<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Question around unsigned binaries and Cortex XDR agent detections in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-around-unsigned-binaries-and-cortex-xdr-agent/m-p/1225245#M8158</link>
    <description>&lt;P&gt;Hi folks,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've been administering Cortex XDR Pro for a few years now, and just lately, in the last 3-4 months, we've noticed that unsigned binaries that just got created (usually some of our internal developers testing builds) aren't automatically blocked by the XDR agent anymore.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It was my impression that Cortex XDR Pro was preventing execution of newly created binaries when they aren't signed. At least we used to have a lot of requests back in the day when people were trying to execute their apps that they had just compiled into an unsigned executable. Those used to be detected and blocked at the agent level. We would usually recommend that the developer sign their executable, and worst case we would add the hash of the executable to the allow list until the file got signed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Just to give you folks an idea, we took one of those executables that got blocked back in Jan 2025 at the XDR agent level. We recompiled it to make sure the hash changed so that the WildFire verdict doesn't come into play. And today it isn't blocked anymore: same code except one extra space in a comment, still an unsigned, newly created binary.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Can anyone confirm if they've noticed that behavior change lately within the product?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 31 Mar 2025 19:23:24 GMT</pubDate>
    <dc:creator>Luc_Desaulniers</dc:creator>
    <dc:date>2025-03-31T19:23:24Z</dc:date>
    <item>
      <title>Question around unsigned binaries and Cortex XDR agent detections</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-around-unsigned-binaries-and-cortex-xdr-agent/m-p/1225245#M8158</link>
      <description>&lt;P&gt;Hi folks,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I've been administering Cortex XDR Pro for a few years now, and just lately, in the last 3-4 months, we've noticed that unsigned binaries that just got created (usually some of our internal developers testing builds) aren't automatically blocked by the XDR agent anymore.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It was my impression that Cortex XDR Pro was preventing execution of newly created binaries when they aren't signed. At least we used to have a lot of requests back in the day when people were trying to execute their apps that they had just compiled into an unsigned executable. Those used to be detected and blocked at the agent level. We would usually recommend that the developer sign their executable, and worst case we would add the hash of the executable to the allow list until the file got signed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Just to give you folks an idea, we took one of those executables that got blocked back in Jan 2025 at the XDR agent level. We recompiled it to make sure the hash changed so that the WildFire verdict doesn't come into play. And today it isn't blocked anymore: same code except one extra space in a comment, still an unsigned, newly created binary.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Can anyone confirm if they've noticed that behavior change lately within the product?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 31 Mar 2025 19:23:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-around-unsigned-binaries-and-cortex-xdr-agent/m-p/1225245#M8158</guid>
      <dc:creator>Luc_Desaulniers</dc:creator>
      <dc:date>2025-03-31T19:23:24Z</dc:date>
    </item>
    <item>
      <title>Re: Question around unsigned binaries and Cortex XDR agent detections</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-around-unsigned-binaries-and-cortex-xdr-agent/m-p/1225428#M8164</link>
<description>&lt;P&gt;Hello &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/177062"&gt;@Luc_Desaulniers&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you for bringing this matter to our attention. We understand your concerns regarding the recent behavior of the Cortex XDR agent in handling unsigned binaries, especially in light of your past experiences.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="" data-start="865" data-end="1129"&gt;To ensure optimal protection and functionality, we recommend the following steps:&lt;/P&gt;
&lt;OL data-start="1131" data-end="1625"&gt;
&lt;LI class="" data-start="1131" data-end="1245"&gt;
&lt;P class="" data-start="1134" data-end="1245"&gt;&lt;STRONG data-start="1134" data-end="1159"&gt;Verify Agent Version:&lt;/STRONG&gt; &lt;SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem]"&gt;Confirm that all endpoints are running the latest version of the Cortex XDR agent. Upgrading to the most recent release ensures that all known vulnerabilities are patched and that you benefit from the latest security enhancements.&lt;/SPAN&gt;​&lt;/P&gt;
&lt;/LI&gt;
&lt;LI class="" data-start="1247" data-end="1367"&gt;
&lt;P class="" data-start="1250" data-end="1367"&gt;&lt;STRONG data-start="1250" data-end="1281"&gt;Review Prevention Policies:&lt;/STRONG&gt; &lt;SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem]"&gt;Examine your existing Malware and Restrictions profiles within the Cortex XDR console. Ensure that the policies governing the execution of unsigned binaries align with your organization's security requirements. Adjustments might be necessary to balance security with operational needs.&lt;/SPAN&gt;​&lt;/P&gt;
&lt;/LI&gt;
&lt;LI class="" data-start="1369" data-end="1496"&gt;
&lt;P class="" data-start="1372" data-end="1496"&gt;&lt;STRONG data-start="1372" data-end="1410"&gt;Implement Custom Prevention Rules:&lt;/STRONG&gt; &lt;SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem]"&gt;If specific behaviors are desired, such as blocking all newly created unsigned binaries, consider creating Custom Prevention Rules or Behavioral Indicators of Compromise (BIOCs). These tools allow for tailored security measures that can address unique organizational scenarios.&lt;/SPAN&gt;​&lt;/P&gt;
&lt;/LI&gt;
&lt;LI class="" data-start="1498" data-end="1625"&gt;
&lt;P class="" data-start="1501" data-end="1625"&gt;&lt;STRONG data-start="1501" data-end="1539"&gt;Consult Documentation and Support:&lt;/STRONG&gt; &lt;SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem]"&gt;Familiarize yourself with the latest release notes and documentation to understand any changes in default behaviors or new features. If uncertainties persist, reaching out to Palo Alto Networks support can provide clarity and assistance tailored to your environment.&lt;/SPAN&gt;​&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;P class="" data-start="1627" data-end="1977"&gt;We acknowledge that changes in security product behavior can impact operational workflows. Our goal is to ensure that Cortex XDR provides robust protection while accommodating the specific needs of your organization. Please feel free to share any further observations or questions, and we'll be glad to assist you in optimizing your security posture.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Apr 2025 06:28:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-around-unsigned-binaries-and-cortex-xdr-agent/m-p/1225428#M8164</guid>
      <dc:creator>aspatil</dc:creator>
      <dc:date>2025-04-02T06:28:28Z</dc:date>
    </item>
    <item>
      <title>Re: Question around unsigned binaries and Cortex XDR agent detections</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-around-unsigned-binaries-and-cortex-xdr-agent/m-p/1225477#M8172</link>
<description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/308232"&gt;@aspatil&lt;/a&gt;, can you confirm if there was a change at the detection level of the agent which caused this behavior change?&lt;/P&gt;</description>
      <pubDate>Wed, 02 Apr 2025 16:47:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/question-around-unsigned-binaries-and-cortex-xdr-agent/m-p/1225477#M8172</guid>
      <dc:creator>Luc_Desaulniers</dc:creator>
      <dc:date>2025-04-02T16:47:54Z</dc:date>
    </item>
  </channel>
</rss>

