https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-does-not-block-windows-binaries/m-p/495153#M2059 <P>To mitigate cve-2022-30190 i wanted to add the file hashes of the msdt.exe binary to the blocklist; but with no effect until now.<BR />The hashes occure in the logfile of the agent below hashcontrol as enabled, but verdict has a value "0".<BR />Is it possible, that windows binaries are excluded from blocking by default?<BR />i decided to block the binary for mitigation, because it's a minimal-invasiv approach, which can be reverted quickly if the issue is patched.</P> Tue, 31 May 2022 09:12:51 GMT RonaldWeiss 2022-05-31T09:12:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-does-not-block-windows-binaries/m-p/495153#M2059 <P>To mitigate cve-2022-30190 i wanted to add the file hashes of the msdt.exe binary to the blocklist; but with no effect until now.<BR />The hashes occure in the logfile of the agent below hashcontrol as enabled, but verdict has a value "0".<BR />Is it possible, that windows binaries are excluded from blocking by default?<BR />i decided to block the binary for mitigation, because it's a minimal-invasiv approach, which can be reverted quickly if the issue is patched.</P> Tue, 31 May 2022 09:12:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-does-not-block-windows-binaries/m-p/495153#M2059 RonaldWeiss 2022-05-31T09:12:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-does-not-block-windows-binaries/m-p/496030#M2072 <P>Te sugiero sigas los siguientes pasos publicados por Microsoft hasta que tengas una respuesta por parted e Cortex Palo Alto.</P><P><A href="https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/" target="_blank">https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/</A>&nbsp;</P> Tue, 31 May 2022 17:59:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-does-not-block-windows-binaries/m-p/496030#M2072 evillegas1992 2022-05-31T17:59:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-does-not-block-windows-binaries/m-p/496690#M2077 <P>Hello,</P><P>as Luc mentioned here (<A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/m-p/496106/highlight/true#M2073" target="_self">https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/m-p/496106/highlight/true#M2073</A>&nbsp;) the use of custom prevention rules&nbsp; with the BIOC works lika a charm here.</P><P>So, this will be my solution until PA or Microsoft deliver a proper one. (Which, for PA, might be a BIOC, too <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> Wed, 01 Jun 2022 06:59:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-does-not-block-windows-binaries/m-p/496690#M2077 RonaldWeiss 2022-06-01T06:59:54Z