topic Re: Cortex XDR quarantined Chrome in Cortex XDR Discussions

Cortex XDR quarantined Chrome

LCMember4420 — Wed, 08 Feb 2023 22:42:53 GMT

Anyone else running into this today?

Prevention Information: Prevention date: Wednesday, February 8, 2023 Prevention time: 1:36:40 PM OS version: 10.0.22621 Component: Hash Control Cortex XDR code: C0400055 Prevention description: Suspicious executable detected Verdict: 2 Quarantined: True Post-Detected: False

https://www.reddit.com/r/paloaltonetworks/comments/10xclj0/cortex_xdr_putting_chrome_in_quarantine/

Re: Cortex XDR quarantined Chrome

etugriceri — Fri, 10 Feb 2023 09:39:44 GMT

Hi @LCMember4420

Could you share the hash of the file ?

"Suspicious executable detected" is generally producing by "Local analysis module" , Please check WF verdict and if binary is google binary ( I mean published by google), You can add hash into Allow list.

Re: Cortex XDR quarantined Chrome

fmoixsante — Fri, 10 Feb 2023 11:49:55 GMT

Hi @LCMember4420,

Component: Hash Control, means that the hash associated to that application has been added to the Deny List in Action Center. Could you please get the Initiated SHA-256 value, go to Action Center > Deny list and filter by that value? I believe that you will see it there. If you see it there, you can remove it from that list.

Please note, Wildfire and Local Analysis are automated processes within Cortex XDR, and it is always recommended to rely on this process. However, Cortex XDR admins can override the Wildfire/ Local Analysis Verdict by adding hashes in the Allow/Deny List in Action Center and if a hash that is in the Deny list is executed, it will create an alert with Module=Hash Control.