topic Re: Evasion Technique - 3348100960 in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/evasion-technique-3348100960/m-p/566388#M5581 <P>Started a support case and it was determined to be a false positive and will be fixed in the next content release (1190).</P> Mon, 27 Nov 2023 19:47:30 GMT CJNTS 2023-11-27T19:47:30Z Evasion Technique - 3348100960 https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/evasion-technique-3348100960/m-p/565595#M5534 <P><SPAN class=""><SPAN>“Behavior of hiding RWX code by modifying it to RX”</SPAN></SPAN></P> <P><SPAN class="">I've been seeing this alert that is considered high criticality and is blocking Windows updates. </SPAN></P> <P>&nbsp;</P> <P><SPAN class="">Everything I can see says that this is benign. </SPAN></P> <P><SPAN class="">XDR is saying that the Windows process is a non-whitelist CGO. I've verified that this is the legitimate Microsoft WerFault.exe<BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CharlieJohnstonNTS_0-1699971904273.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55163iD9D6C059DFF8BCAA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CharlieJohnstonNTS_0-1699971904273.png" alt="CharlieJohnstonNTS_0-1699971904273.png" /></span></P> <P>&nbsp;</P> <P>There is no description of what is triggering this alert, there is no description of this evasion technique, and the causality chain is very little help.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CharlieJohnstonNTS_1-1699972124759.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55165iE4BD256320A867A7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CharlieJohnstonNTS_1-1699972124759.png" alt="CharlieJohnstonNTS_1-1699972124759.png" /></span></P> <P>I've also verified that the behavior is caused when a user tries to update, or an automatic update starts.</P> <P>Is anyone having a similar issue where XDR is blocking Windows updates?</P> <P><SPAN class="">&nbsp;</SPAN></P> Tue, 14 Nov 2023 14:30:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/evasion-technique-3348100960/m-p/565595#M5534 CJNTS 2023-11-14T14:30:04Z Re: Evasion Technique - 3348100960 https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/evasion-technique-3348100960/m-p/566388#M5581 <P>Started a support case and it was determined to be a false positive and will be fixed in the next content release (1190).</P> Mon, 27 Nov 2023 19:47:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/evasion-technique-3348100960/m-p/566388#M5581 CJNTS 2023-11-27T19:47:30Z