topic Re: File search and destroy in Cortex XDR Discussions

File search and destroy

RamyashreeMada — Thu, 07 Sep 2023 12:25:27 GMT

Hello Team,

We are unable to delete certain file due to the error "Access is denied".

Is there any other way to delete these files.

Re: File search and destroy

abdrahman — Thu, 07 Sep 2023 16:26:13 GMT

Thank you for reaching out to live community. Please note that we do have a feature known as search and destroy malicious files in Cortex XDR.

This feature helps you in searching for specific files according to the file hash, the file full path, or a partial path using regex parameters from the Action Center or the Query Builder. After you find the file, you can quickly select it in the search results and destroy the file by hash or by path. You can also destroy a file from the Action Center, without performing a search, if you know the path or hash. When you destroy a file by hash, all the file instances on the endpoint are removed.

For further details please find the Document provided below with detail steps on how to configure this feature. Thank you:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Search-and-Destroy-Malicious-Files

If you find this answer relevant to resolve your query, then please mark this as a Solution. Thank you.

Re: File search and destroy

MosR — Mon, 11 Sep 2023 18:12:48 GMT

The response is more general and specific to the issue presented by the user. I think you get access denied because the file is already being used or locked by windows, the best way to delete is from software center. But don't take my word for it, I'm still researching this issue too. I was also under the impression that Cortex xdr agent has elevated privileges, so it should not be permission level issues.