https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466208#M1557 <P>Hello,&nbsp;</P><P>we started to have Cortex XDR alerts for *.tmp files, which refer to the C:\Windows\Install folder.</P><P>e.g.&nbsp;<SPAN>C:\Windows\Installer\MSI53B1.tmp</SPAN></P><P>Wildfire report says its Malware based probably on the:</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">Attempted to sleep for a long period | Medium Malware analysis environments have a limited amount of time in which to execute code and deliver a verdict. To subvert this process, malware often delays execution, or "sleeps," for a long period, allowing it to avoid detection. Created or modified a file in the Windows system folder | Medium The Windows system folder contains configuration files and executables that control the underlying functions of the system. Malware often modifies the contents of this folder to manipulate the system, establish persistence, and avoid detection.</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Interesting thing is that this folder does not exists on any of reported machines, incl. hidden folders.<BR />Can anyone explain me a little bit more what is the folder \Install for and why we cannot see it?<BR />Does windows cleans after some patch update / bundle update, but this stays in memmory and Cortex Agent is able to dig it out?&nbsp;</P><P><BR />I can report it as an incorrect verdict, but firstly would like to know..<BR /><BR />Thank you.<BR />Lukas</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you.</P> Wed, 16 Feb 2022 14:48:50 GMT LukasB 2022-02-16T14:48:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466208#M1557 <P>Hello,&nbsp;</P><P>we started to have Cortex XDR alerts for *.tmp files, which refer to the C:\Windows\Install folder.</P><P>e.g.&nbsp;<SPAN>C:\Windows\Installer\MSI53B1.tmp</SPAN></P><P>Wildfire report says its Malware based probably on the:</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup">Attempted to sleep for a long period | Medium Malware analysis environments have a limited amount of time in which to execute code and deliver a verdict. To subvert this process, malware often delays execution, or "sleeps," for a long period, allowing it to avoid detection. Created or modified a file in the Windows system folder | Medium The Windows system folder contains configuration files and executables that control the underlying functions of the system. Malware often modifies the contents of this folder to manipulate the system, establish persistence, and avoid detection.</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Interesting thing is that this folder does not exists on any of reported machines, incl. hidden folders.<BR />Can anyone explain me a little bit more what is the folder \Install for and why we cannot see it?<BR />Does windows cleans after some patch update / bundle update, but this stays in memmory and Cortex Agent is able to dig it out?&nbsp;</P><P><BR />I can report it as an incorrect verdict, but firstly would like to know..<BR /><BR />Thank you.<BR />Lukas</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you.</P> Wed, 16 Feb 2022 14:48:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466208#M1557 LukasB 2022-02-16T14:48:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466259#M1559 <P>Hi LukasB,</P><P>&nbsp;</P><P>Typically during an application install, it will create tmp file just like what you see, then after the install, it will clean those temp files that's why its gone. During that time of install execution, XDR will do its checking, thats the reason why you see those alerts.</P> Wed, 16 Feb 2022 16:35:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466259#M1559 jcandelaria 2022-02-16T16:35:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466454#M1561 <P>That's exactly what I thought.... what is the best practice? Exclude the folder from malware scan or... ? creating an exception can be potentially dangerous</P> Thu, 17 Feb 2022 09:00:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466454#M1561 LukasB 2022-02-17T09:00:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466655#M1562 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132156">@LukasB</a>&nbsp;Mark the incident as Resolved - False Positive since you're aware this is the case. There is no need to exclude any folder from Malware scans as you correctly stated - malicious actors can use temporary directories for staging and short-lived persistence.<BR /><BR />Furthermore, XDR Agents will monitor all running processes, raise alerts, perform detection/blocking actions and/or create incidents , whether or not the corresponding files were scanned in disk, and will flag accordingly upon execution.</P> Fri, 18 Feb 2022 02:14:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-and-windows-install-folder/m-p/466655#M1562 bbarmanroy 2022-02-18T02:14:41Z