Inconsistent AnyDesk Detection in Cortex XDR

M.Erkenci — Sat, 21 Mar 2026 21:48:43 GMT

Hi everyone,

I'm observing inconsistent detection behavior in Cortex XDR during weekly on-demand scans related to the AnyDesk application.

On some endpoints, AnyDesk is detected as "Suspicious executable detected", while on others no alert is generated, even though the application is present.

One common pattern we observed is that the alerts are triggered when AnyDesk is executed from the following path:
C:\Users\user123\Downloads\AnyDesk.exe

Additionally, the file hash appears to be the same across both detected and non-detected endpoints.

Why is this detection triggered on some machines while not triggered on others?

Re: Inconsistent AnyDesk Detection in Cortex XDR

susekar — Mon, 23 Mar 2026 14:21:46 GMT

Hello @M.Erkenci ,

Greetings for the day.

Inconsistent detection behavior for the AnyDesk application during on-demand or periodic scans—especially when the file hash is identical across endpoints—is usually caused by differences in policy, verdict handling, or alert visibility rather than the file itself.

Potential Causes for Inconsistent Detection

1. Malware Security Profile Settings (Local Analysis)

If the WildFire verdict for the AnyDesk hash is “Unknown” or “Benign – Low Confidence”, the Cortex XDR agent may rely on Local Analysis.

If “Run Local Analysis” is enabled, endpoints can evaluate the file differently based on:
- Local engine state
- Cached intelligence
Result: One machine flags it as suspicious, another does not.

2. “Treat Grayware as Malware” Setting

AnyDesk is often classified as grayware / PUA (Potentially Unwanted Application).

If “Treat Grayware as Malware” is:
- Enabled → alerts like “Suspicious executable detected”
- Disabled → no alert

Differences in this setting across profiles will directly cause inconsistent detections.

3. Regional WildFire Verdict Differences

Cortex XDR uses regional WildFire verdicts.

The same file hash may be:
- Malicious/Suspicious in one region
- Benign/Unknown in another

This can lead to different detection outcomes across geographically distributed endpoints.

4. Alert Exclusions

Detection may still occur, but alerts can be hidden.

If an Alert Exclusion exists for:
- The AnyDesk file/path, or
- The “Detected (Scanned)” action
  → The alert is suppressed in the console.

5. Digital Signer Restrictions

Executables can be flagged based on signer trust.

If AnyDesk’s signer is:
- Not trusted
- Explicitly restricted
  → The file may be marked as suspicious on some endpoints.

6. Path Sensitivity (Downloads / Temp)

Files executed from higher-risk directories are more likely to be flagged.

Examples:

C:\Users\<user>\Downloads
Temp directories

Same file in:

Downloads → more likely flagged
Program Files → less likely flagged

Recommended Troubleshooting Steps

1. Check WildFire Verdict

Search the SHA256 hash in Cortex XDR
Confirm:
- Verdict (Malicious / Suspicious / Unknown / Benign)
- Confidence level

2. Compare Malware Security Profiles

Review profiles assigned to affected vs. unaffected endpoints:

On-demand scan settings
Periodic scan configuration
Local Analysis behavior for:
- Unknown files
- Low-confidence benign files
Treat Grayware as Malware setting

3. Review Alert Exclusions

Navigate to:

Settings → Configuration → Exception Configurations → Alert Exclusions

Check for rules affecting:

AnyDesk filename or path
“Detected (Scanned)” alerts

4. Verify Digital Signer Handling

Inspect alert details
If triggered by signer restriction:
- Add the AnyDesk signer to Trusted Signers in the Malware Profile (if appropriate)

5. Examine Agent Logs

If inconsistency persists:

Collect a Tech Support File (TSF)
Review trapsd.log for:
- Verdict codes (e.g., unknown verdicts)
- Connectivity issues preventing verdict updates.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Inconsistent AnyDesk Detection in Cortex XDR in Cortex XDR Discussions