This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Behavioral threat detected (rule: bioc.sync.critical_termination) Triggered By Known Good Files

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Behavioral threat detected (rule: bioc.sync.critical_termination) Triggered By Known Good Files

jdbst56
L1 Bithead

‎08-06-2024 10:26 AM

Over the past two weeks we have been seeing detections/blocks from the following rule "Behavioral threat detected (rule: bioc.sync.critical_termination)" for known good files 7z2301-x64.exe (7-zip install) and PhotosService.exe (part of built-in Windows Photos app).  We only see the detections on a few systems, many systems have these same files without any detections.  VirusTotal shows both files as clean and WildFire indicates they are benign.  What is causing these detections to keep recurring for Behavioral threat detected (rule: bioc.sync.critical_termination) for these files only on certain systems?

 

We have a case open since early last week but have not made any progress on this issue so I thought I would post here.

0 Likes Likes
3 REPLIES 3

Fm12345
L2 Linker

‎08-07-2024 12:03 AM

While the case is analyzed and If it's a false positive then you can right click on the alert and add alert exception.. select the files based on which you want to add exception. 

 

This would make sure that alert is not triggered again on those files by that specific rule.

 

You can later review your exception based on the case feedback 

0 Likes Likes

jdbst56
L1 Bithead
In response to Fm12345

‎08-07-2024 07:58 AM

Hi, I've added an alert exception for the detected file (PhotosService.exe) but Behavioral threat detected (rule: bioc.sync.critical_termination) is still being triggered when I try to launch the Photos app.

0 Likes Likes

E.Jafarov
L2 Linker
In response to jdbst56

‎11-22-2024 12:15 AM - edited ‎11-22-2024 12:16 AM

Hi jdbst56

You can right click on the alert and go to: manage alert option-> exclude alert.

The agent continues to raise excluded alerts on the endpoint, but they are not saved or displayed in Cortex XDR.

More information about exclusion: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Alert-Exclu...

SmartIT
Preview file
35 KB
0 Likes Likes
  • 524 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks