<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cortex XDR blocks visual studio codes everytime in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/512846#M2686</link>
    <description>&lt;P&gt;Hi Teja,&lt;BR /&gt;Have you found any way for this? We are also facing the same issue.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 24 Aug 2022 14:25:05 GMT</pubDate>
    <dc:creator>Anil_Racharla</dc:creator>
    <dc:date>2022-08-24T14:25:05Z</dc:date>
    <item>
      <title>Cortex XDR blocks visual studio codes everytime</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/447124#M1232</link>
      <description>&lt;P&gt;We have observed that Cortex XDR always blocks code written in Microsoft Visual Studio. General C programs like Hello World and addition of two numbers are also getting blocked in local analysis, and it takes a lot of time to get a verdict from WildFire to allow them. Usually this issue is faced whenever a developer is running in debug mode, and in debug they need to frequently change the code and debug it. When I discussed this with one of the Palo Alto support technicians, he suggested whitelisting the workspace folders or adding a signature and allowing it, which is not a feasible solution as workspace paths keep changing per system and user.&amp;nbsp; We observed a similar issue for Python code as well, and after the WildFire check that code shows as malware (a false positive, as many times when we report it as incorrect the verdict gets changed).&lt;BR /&gt;&lt;BR /&gt;Is there anyone who also faces the same issue and found a solution? Please help on this.&amp;nbsp;&lt;BR /&gt;Thanks in advance.&lt;BR /&gt;&lt;BR /&gt;&lt;LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"&gt;&lt;/LI-PRODUCT&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 12 Nov 2021 05:38:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/447124#M1232</guid>
      <dc:creator>tejasp04</dc:creator>
      <dc:date>2021-11-12T05:38:54Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR blocks visual studio codes everytime</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/447214#M1233</link>
      <description>&lt;P&gt;Hi Tejasp04,&amp;nbsp;&lt;/P&gt;&lt;P&gt;I see several things to do here.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;You could report a wrong verdict from WF and in 24h it should be updated on our side. You will be notified by email about this.&lt;/LI&gt;&lt;/UL&gt;&lt;P class="lia-indent-padding-left-60px"&gt;Hint: From the key artifacts of the incident/alert, open the WF report, and in the upper right corner you can click to report the incorrect WF verdict.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Add an exception like a Global Digital Signer Exception. Please check if any other exception described in this doc could help you for other scenarios:&lt;/LI&gt;&lt;/UL&gt;&lt;P class="lia-indent-padding-left-90px"&gt;&lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-a-global-endpoint-policy-exception" target="_blank"&gt;https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/exceptions-security-profiles/add-a-global-endpoint-policy-exception&lt;/A&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;I believe that this doc will be more suited to your specific need: "Add a New Malware Security Profile". Here you can add signers to your allow list (STEP 3, read point 4).&amp;nbsp;&lt;/LI&gt;&lt;LI&gt;I am also pasting below how local analysis works and why the former should work (adding a signer to your allow list).&amp;nbsp;&lt;/LI&gt;&lt;/UL&gt;&lt;DIV&gt;&lt;UL&gt;&lt;LI&gt;&lt;DIV class=""&gt;&lt;DIV&gt;&lt;DIV&gt;Local analysis&lt;/DIV&gt;—When an unknown executable, DLL, or macro attempts to run on a Windows or Mac endpoint, the Cortex XDR agent uses local analysis to determine if it is likely to be malware. On Windows endpoints, if the file is signed by a known signer, the Cortex XDR agent permits the file to run and does not perform additional analysis. 
For files on Mac endpoints and files that are not signed by a known signer on Windows endpoints, the Cortex XDR agent performs local analysis to determine whether the file is malware. Local analysis uses a static set of pattern-matching rules that inspect multiple file features and attributes, and a statistical model that was developed with machine learning on WildFire threat intelligence. The model enables the Cortex XDR agent to examine hundreds of characteristics for a file and issue a local verdict (benign or malicious) while the endpoint is offline or Cortex XDR is unreachable. The Cortex XDR agent can rely on the local analysis verdict until it receives an official WildFire verdict or hash exception.&lt;/DIV&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;Local analysis is enabled by default in a Malware Security profile. Because local analysis always returns a verdict for an unknown file, if you enable the Cortex XDR agent to&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;Block files with unknown verdict&lt;/SPAN&gt;, the agent only blocks unknown files if a local analysis error occurs or local analysis is disabled. To change the default settings (not recommended), see&amp;nbsp;&amp;nbsp;Add a New Malware Security Profile.&lt;/DIV&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;/DIV&gt;&lt;P&gt;I hope this helps&lt;/P&gt;&lt;P&gt;Good weekend,&lt;/P&gt;&lt;P&gt;Luis&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 12 Nov 2021 14:50:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/447214#M1233</guid>
      <dc:creator>eluis</dc:creator>
      <dc:date>2021-11-12T14:50:54Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR blocks visual studio codes everytime</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/449046#M1273</link>
      <description>&lt;P&gt;Hi Eluis,&lt;/P&gt;&lt;P&gt;Thanks for your response.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've checked the above documents/article for the exception profile and signer exception, but unfortunately it didn't work in my organization. Developers are creating exes by compiling the code and running them directly, so they are not adding signatures there, and signatures are not required in their projects. For the local analysis exception, as checked, the Visual Code application is running/compiling that code and generating the exe with the powershell.exe process, and creating an exception for powershell.exe is not recommended in our org as it might lead to other threat execution.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;I observed very strange behaviour of XDR when one developer was compiling and running code through the Visual Code application. The same code was generating an exe with a different hash value every time, so XDR was taking a long time for analysis and it was in evaluation status every time. So there are cases where a user is frequently creating and running exes, and it is not feasible to ask WildFire to recheck verdicts every time.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;Is there anything more we can check on this, or is creating exceptions the only way to resolve these issues?&lt;BR /&gt;&lt;BR /&gt;Thanks in advance&amp;nbsp;&lt;span class="lia-unicode-emoji" title=":grinning_face:"&gt;😀&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 23 Nov 2021 06:08:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/449046#M1273</guid>
      <dc:creator>tejasp04</dc:creator>
      <dc:date>2021-11-23T06:08:06Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR blocks visual studio codes everytime</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/449053#M1274</link>
      <description>&lt;P&gt;Hi Tejasp04,&lt;/P&gt;&lt;P&gt;In this case I could recommend opening a support ticket. It might be that you need a support exception for your specific scenario.&amp;nbsp;&lt;/P&gt;&lt;P&gt;At this point I believe this is the best option; this should solve your issue.&lt;/P&gt;&lt;P&gt;KR,&lt;/P&gt;&lt;P&gt;Luis&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 23 Nov 2021 07:59:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/449053#M1274</guid>
      <dc:creator>eluis</dc:creator>
      <dc:date>2021-11-23T07:59:00Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR blocks visual studio codes everytime</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/512846#M2686</link>
      <description>&lt;P&gt;Hi Teja,&lt;BR /&gt;Have you found any way for this? We are also facing the same issue.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Aug 2022 14:25:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/512846#M2686</guid>
      <dc:creator>Anil_Racharla</dc:creator>
      <dc:date>2022-08-24T14:25:05Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR blocks visual studio codes everytime</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/512929#M2692</link>
      <description>&lt;P&gt;Hi Anil,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Discussed the same with the support team multiple times, and they are only suggesting adding exception rules in the profile for the affected user.&lt;/P&gt;
&lt;P&gt;Adding an exception profile worked in our case.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Aug 2022 03:56:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocks-visual-studio-codes-everytime/m-p/512929#M2692</guid>
      <dc:creator>tejasp04</dc:creator>
      <dc:date>2022-08-25T03:56:30Z</dc:date>
    </item>
  </channel>
</rss>

