<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cortex XDR agent and EICAR malware test file in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-eicar-malware-test-file/m-p/574473#M5955</link>
    <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/134297"&gt;@stig_72&lt;/a&gt;,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope you are doing well. And thank you for reaching out to the Live Community. I understand that you are trying to test Cortex XDR with the EICAR file; however, please note that Cortex does not detect this file as malware for legitimate reasons. I do understand that the EICAR file is used for testing universally, but the fact that it is a dummy file remains constant.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;If you would like to test Cortex XDR, you can use our Malware test file using Wildfire APIs, and each time you get a new, different malicious hash, which could be used for testing. Please find the link below, thank you:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-wildfire-information-through-the-wildfire-api/get-a-malware-test-file-wildfire-api" target="_blank"&gt;https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-wildfire-information-through-the-wildfire-api/get-a-malware-test-file-wildfire-api&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.&lt;/P&gt;</description>
    <pubDate>Thu, 25 Jan 2024 13:55:40 GMT</pubDate>
    <dc:creator>abdrahman</dc:creator>
    <dc:date>2024-01-25T13:55:40Z</dc:date>
    <item>
      <title>Cortex XDR agent and EICAR malware test file</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-eicar-malware-test-file/m-p/573876#M5917</link>
      <description>&lt;P&gt;Hi team,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It feels like I'm missing something and so would appreciate it if someone could explain to me why the XDR agent on Windows (latest 8.2.1 with block policy) is not reacting to EICAR malware test file (X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H)? I tried malware scan on the file but the agent reported it clean. I fully realise it's a dummy file but thought XDR still had it in its database for testing purposes.&lt;/P&gt;
&lt;P&gt;There's no other AV or EDR solution present on that server, FYI.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The malware test PE file that Palo provides works like a charm by the way.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/advanced-wildfire/administration/configure-advanced-wildfire-analysis/verify-wildfire-submissions/test-a-sample-malware-file" target="_blank"&gt;https://docs.paloaltonetworks.com/advanced-wildfire/administration/configure-advanced-wildfire-analysis/verify-wildfire-submissions/test-a-sample-malware-file&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any insight will be appreciated, thank you.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jan 2024 09:47:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-eicar-malware-test-file/m-p/573876#M5917</guid>
      <dc:creator>stig_72</dc:creator>
      <dc:date>2024-01-22T09:47:30Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR agent and EICAR malware test file</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-eicar-malware-test-file/m-p/574473#M5955</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/134297"&gt;@stig_72&lt;/a&gt;,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope you are doing well. And thank you for reaching out to the Live Community. I understand that you are trying to test Cortex XDR with the EICAR file; however, please note that Cortex does not detect this file as malware for legitimate reasons. I do understand that the EICAR file is used for testing universally, but the fact that it is a dummy file remains constant.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;If you would like to test Cortex XDR, you can use our Malware test file using Wildfire APIs, and each time you get a new, different malicious hash, which could be used for testing. Please find the link below, thank you:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-wildfire-information-through-the-wildfire-api/get-a-malware-test-file-wildfire-api" target="_blank"&gt;https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-wildfire-information-through-the-wildfire-api/get-a-malware-test-file-wildfire-api&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jan 2024 13:55:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-eicar-malware-test-file/m-p/574473#M5955</guid>
      <dc:creator>abdrahman</dc:creator>
      <dc:date>2024-01-25T13:55:40Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR agent and EICAR malware test file</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-eicar-malware-test-file/m-p/574477#M5957</link>
      <description>&lt;P&gt;It's all good, I figured as much. I suppose it'd be good to have that referenced somewhere in official Palo Alto resources regarding XDR, so one could easily point their clients to it in case there are questions like that. Cheers.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jan 2024 14:14:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-and-eicar-malware-test-file/m-p/574477#M5957</guid>
      <dc:creator>stig_72</dc:creator>
      <dc:date>2024-01-25T14:14:17Z</dc:date>
    </item>
  </channel>
</rss>

