topic Re: False Positive: Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection in Cortex XDR Discussions

False Positive: Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection

Rindsland — Fri, 21 Jan 2022 14:13:55 GMT

Hi we see a problem with a powershell Script we are using to clean up Profiles on some specific Remote Session Host Servers.

It will be blocked by Cortex XDR Pro and so I want to make an Exception for this.

Unfortunately it seems only possible to do an Alert Exception for this and so it will allow the Initiator CGO "Powershell.exe"

for the Ransomware Module in General, which seems to be a bit to dangerous for me.

I didn't found anything to allow just the Powershell Script + Path + Systemname (for example) instead of powershell.exe.

You can edit very granular Exclusions but it seems to be not possible to do the same for exceptions, or?

Is there maybe something other, I can do, to allow the Script without giving any powershell script free to run?

Kind Regards

Marcus

Re: False Positive: Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection

bbarmanroy — Mon, 24 Jan 2022 02:39:56 GMT

Hi @Rindsland, your question seems to be similar to this. You can create a Malware Profile (Step 3, sub-step 3) allowing the PS script (full path) to be exempted from analysis and associate it with a policy that is applied to the selected set of servers.

If this works for your case, please let us know if it worked, and accept the response as a solution for others to refer to and follow.

Re: False Positive: Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection

Rindsland — Mon, 24 Jan 2022 07:41:41 GMT

Hi @bbarmanroy , it comes from Module Anti-Ransomware Protection, so I am not sure, if it really helps here, but I will give it a try.

Looks for me that the Anti-Ransomware Modul doesn't have really a exception, or?

I am also aware that I also can stop the Modul completely via Malware Profile on our Remote Session Host Servers, but I think you will also agree, that this not a good idea.

Anyway thank you for your Input and trying to help for finding a Solution for this.

Best regards

Marcus

Re: False Positive: Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection

bbarmanroy — Mon, 24 Jan 2022 10:00:33 GMT

Hi @Rindsland the Powershell script that you're trying to execute is vetted and trusted within your organization, if I understand correctly. If Cortex XDR is flagging it as a ransomware and preventing it from executing, that is because the script possibly has some actions that are similar in nature to a ransomware. Which is good - it is a sign that you're running the Ransomware module protection in Block mode!

Coming back to your need, what I am recommending is for you to create an Exception only for that trusted script, and apply it to only those set of servers. No other modules or protections are being disabled, for anything else that is running in your organization.

The recommendation is:

1. create a copy of your existing Malware profile that is currently applied to those servers.

2. Edit the new Malware profile to create an exception for the trusted powershell script.

3. Create a new policy that will apply the Malware profile to the specific set of servers.

Hope this clarifies my recommendation.

Re: False Positive: Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection

eumbach — Wed, 25 Jan 2023 15:53:13 GMT

@bbarmanroy Where? I don't see anything under this module.

Re: False Positive: Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection

bbarmanroy — Thu, 26 Jan 2023 07:37:46 GMT

Hey @eumbach , you'll need to perform the action under PE and DLL examination (step 3c) and see if that meets your requirements.

Re: False Positive: Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection

eumbach — Wed, 22 Feb 2023 20:39:14 GMT

That's a directory not a CGO.