topic Re: XDR AV Scan Alerts/Incidents in Cortex XDR Discussions

XDR AV Scan Alerts/Incidents

RamyashreeMada — Wed, 08 Nov 2023 09:58:29 GMT

Hello Team,

During AV scan, everytime we are recieving cache file is detected from the different hosts and filename and Hash is same. The file verdict is Benign.

Help me how can I address this file. As it is a temporary file.

Re: XDR AV Scan Alerts/Incidents

aspatil — Thu, 09 Nov 2023 08:54:42 GMT

Hello Ramyashree,

Thank you for writing to live community.

Could you please confirm whether you have checked which application is creating the cache file. Is that file creating in same location or different location?

Regards

Re: XDR AV Scan Alerts/Incidents

RamyashreeMada — Thu, 09 Nov 2023 09:06:18 GMT

Microsoft Edge is creating the cache file and file creating on same location.

Re: XDR AV Scan Alerts/Incidents

aspatil — Thu, 09 Nov 2023 09:43:47 GMT

Hello @RamyashreeMada ,

You can check with Microsoft or lookup the hash on Virus Total. As Hash and file name is same, you can create an exclusion or add it to the allow list.

Note: Exclusion are done on the organizational decision.

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: XDR AV Scan Alerts/Incidents

neelrohit — Thu, 09 Nov 2023 15:16:52 GMT

Hi @RamyashreeMada ,

To just add to previous responses. There is a possibility that these cached files are removed after some time and by the time WF verdict is generated the endpoint fails to take the update in the local cache as the file is no more available. Also, I would like to know if you see the verdict as "Benign" or it says "Benign LC" ? Benign LC means that the WF is not confident on the verdict and lets Local analysis module examine the file and take a decision. However, local analysis engine declares this as a malware and hence the alert event. In these corner cases, making allow lists is good to go on SHA256 level.

In such cases you can report the verdict as incorrect and request re-examination of the file manually. The next time, the verdict should come as a solid verdict ("Benign" or "Malware").
Though your query is slightly broad by nature, it would be narrowed down with some screenshots if you could be able to provide one. The screenshots below are not same. Hence, you might want to check for this.

Another possibility, I would be more interested in knowing if this is constantly being faced by endpoints of a specific agent version or is it across? This is something that I am considering that the verdict is a solid "Benign" and not "Benign LC".

The reason being is that we have historically had a known issue on the endpoints where they failed to update the WF local cache on the endpoint and the solution was to upgrade XDR agents to the releases fixing this issue. I would also recommend taking up some alert dump files for the same SHA256 prevention event on the endpoint and a TSF from the endpoint and opening a support case for the same.

Hope this helps! Please mark the response as "Accept as Solution" if it answers your query.

Re: XDR AV Scan Alerts/Incidents

RamyashreeMada — Thu, 09 Nov 2023 17:06:05 GMT

Thanks for the information.

Please find the details below:

The file verdict is "Benign LC".
Currently we are using 8.0.2 agent version on all endpoints.

Re: XDR AV Scan Alerts/Incidents

neelrohit — Thu, 09 Nov 2023 17:21:52 GMT

Makes sense now. So, you need to either whitelist the hash for the time being and then report the verdict as incorrect.

Steps below:

Log into Cortex XDR/XSIAM; in the Incident with a wrong verdict for a sample
Open detailed WildFire Analysis Report for the sample with the wrong verdict,
Use a button “Report Verdict as Incorrect” to open a new menu. Add your comments with proper verdict chosen and simply mention in the comments as "This is categorised as Benign LC and seems to Edge cache files. Please review and verdict accordingly. I am selecting <your choice of verdict> verdict for now"
Fill in the Verdict Change Request with a suggestion of a new verdict, your contact email, and a short explanation why you believe this verdict is incorrect. After the manual review is completed, a report will be sent to the email address you used here.
Once the verdict is recieved and if found benign, then it is converted to solid benign and you can remove the SHA256 from your allowlist

Hope this clarifies.