https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/594247#M7046 <P>Hi, I've added an alert exception for the detected file (<SPAN>PhotosService.exe)&nbsp;</SPAN>but&nbsp;<SPAN>Behavioral threat detected (rule: bioc.sync.critical_termination) is still being triggered when I try to launch the Photos app.</SPAN></P> Wed, 07 Aug 2024 14:58:49 GMT jdbst56 2024-08-07T14:58:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/594174#M7039 <P>Over the past two weeks we have been seeing detections/blocks from the following rule "<SPAN>Behavioral threat detected (rule: bioc.sync.critical_termination)" for known good files&nbsp;7z2301-x64.exe (7-zip install) and PhotosService.exe (part of built-in Windows Photos app).&nbsp; We only see the detections on a few systems, many systems have these same files without any detections.&nbsp; VirusTotal shows both files as clean and WildFire indicates they are benign.&nbsp; What is causing these detections to keep recurring for Behavioral threat detected (rule: bioc.sync.critical_termination) for these files only on certain systems?</SPAN></P> <P>&nbsp;</P> <P><SPAN>We have a case open since early last week but have not made any progress on this issue so I thought I would post here.</SPAN></P> Tue, 06 Aug 2024 17:26:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/594174#M7039 jdbst56 2024-08-06T17:26:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/594211#M7043 <P>While the case is analyzed and If it's a false positive then you can right click on the alert and add alert exception.. select the files based on which you want to add exception.&nbsp;</P> <P>&nbsp;</P> <P>This would make sure that alert is not triggered again on those files by that specific rule.</P> <P>&nbsp;</P> <P>You can later review your exception based on the case feedback&nbsp;</P> Wed, 07 Aug 2024 07:03:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/594211#M7043 Fm12345 2024-08-07T07:03:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/594247#M7046 <P>Hi, I've added an alert exception for the detected file (<SPAN>PhotosService.exe)&nbsp;</SPAN>but&nbsp;<SPAN>Behavioral threat detected (rule: bioc.sync.critical_termination) is still being triggered when I try to launch the Photos app.</SPAN></P> Wed, 07 Aug 2024 14:58:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/594247#M7046 jdbst56 2024-08-07T14:58:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/648878#M7459 <P>Hi&nbsp;<A id="link_20" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/300716" target="_self" aria-label="View Profile of jdbst56"><SPAN class="">jdbst56</SPAN></A></P> <P>You can right click on the alert and go to: manage alert option-&gt; exclude alert.</P> <P><SPAN>The agent continues to raise excluded alerts on the endpoint, but they are not saved or displayed in Cortex XDR.</SPAN></P> <P>More information about exclusion:&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Alert-Exclusions" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Alert-Exclusions</A></P> Fri, 22 Nov 2024 08:16:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/behavioral-threat-detected-rule-bioc-sync-critical-termination/m-p/648878#M7459 E.Jafarov 2024-11-22T08:16:39Z