12-31-2021 12:45 PM
We use an on-site vulnerability scanner that started triggering behavioral alerts on Cortex endpoints on Monday. These scans were disabled since they were very disruptive with some endpoints just reporting the issue and others blocking the scan. All endpoints received the pop-up alerting them to danger. These scans have been running since before we adopted Cortex and I am going to guess that an update from the scanning vendor added a detection for something new that triggers this alert since Palo updates come out on Wednesday. The behavior alert references "heuristic.b.205", but I am not sure where you find out more info about what that means. I can see the IP address in the alert that shows what system (i.e. the vulnerability scanner) initiated the string of events that triggered the alert.
I reviewed the documentation and see where you can add an exception for a behavioral alert. I can see on the console where I could add the initiator to the allow list. But I don't think I want to do this since these Microsoft binaries could be used for dangerous activities. Instead I would want to allow this activity only when initiated by this IP address. Going one step further I think we may just need to set up Cortex so we do not block activities from this specific IP address. I do not see any info in the documentation or this forum on how you might have an allow list that applies to an IP address. Any suggestions?
01-03-2022 10:13 AM
Content Update version 320-79444 seems to fix this False-Positive alert.
12-31-2021 12:54 PM
As luck would have it I cannot duplicate the issue now that I am back in town on test systems. I did add the IP address to the malware profile under "Respond to Malicious Causality Chains", but I am not sure if this will resolve this issue. The Action Center does not show the IP address of the security scanner as being blocked, but I don't know if that resets after some period of time.
01-03-2022 01:33 AM
Hi @EddieRowe
heuristic.b.205 - POWERSHELL DOWNLOAD CRADLES.
What do you mean by "Instead I would want to allow this activity only when initiated by this IP address"? Do you want to allow/block this BTP from a specific group of endpoints?
01-07-2022 01:16 PM
I was looking for a way to exclude behavior protection from the IP address that is used by the scanner.
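One way to triage these alerts the way the thread describes, exempting only the scanner's initiator IP for this one heuristic instead of allow-listing powershell.exe for everyone, as an added Python example that is not Cortex XDR's own configuration or API. The alert records, their field names, the scanner address and the scan window are all constructed for the example.

```python
from datetime import datetime, time
from ipaddress import ip_address

# Constructed alert records. The field names are assumptions for this example,
# not Cortex XDR's real alert schema.
SAMPLE_ALERTS = [
    {"id": 1, "heuristic": "heuristic.b.205", "initiator_ip": "10.20.30.40",
     "process": "powershell.exe", "endpoint": "wks-017", "time": "2021-12-27T22:10:00"},
    {"id": 2, "heuristic": "heuristic.b.205", "initiator_ip": "10.20.30.41",
     "process": "powershell.exe", "endpoint": "wks-018", "time": "2021-12-27T22:12:00"},
    {"id": 3, "heuristic": "heuristic.b.205", "initiator_ip": "10.20.30.40",
     "process": "powershell.exe", "endpoint": "wks-019", "time": "2021-12-28T09:30:00"},
    {"id": 4, "heuristic": "heuristic.b.101", "initiator_ip": "10.20.30.40",
     "process": "cmd.exe", "endpoint": "wks-020", "time": "2021-12-27T22:15:00"},
]

SCANNER_IP = ip_address("10.20.30.40")      # assumed scanner address
SCOPED_HEURISTICS = {"heuristic.b.205"}     # only the BTP the scanner is known to trip
SCAN_WINDOW = (time(21, 0), time(23, 59))   # assumed scheduled scan window

def in_scan_window(ts, window=SCAN_WINDOW):
    """True when the alert timestamp falls inside the scheduled scan window."""
    t = datetime.fromisoformat(ts).time()
    return window[0] <= t <= window[1]

def triage(alerts, scanner_ip=SCANNER_IP, scoped=SCOPED_HEURISTICS):
    """Return (expected_ids, investigate_ids). An alert is 'expected' only when
    all three conditions hold: the heuristic is one the scanner is known to
    trigger, the causality chain was initiated from the scanner IP, and it fell
    inside the scan window. Everything else, including the same binary initiated
    from another host or the scanner IP outside its window, stays for review."""
    expected, investigate = [], []
    for a in alerts:
        if (a["heuristic"] in scoped
                and ip_address(a["initiator_ip"]) == scanner_ip
                and in_scan_window(a["time"])):
            expected.append(a["id"])
        else:
            investigate.append(a["id"])
    return expected, investigate

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))   # ([1], [2, 3, 4])
```

Narrowing the exemption to heuristic plus initiator IP plus scan window keeps a download-cradle alert from any other host, or from the scanner address at an unexpected time, in the investigate queue.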