-for-windows/cytool.html</A></P><P>&nbsp;</P><P>I would however confirm with the tac</P> Tue, 09 Nov 2021 15:00:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446490#M1222 P.Jacob 2021-11-09T15:00:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446999#M1229 <P>Thanks folks, all very helpful. I'm going to accept Fmoixsante's suggestion about the imageprep scan as the accepted solution, might be able to run with that. If there was something flagged on the client machine to say the scan marked the file safe / unsafe, I could possibly use that to trigger a subsequent action to admins also. I appreciate the insights from you all, thanks again.</P> Thu, 11 Nov 2021 14:22:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-command-line-scan/m-p/446999#M1229 PaulDownes 2021-11-11T14:22:53Z