topic Wildfire Test File in Cortex XDR Discussions

Wildfire Test File

Chris_Dietz — Fri, 17 Feb 2023 15:43:55 GMT

Has anyone had issues with the Wildfire Test file not showing up as an alert in the cloud? On the workstation it's getting blocked just fine. I haven't had a regular alert fire in about 2 months. Just wondering if I have an underlying communication issue. Also looked at the logs to verified no proxies are setup.

Re: Wildfire Test File

mavraham — Sun, 19 Feb 2023 17:07:17 GMT

Hi @Chris_Dietz

Thank you for writing to Live Community.

What you’re describing could stem from a variety of reasons.

1. You mention you have not seen an alert in months, are you using the same test pe file on both machines? Have you tried downloading a new test pe file and checking if it generates alerts in your cloud environment?

2. If downloading a new file does not trigger the alerts again, please take a look at the alert exclusions configurations by going into Settings → Exception Configuration → Alert Exclusions and check if there’s an existing rule to suppress this type of alerts.

3. If you did not find it under alert exclusion, please go into IOC/BIOC suppression settings by going into Settings → Exception Configuration → IOC/BIOC Suppression Rules and make sure there is no suppression rule set to prevent the test pe file from running.

4. You raised concerns about the file not getting blocked. Can you log into your VM and try a custom scan? You can initiate a scan on demand to examine a specific file or folder. If there aren’t any settings allowing this specific file to run (hash-allow list or exception) it should be blocked.

Please let me know if any of these steps helped!

Re: Wildfire Test File

Chris_Dietz — Mon, 20 Feb 2023 12:39:12 GMT

Hi, yes I tried the same test pe file on both machines. I downloaded a fresh copy to see if anything changed, and it had not. Verified no exceptions this morning in both places you recommended. Currently running a malware scan now to see if it will pick it up.

The strange thing is that it will block it on the local machine, however I'm not getting a cloud alert for it. I noticed that there was a hot fix CPATR-18853 that might have something to do with it. Any ideas on what to do from here?

Re: Wildfire Test File

Chris_Dietz — Mon, 20 Feb 2023 12:55:20 GMT

Also ran a custom scan on the file itself. It identifies correctly as a suspicious file, however the alert is not getting to the cloud and I'm not getting an email notification. Thanks for the steps. I'm going to make some notes and initiate a support ticket.

Re: Wildfire Test File

mavraham — Mon, 20 Feb 2023 17:47:04 GMT

Thanks for sharing @Chris_Dietz.

In this instance, a support ticket would indeed be more useful, as you'd be able to share with us screenshots and configurations you wouldn't want to exposed in a public forum.

Just a quick note - email notification exclusions are different than alert exclusions. However, if you're not seeing the alert at all then a support ticket is still warranted.

Hope you are able to solve this quickly.