topic Legacy Agent Exception in Cortex XDR Discussions

Legacy Agent Exception

JahidAliyev — Thu, 22 Feb 2024 11:07:27 GMT

Hello,

I have a file and when I run it, Cortex XDR blocks it and shows me some information:
"""

Application information:
Application name: Windows Explorer
Application version: 10.0.22621.3007
Application publisher: Microsoft Corporation
Process ID: 20676
Application location: C:\Windows\explorer.exe
Command line: C:\WINDOWS\Explorer.EXE
File origin: Hard drive on this computer

Target application information:
Application name: Java(TM) Platform SE binary
Application version: 21.0.2.0
Application publisher: Oracle Corporation
Process ID: 2432
Application location: C:\Program Files\Java\jdk-21\bin\javaw.exe
Command line: "C:\Program Files\Java\jdk-21\bin\javaw.exe" -jar "C:\Users\ayxanp\AppData\Local\Temp\961644af-8259-4735-a751-8b545a44ed02_apache-jmeter-5.6.3.tgz.d02\apache-jmeter-5.6.3\bin\ApacheJMeter.jar"
File origin: Hard drive on this computer

Prevention information:
Prevention date: Thursday, February 22, 2024
Prevention time: 11:30:43
OS version: 10.0.22631.2.0.0.256.1
Component: Child Process Protection
Status code: 80400057
Prevention description: Suspicious process creation detected
Additional information 1: explorer.exe
Additional information 2: C:\Program Files\Java\jdk-21\bin\javaw.exe
Additional information 3: -jar "C:\Users\ayxanp\AppData\Local\Temp\961644af-8259-4735-a751-8b545a44ed02_apache-jmeter-5.6.3.tgz.d02\apache-jmeter-5.6.3\bin\ApacheJMeter.jar"
Additional information 4: ChildProcessPattern: *\javaw.exe, Flag: D, CommandLineRegex: ((?i)([-/]jar\s+\"?((\Q%temp%\E)|(\Q%templong%\E)|(\Q%SystemDrive%\E\\Users\\.*\\temp)|(\Q%SystemDrive%\E\\docume.*\\temp))\\.*))

"""

I need to create legacy agent exception for that. When I go to this page, I choose "Malware > Malicious Child Process Protection" as module and it requires me to fill three things which are:
1. Parent Process Name
2. Child Process Name
3. Child Process Command Line Params

Can you tell me what should I write to these three fields according to my case? And, can you tell me whether I chose the module correct or not?

Re: Legacy Agent Exception

jmazzeo — Fri, 23 Feb 2024 13:19:41 GMT

Hi @JahidAliyev, thanks for reaching us using the Live Comminty.

Looks like is a user starting a Java process that calls a jar file.

Try with this:

1. Parent Process Name: explorer.exe
2. Child Process Name: javaw.exe
3. Child Process Command Line Params: -jar "C:\Users\ayxanp\AppData\Local\Temp\961644af-8259-4735-a751-8b545a44ed02_apache-jmeter-5.6.3.tgz.d02\apache-jmeter-5.6.3\bin\ApacheJMeter.jar"

Let me know if that works.

Re: Legacy Agent Exception

Arman_Zaheri — Thu, 04 Apr 2024 11:44:38 GMT

I also face the same problem on multiple clients, but I didn't understand how your approach is different?

Re: Legacy Agent Exception

Arman_Zaheri — Thu, 04 Apr 2024 12:09:36 GMT

I also tested something very interesting. I tried to run a JAR files directly (out of an archive like 7z, tgz and so on) and it executed without any problem. Then, in the second scenario, I put the JAR file into a 7z archive and tried to executed it from inside the archive and suddenly Cortex blocked it.

So, you can also extract your TGZ archive and try to run your JAR file.