https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-whoami/m-p/596741#M5770 <P>Hello,</P> <P>&nbsp;</P> <P>I am seeing a weird activity from globalprotect agents where the agent is trying to execute wa3_3rd_party_host.32.exe</P> <P>and the agent after that is executing whoami command.</P> <P>&nbsp;</P> <P>PS: the HIP policy is disabled on the firewall</P> Wed, 04 Sep 2024 11:37:25 GMT BARaha 2024-09-04T11:37:25Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-whoami/m-p/596741#M5770 <P>Hello,</P> <P>&nbsp;</P> <P>I am seeing a weird activity from globalprotect agents where the agent is trying to execute wa3_3rd_party_host.32.exe</P> <P>and the agent after that is executing whoami command.</P> <P>&nbsp;</P> <P>PS: the HIP policy is disabled on the firewall</P> Wed, 04 Sep 2024 11:37:25 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-whoami/m-p/596741#M5770 BARaha 2024-09-04T11:37:25Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-whoami/m-p/597449#M5802 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/87335">@BARaha</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN>wa3_3rd_party_host.32.exe is definitely not a standard or commonly recognized executable associated with GlobalProtect. I would recommend to take a look at the host and determine what the .exe is used for and run a scan. In the mean time, monitor the connections made on that particular host through the monitor traffic as well.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Btw, which panos version are you running on your firewall ?</SPAN></P> Wed, 11 Sep 2024 00:44:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-whoami/m-p/597449#M5802 JayGolf 2024-09-11T00:44:12Z