topic Re: Cortex XDR not detecting malicious files in Cortex XDR Discussions

Cortex XDR not detecting malicious files

Anil_Racharla — Thu, 09 Jun 2022 03:57:25 GMT

Hi ,
Why Cortex XDR is not detecting malicious files which are present in system.
for testing purpose I have downloaded a test malware also but it is not reflected after the malware scan.Can anyone please give clarity on this.
Does Cortex detects malicious files only when they are executed ?
Does Cortex XDR don't detect files which are not executed and simply lied down in the system ? In case if we want know the unexecuted Malicious files and get the alert for the same, do we need to add any other features/licenses ?

Re: Cortex XDR not detecting malicious files

mfakhouri — Thu, 23 Jun 2022 22:17:46 GMT

Hi @Anil_Racharla,

1. Cortex XDR’s default malware policy rules utilize both pre-execution and post-execution malware protection. WildFire is used for pre-execution and executes several checks:

WF static analysis
Machine learning
Dynamic analysis
Bare metal

The file will go to Local Analysis if there is no verdict to be found with WF. Cortex XDR post-execution malware prevention includes: behavior threat protection, anti-ransomware, password theft protection, and child process protection.

2. Cortex XDR malware scans check for dormant malware and differs from the protection leveraged during the malware execution. These scans can be done either manually or periodically with prevention profiles and do not require any additional features/licenses.

Here is a relevant, high-level graphic illustrating Cortex XDR file analysis:

Are you expecting dormant detection or a detonation that may have been missed by the Cortex XDR agent? Are you able to share any hash info for verification?

Re: Cortex XDR not detecting malicious files

Anil_Racharla — Sat, 13 Aug 2022 16:40:20 GMT

thanks a lot ,
I am looking for dormant detection.

Re: Cortex XDR not detecting malicious files

neelrohit — Wed, 17 Aug 2022 07:36:31 GMT

Hi @Anil_Racharla ,

Cortex XDR though does dormant file detection, but it is designed to be an execution based detection and prevention solution. Often malwares or malicious files are zipped and compressed with different folders or other files(like jpg files, zip files, etc.). Changing the form factor and entity of the file also changes the property and the hashing of the file. The actual zipped/modified file may not be malicious, but upon execution it opens up a new child executable which might be a malware altogether. The resulting causality chain is malicious and should be the one to be detected and prevented accordingly.

Do check for file properties and criteria. Also, you might want to check the policy configuration of the endpoint agent you are testing the samples on.

Re: Cortex XDR not detecting malicious files

nikoolayy1 — Thu, 01 Sep 2022 15:05:29 GMT

Also look at the Exploit Profiles as when the virus tries to use a process to start the attack the XDR to monitor that process with an exloit profile so that you are protected from attacks that use not infected file but an application vunrability like buffer overflow etc. and the Restrictions Profiles are nice to limit the attack surface.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-profiles

Also run configure automatic periodic scans for what you want:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoints/scan-endpoint-for-malware

Re: Cortex XDR not detecting malicious files

nikoolayy1 — Thu, 13 Oct 2022 21:25:26 GMT

If you managed to get the needed answers, please flag the question as answered.