topic Re: What does it mean Prevented(Blocked) by the Agent XDR? in Cortex XDR Discussions

What does it mean Prevented(Blocked) by the Agent XDR?

david.hernandez — Fri, 20 Aug 2021 05:41:07 GMT

Hi all,

What does the Prevented (Blocked) action of the XDR agent mean? Does the user receive/see any notification?

And, how do I prevent the XDR agent from blocking that key artifact?

Thank you,

David.

Re: What does it mean Prevented(Blocked) by the Agent XDR?

sramesh-7 — Fri, 20 Aug 2021 09:45:05 GMT

Hi,

Based on the policy XDR agent blocks any file which has a verdict as Malware, When the file is blocked user should receive a message from XDR agent pop up window and the same will be reported as alert in XDR Console. You can disable blocking of a file with malware verdict by adding it to allow list or you can also set policies to stop blocking files in a location or type/extension etc based on your requirement - check out this link for allow list

Re: What does it mean Prevented(Blocked) by the Agent XDR?

david.hernandez — Fri, 20 Aug 2021 10:25:55 GMT

Hi Sramesh-7,

Thank you for your quick response.

I added the file to the allow List, which it comes from WildFire Malware.

Some days later, I get a new incident only involved with this Key artifact but from Local Analysis Malware (although the key artifact is in the allow list).
The threat intelligence catalog it as malware.

Is that the behaviour expected? What can I do?

Thank you,

David.

Re: What does it mean Prevented(Blocked) by the Agent XDR?

WSeldenIII — Fri, 20 Aug 2021 14:57:58 GMT

Hi @david.hernandez XDR offers a multi-layer approach to secure your environment, so it is important to understand the file analysis and protection flow (E.g. Phase 3: Hash Verdict Determination). Additional considerations are to review WildFire analysis details, and if you know the WildFire is incorrect, then you can report an incorrect verdict to Palo Alto Networks to request a verdict change.