Cortex XDR: False Positive detection of VulnDetect scripts

VulnDetect — Fri, 04 Nov 2022 10:33:34 GMT

Hi,

A number of our customers has complained about our signed PowerShell scripts being flagged and, in some cases, blocked by Cortex XDR.

The scripts in question can be found here:

https://stream.vulndetect.com/e/task.ps1

https://stream.vulndetect.com/e/functions.ps1

https://stream.vulndetect.com/e/VulnDetectMaintenance.ps1

Other than signing the scripts and asking customers to whitelist our signing certificate (which doesn't seem to suffice), what is the proper cause of actions to help our customers not getting these false positives?

The scripts are used as "wrappers" for running installers to upgrade software installations and doing some maintenance of temporary task folders.

Kind regards,

Tom

SecTeer - https://secteer.com/

VulnDetect - https://vulndetect.org/

Re: Cortex XDR: False Positive detection of VulnDetect scripts

neelrohit — Fri, 04 Nov 2022 10:53:26 GMT

Hi @VulnDetect ,

These seems to be some scripts which are doing discovery on process actions and hence this is categorised by cortex XDR as a script based attack.

This is a post execution module detection and signer whitelists are not going to work for this. Please ask your customers to create alert exceptions for the same and retrieve the alert data and send it to engineering for investigation and fix. If the engineering declares this as a legit action, they will add the fix in the content updates and once your endpoints get the CU, you can ask to remove the alert exceptions for the same and it should not be blocked.

Hope that answers your question!

Regards

topic Cortex XDR: False Positive detection of VulnDetect scripts in Cortex XDR Discussions

Cortex XDR: False Positive detection of VulnDetect scripts

Re: Cortex XDR: False Positive detection of VulnDetect scripts