https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-is-unable-to-block-usb-viruses-the-reason-is-unknown/m-p/590161#M6839 <P>We recently encountered an issue where a user's computer got infected with a USB virus after inserting a USB drive. The virus uses USB Driver.exe to create some directories and malicious programs as shown in the attached image. Additionally, it uses vmnet.exe to load these DLL files. However, Cortex XDR did not block it.</P> <P>We have already enabled the blocking rules in the Malware settings, but it did not take effect. We also created BIOC rules using the hashes of these files and configured it to block these DLL files when they are loaded [under Restrictions &gt;&gt; Custom Prevention Rules (we have enabled and applied these BIOC rules)], but this method still did not block them.</P> <P>However, when using another computer without Cortex XDR installed, Windows Defender was able to block this behavior. Is there any other method to make Cortex XDR block this behavior?</P> <P>&nbsp;</P> <P>IOC Sha256&nbsp;</P> <P>f985ac059ee73509750b7558e7482d69e37db280b484d1c728efcd49bf6f58a7</P> <P>fd2a17e747fac2b5fcba3ea714a811baaa83f5c47625579c32b969c574c5ef24</P> <P>fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b</P> <P>986ea546af34333c4b50e64a8b8712aa7643bb74aed8c48c789abcd51972dfaf</P> <P>&nbsp;</P> Mon, 24 Jun 2024 04:47:42 GMT kentwuhc 2024-06-24T04:47:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-is-unable-to-block-usb-viruses-the-reason-is-unknown/m-p/590161#M6839 <P>We recently encountered an issue where a user's computer got infected with a USB virus after inserting a USB drive. The virus uses USB Driver.exe to create some directories and malicious programs as shown in the attached image. Additionally, it uses vmnet.exe to load these DLL files. However, Cortex XDR did not block it.</P> <P>We have already enabled the blocking rules in the Malware settings, but it did not take effect. We also created BIOC rules using the hashes of these files and configured it to block these DLL files when they are loaded [under Restrictions &gt;&gt; Custom Prevention Rules (we have enabled and applied these BIOC rules)], but this method still did not block them.</P> <P>However, when using another computer without Cortex XDR installed, Windows Defender was able to block this behavior. Is there any other method to make Cortex XDR block this behavior?</P> <P>&nbsp;</P> <P>IOC Sha256&nbsp;</P> <P>f985ac059ee73509750b7558e7482d69e37db280b484d1c728efcd49bf6f58a7</P> <P>fd2a17e747fac2b5fcba3ea714a811baaa83f5c47625579c32b969c574c5ef24</P> <P>fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b</P> <P>986ea546af34333c4b50e64a8b8712aa7643bb74aed8c48c789abcd51972dfaf</P> <P>&nbsp;</P> Mon, 24 Jun 2024 04:47:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-is-unable-to-block-usb-viruses-the-reason-is-unknown/m-p/590161#M6839 kentwuhc 2024-06-24T04:47:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-is-unable-to-block-usb-viruses-the-reason-is-unknown/m-p/590488#M6856 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/228205">@kentwuhc</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity. Since this requires investigation of activity to find the root cause please open a support case. Support team will be able to help you with blocking of this malware.&nbsp;</P> Wed, 26 Jun 2024 14:15:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-is-unable-to-block-usb-viruses-the-reason-is-unknown/m-p/590488#M6856 nsinghvirk 2024-06-26T14:15:17Z