https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-domain-controllers-exceptions/m-p/535473#M3915 <P><SPAN>Hi </SPAN><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/145475" target="_blank"><SPAN>@Majid1Khan</SPAN></A><SPAN>,</SPAN></P> <P>&nbsp;</P> <P><SPAN>I’ve taken a look at your list of exceptions received from Microsoft.&nbsp; It appears that some of them are individual files/file types.&nbsp; Others such as $db_normal$ appear to refer to a certain location on disk.&nbsp; Looking at this </SPAN><A href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide" target="_blank"><SPAN>Microsoft documentation</SPAN></A><SPAN> I was able to find references to what you were given.</SPAN></P> <P>&nbsp;</P> <P><STRONG>SYSVOL Exceptions</STRONG></P> <P><SPAN>$db_normal$ - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>FileIDTable_* - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>SimilarityTable_* - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>*.xml - </SPAN><STRONG>File Type</STRONG><SPAN>&nbsp;</SPAN></P> <P><SPAN>$db_dirty$ - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>$db_clean$ - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>$db_lost$ -</SPAN><STRONG> See below</STRONG></P> <P><SPAN>Dfsr.db - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>Fsr.chk - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>*.frx - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>*.log - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>Fsr*.jrs - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>Tmp.edb - </SPAN><STRONG>File Type</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_0-1679504249225.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48959i56FBC0554C9DD251/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_0-1679504249225.png" alt="anlynch_0-1679504249225.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_1-1679504249307.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48960iFE858FADEF0C7C02/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_1-1679504249307.png" alt="anlynch_1-1679504249307.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>In the screenshot above you can see a lot of the file types you mentioned in your previous post.&nbsp; I hope this helps clarify the exceptions you would need to input into Cortex XDR.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please reply to this comment if you have any further questions.&nbsp; We’re happy to help.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Have a great day!</SPAN></P> Wed, 22 Mar 2023 16:57:50 GMT anlynch 2023-03-22T16:57:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-domain-controllers-exceptions/m-p/535394#M3910 <P>Hi Team,</P> <P>&nbsp;</P> <P>We are having replication issues across the domain controllers and Microsoft is suspecting its an issue with Cortex and they want the the below files to be created as an exceptions across all our domain controllers.</P> <P>&nbsp;</P> <P>To rule out Cortex issue we thought we will put this DC's in report mode instead of Block, as it is a risk of keeping DC's in report mode for longer duration till the replication is completed.</P> <P>&nbsp;</P> <P>But im not able to add the below in the exclusions as it is not allowing this format in Cortex, please advise?</P> <P>&nbsp;</P> <P style="font-weight: 400;">The following will need to be exception in Cortex AV. Once exceptioned and the list of files waiting to be replicated drops then Microsoft will investigate further.</P> <P style="font-weight: 400;">&nbsp;</P> <P style="font-weight: 400;"><STRONG><U>SYSVOL Exceptions</U></STRONG></P> <P style="font-weight: 400;">$db_normal$</P> <P style="font-weight: 400;">FileIDTable_*</P> <P style="font-weight: 400;">SimilarityTable_*</P> <P style="font-weight: 400;">*.xml</P> <P style="font-weight: 400;">$db_dirty$</P> <P style="font-weight: 400;">$db_clean$</P> <P style="font-weight: 400;">$db_lost$</P> <P style="font-weight: 400;">Dfsr.db</P> <P style="font-weight: 400;">Fsr.chk</P> <P style="font-weight: 400;">*.frx</P> <P style="font-weight: 400;">*.log</P> <P style="font-weight: 400;">Fsr*.jrs</P> <P style="font-weight: 400;">Tmp.edb</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 22 Mar 2023 12:00:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-domain-controllers-exceptions/m-p/535394#M3910 Majid1Khan 2023-03-22T12:00:37Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-domain-controllers-exceptions/m-p/535433#M3913 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/145475">@Majid1Khan</a>,</P> <P>&nbsp;</P> <P>I'm researching this issue for you now and will get back to you as quickly as I can.</P> Wed, 22 Mar 2023 14:47:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-domain-controllers-exceptions/m-p/535433#M3913 anlynch 2023-03-22T14:47:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-domain-controllers-exceptions/m-p/535473#M3915 <P><SPAN>Hi </SPAN><A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/145475" target="_blank"><SPAN>@Majid1Khan</SPAN></A><SPAN>,</SPAN></P> <P>&nbsp;</P> <P><SPAN>I’ve taken a look at your list of exceptions received from Microsoft.&nbsp; It appears that some of them are individual files/file types.&nbsp; Others such as $db_normal$ appear to refer to a certain location on disk.&nbsp; Looking at this </SPAN><A href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide" target="_blank"><SPAN>Microsoft documentation</SPAN></A><SPAN> I was able to find references to what you were given.</SPAN></P> <P>&nbsp;</P> <P><STRONG>SYSVOL Exceptions</STRONG></P> <P><SPAN>$db_normal$ - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>FileIDTable_* - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>SimilarityTable_* - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>*.xml - </SPAN><STRONG>File Type</STRONG><SPAN>&nbsp;</SPAN></P> <P><SPAN>$db_dirty$ - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>$db_clean$ - </SPAN><STRONG>See below</STRONG></P> <P><SPAN>$db_lost$ -</SPAN><STRONG> See below</STRONG></P> <P><SPAN>Dfsr.db - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>Fsr.chk - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>*.frx - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>*.log - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>Fsr*.jrs - </SPAN><STRONG>File Type</STRONG></P> <P><SPAN>Tmp.edb - </SPAN><STRONG>File Type</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_0-1679504249225.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48959i56FBC0554C9DD251/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_0-1679504249225.png" alt="anlynch_0-1679504249225.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anlynch_1-1679504249307.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48960iFE858FADEF0C7C02/image-size/medium?v=v2&amp;px=400" role="button" title="anlynch_1-1679504249307.png" alt="anlynch_1-1679504249307.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>In the screenshot above you can see a lot of the file types you mentioned in your previous post.&nbsp; I hope this helps clarify the exceptions you would need to input into Cortex XDR.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please reply to this comment if you have any further questions.&nbsp; We’re happy to help.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Have a great day!</SPAN></P> Wed, 22 Mar 2023 16:57:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-domain-controllers-exceptions/m-p/535473#M3915 anlynch 2023-03-22T16:57:50Z