<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Can Wildfire/Cortex XDR be Tweaked From Backend in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473396#M1688</link>
    <description>&lt;P&gt;Hi guys,&lt;/P&gt;&lt;P&gt;We get a lot of false positives from Wildfire where it's reporting custom applications used on a "business as usual" (BAU) basis in our environment.&amp;nbsp; Do you folks know if there are settings from the Wildfire backend that Palo Alto normally adjusts for customers so as to decrease the sensitivity of the Wildfire engine where it's not reporting so many false positives?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;p.s. pardon me if this sounds like a rookie question.&lt;/P&gt;</description>
    <pubDate>Tue, 15 Mar 2022 21:37:35 GMT</pubDate>
    <dc:creator>chukaokonkwo</dc:creator>
    <dc:date>2022-03-15T21:37:35Z</dc:date>
    <item>
      <title>Can Wildfire/Cortex XDR be Tweaked From Backend</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473396#M1688</link>
      <description>&lt;P&gt;Hi guys,&lt;/P&gt;&lt;P&gt;We get a lot of false positives from Wildfire where it's reporting custom applications used on a "business as usual" (BAU) basis in our environment.&amp;nbsp; Do you folks know if there are settings from the Wildfire backend that Palo Alto normally adjusts for customers so as to decrease the sensitivity of the Wildfire engine where it's not reporting so many false positives?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;p.s. pardon me if this sounds like a rookie question.&lt;/P&gt;</description>
      <pubDate>Tue, 15 Mar 2022 21:37:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473396#M1688</guid>
      <dc:creator>chukaokonkwo</dc:creator>
      <dc:date>2022-03-15T21:37:35Z</dc:date>
    </item>
    <item>
      <title>Re: Can Wildfire/Cortex XDR be Tweaked From Backend</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473414#M1689</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;SPAN&gt;Chukaokonkwo,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;There are a variety of tuning options within XDR to help reduce False Positives and any adverse impact to normal operations. You can add the sha256 file hash of the application to the allow list located in the Action Center, which will allow the applications to execute and therefore override the Wildfire verdict. Within the Malware profile itself you are able to allow PEs and DLLs to run based off of a list of approved signers, or by adding file/folder paths into the allow list for that module. Reference step 3, sub-steps 3 and 4, in the documentation linked below for instructions on how to accomplish this.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;&lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-profiles/add-malware-security-profile" target="_blank"&gt;https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-profiles/add-malware-security-profile&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best Regards,&lt;/P&gt;&lt;P&gt;Ben&lt;/P&gt;</description>
      <pubDate>Tue, 15 Mar 2022 22:56:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473414#M1689</guid>
      <dc:creator>bbucao</dc:creator>
      <dc:date>2022-03-15T22:56:19Z</dc:date>
    </item>
    <item>
      <title>Re: Can Wildfire/Cortex XDR be Tweaked From Backend</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473446#M1691</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/193230"&gt;@chukaokonkwo&lt;/a&gt;&amp;nbsp;to add on to what&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/205598"&gt;@bbucao&lt;/a&gt;&amp;nbsp;suggested for tactical fixes, you should also raise a Verdict Change Request within the Cortex XDR console or raise a Support ticket with the hash/sample for a systemic fix. The Wildfire verdicts should reflect the nature of the applications being run.&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 01:30:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473446#M1691</guid>
      <dc:creator>bbarmanroy</dc:creator>
      <dc:date>2022-03-16T01:30:30Z</dc:date>
    </item>
    <item>
      <title>Re: Can Wildfire/Cortex XDR be Tweaked From Backend</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473557#M1700</link>
      <description>&lt;P&gt;Unfortunately Wildfire produces a lot of false positives; we have to unblock and whitelist Cygwin binaries at regular intervals. Of course, I report the incorrect verdict to PA and it is reversed in a short time. But that doesn't help with binaries blocked initially using an incorrect verdict. Apart from adding known hashes to the whitelist, the only workable solution I found out is to exclude known folders from being scanned. Of course, this is not very secure and has its own issues, but it allows our developers to continue with their business.&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 10:40:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473557#M1700</guid>
      <dc:creator>MartinPfeil</dc:creator>
      <dc:date>2022-03-16T10:40:31Z</dc:date>
    </item>
    <item>
      <title>Re: Can Wildfire/Cortex XDR be Tweaked From Backend</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473666#M1706</link>
      <description>&lt;P&gt;Wow, so this high rate of false positives cannot be tweaked from the Palo Alto side of the house huh?? ...you're literally limited to having to create exceptions for the legitimate hashes one-at-a-time?&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 15:12:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473666#M1706</guid>
      <dc:creator>chukaokonkwo</dc:creator>
      <dc:date>2022-03-16T15:12:16Z</dc:date>
    </item>
    <item>
      <title>Re: Can Wildfire/Cortex XDR be Tweaked From Backend</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473677#M1708</link>
      <description>&lt;P&gt;Hi Chukaokonkwo,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The Wildfire malware team is constantly working to keep up with evolving threats while maintaining a high fidelity rate. The risk of false negatives is generally viewed as more dangerous to an organization than the risk of false positives. Custom applications can at times cause Wildfire (or any sandbox) to flag them as malware due to the behavior of the application if it resembles behavior patterns commonly seen in malware. As rare as these false positives may be on a large scale, I understand that it can be frustrating to deal with when they are affecting your organization. For that reason Cortex XDR offers a variety of ways to handle these. If handling these individually by either submitting Verdict Change Requests or adding to a sha256 hash allow list is not feasible or desirable, consider adding the digital signature of your organization's custom applications to the malware profile's allow list; that way any application that is signed by your organization will not be prevented from running by Wildfire.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Best Regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Ben&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 15:58:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/473677#M1708</guid>
      <dc:creator>bbucao</dc:creator>
      <dc:date>2022-03-16T15:58:19Z</dc:date>
    </item>
    <item>
      <title>Re: Can Wildfire/Cortex XDR be Tweaked From Backend</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/476717#M1786</link>
      <description>&lt;P&gt;Yep, we currently have over 2100 "Allowed" hashes (growing 300+ a month) and had to drag our dev team kicking and screaming to sign every tiny little application across the entire environment. And we still get about 700 LC alerts a week.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Mar 2022 22:49:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/can-wildfire-cortex-xdr-be-tweaked-from-backend/m-p/476717#M1786</guid>
      <dc:creator>eumbach</dc:creator>
      <dc:date>2022-03-29T22:49:56Z</dc:date>
    </item>
  </channel>
</rss>