03-07-2022 11:15 PM
Hello Palo Community,
does anybody know why the Apple SoftwareUpdate.exe got blocked by Cortex XDR today
Or has someone else also encountered this Problem?
In the Community section of VirusTotal I discoverd a comment that Palo Alto apperently changed the status at one point, yet i have some triggers with this software that came in today.
Thank you in advance,
ReisinM
03-08-2022 05:08 PM
Hi @ReisingerM and @AZelle thank you for confirming. The issue has been resolved now.
@MartinPfeil I understand the problems you faced and added the files to the global Allow List as a tactical measure. I'd suggest you can remove them now from the Allow List to prevent it from expanding with time and make it difficult to manage. Allow Lists and Block Lists are short-term measures and should ideally be avoided as a long-term solution.
03-07-2022 11:27 PM
Hi,
yes, I can confirm. This happend yesterday on several hundred machines. But not only SoftwareUpdater.exe was affected, some other obviously clean tools, also.
The verdicts were already changed to benign yesterday in the evening.
Strange behavior which makes me a little nervous. Could happen to critical programs, too.
BR
Andreas
03-08-2022 01:32 AM - edited 03-08-2022 01:33 AM
Hi @ReisingerM and @AZelle this might be due to a potential issue with Wildfire verdicts within the last 24 hrs, which have been re-analyzed and re-categorized appropriately. Can you cross-check and validate if most of those alert types are Detection (Post Detected) or Prevention (Post Detected)?
03-08-2022 01:36 AM
Hello @bbarmanroy indeed all alerts concerning this problem are Detection (Post Detected).
03-08-2022 01:45 AM
I also Posted this in General Topics to see if someone ther was able to confirme my suspicion and i got answere there https://live.paloaltonetworks.com/t5/general-topics/apple-softwareupdate-exe-got-blocked-by-cortex-x...
03-08-2022 01:52 AM
It is benign software, initally identified as malware.
Same thing happend in the last two days for other software updates, like for Epson and HP:
Initially identified as malicious but then the verdict was reversed a few hours later.
Files had to be released manually and hashes had to be added by hand to the whitelist
03-08-2022 05:08 PM
Hi @ReisingerM and @AZelle thank you for confirming. The issue has been resolved now.
@MartinPfeil I understand the problems you faced and added the files to the global Allow List as a tactical measure. I'd suggest you can remove them now from the Allow List to prevent it from expanding with time and make it difficult to manage. Allow Lists and Block Lists are short-term measures and should ideally be avoided as a long-term solution.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
