topic Re: Signature Weak hash in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/signature-weak-hash/m-p/343176#M236 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/134482">@marcelocampos</a>&nbsp;</P><P>&nbsp;</P><P>Cortex XDR is going to calculate the hash of the file and check with WildFire if a verdict is known.&nbsp; If it is not known, the file (depending on config) will be uploaded for several checks:&nbsp; static analysis, dynamic analysis, and possible bare metal analysis.&nbsp; Once it has been analyzed, that verdict will be retained by WildFire.&nbsp; From that point on, if the file is deemed malware -- your option is to whitelist the file.&nbsp; If you believe that the file verdict is incorrect and you want another check, you can can submit it as an incorrect verdict.&nbsp; At that point, a member of our Unit 42 team, will check even deeper.</P><P>&nbsp;</P><P>Regardless of the verdict, if you're trying to investigate what is going on -- I would locate any alerts that are raised -- right click and analyze them.&nbsp; From there, you can get a great deal of information on what was / is going on.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Hope this helps.</P> Tue, 11 Aug 2020 01:54:58 GMT dfalcon 2020-08-11T01:54:58Z Signature Weak hash https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/signature-weak-hash/m-p/343130#M235 <P>Good day! community,</P><P>&nbsp;</P><P>I have a question, what treatment is given to executables that are signed as weak hash?</P><P>I understand that cortex XDR will block its execution.</P><P>Can it be excepted considering that it is a utility software?</P><P>The hash is unaltered and WF's verdict is benign.</P><P>What things should I verify or take into account as best practices to expedite the investigation and take actions on the alarms.</P><P>Thanks in advance.</P><P>Best regards.</P> Mon, 10 Aug 2020 21:54:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/signature-weak-hash/m-p/343130#M235 marcelocampos 2020-08-10T21:54:05Z Re: Signature Weak hash https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/signature-weak-hash/m-p/343176#M236 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/134482">@marcelocampos</a>&nbsp;</P><P>&nbsp;</P><P>Cortex XDR is going to calculate the hash of the file and check with WildFire if a verdict is known.&nbsp; If it is not known, the file (depending on config) will be uploaded for several checks:&nbsp; static analysis, dynamic analysis, and possible bare metal analysis.&nbsp; Once it has been analyzed, that verdict will be retained by WildFire.&nbsp; From that point on, if the file is deemed malware -- your option is to whitelist the file.&nbsp; If you believe that the file verdict is incorrect and you want another check, you can can submit it as an incorrect verdict.&nbsp; At that point, a member of our Unit 42 team, will check even deeper.</P><P>&nbsp;</P><P>Regardless of the verdict, if you're trying to investigate what is going on -- I would locate any alerts that are raised -- right click and analyze them.&nbsp; From there, you can get a great deal of information on what was / is going on.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Hope this helps.</P> Tue, 11 Aug 2020 01:54:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/signature-weak-hash/m-p/343176#M236 dfalcon 2020-08-11T01:54:58Z