https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/392204#M631 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/162770">@JoeDay</a>,</P><P>&nbsp;</P><P>It appears that you are trying to collect the local verdict for a file on an endpoint by extracting the wf_verdicts.db file. Currently, there's no public documentation available to share regarding the file. Would you like to explain that goal that you have in mind that would potentially utilize this information?</P> Thu, 18 Mar 2021 21:12:38 GMT gjenkins 2021-03-18T21:12:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/391876#M624 <P><SPAN>Exported&nbsp;wf_verdicts.db from an endpoint to validate local verdicts. Is there any reference for return codes and their meanings?</SPAN></P><P>&nbsp;</P><P><SPAN>example:</SPAN></P><P>"value": {<BR />"verdict": 3,<BR />"lruData": {<BR />"lastUsed": "1613061210",<BR />"index": "65945"</P> Wed, 17 Mar 2021 22:33:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/391876#M624 JoeDay 2021-03-17T22:33:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/392204#M631 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/162770">@JoeDay</a>,</P><P>&nbsp;</P><P>It appears that you are trying to collect the local verdict for a file on an endpoint by extracting the wf_verdicts.db file. Currently, there's no public documentation available to share regarding the file. Would you like to explain that goal that you have in mind that would potentially utilize this information?</P> Thu, 18 Mar 2021 21:12:38 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/392204#M631 gjenkins 2021-03-18T21:12:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/393951#M645 <P>Hi,</P><P>&nbsp;</P><P>I'd also like to point out that the local hash cache can be queried on Windows Endpoints using the following command which is more user-friendly than viewing the db file.</P><P>&nbsp;</P><P>&nbsp; &nbsp;&nbsp;<SPAN>cytool wf query [&lt;hash&gt;]</SPAN></P><P>&nbsp;</P><P>Note: The supervisor password is required to issue this command.</P><P>&nbsp;</P><P>Source:&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-0/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool.html" target="_blank">https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-0/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/troubleshoot-cortex-xdr-for-windows/cytool.html</A></P> Thu, 25 Mar 2021 16:06:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/393951#M645 gjenkins 2021-03-25T16:06:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/397359#M658 <P>The verdicts handling was changed in version 7.2.</P><P>&nbsp;</P><P>To check (verify) the verdict on the agent.</P><OL><LI>Export the entire wf_verdicts.db using cytool command: cytool persist export wf_verdicts.</LI><LI>Open the resulted JSON file using Text editor and search on the hash</LI></OL><P>Verdicts:<BR />Invalid = 0,<BR />Benign = 1,<BR />Malware = 2,<BR />Unknown = 3,<BR />Grayware = 4,<BR />NoConnection = 5</P> Mon, 12 Apr 2021 21:01:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wf-vericts-json-file-verdict-values/m-p/397359#M658 JoeDay 2021-04-12T21:01:48Z