We get a lot of false positives from Wildfire where it's reporting custom applications used on a "business as usual" (BAU) basis in our environment. Do you folks know if there are settings on the Wildfire backend that Palo Alto normally adjusts for customers so as to decrease the sensitivity of the Wildfire engine, so that it's not reporting so many false positives?
p.s. pardon me if this sounds like a rookie question.
There are a variety of tuning options within XDR to help reduce false positives and any adverse impact on normal operations. You can add the SHA256 file hash of the application to the allow list located in the Action Center, which will allow the application to execute and therefore override the Wildfire verdict. Within the Malware profile itself you are able to allow PEs and DLLs to run based on a list of approved signers, or by adding file/folder paths to the allow list for that module. Reference step 3, substeps 3 and 4, in the documentation linked below for instructions on how to accomplish this.
Unfortunately Wildfire produces a lot of false positives; we have to unblock and whitelist Cygwin binaries at regular intervals. Of course, I report the incorrect verdict to PA and it is reversed in a short time. But that doesn't help with binaries blocked initially using an incorrect verdict. Apart from adding known hashes to the whitelist, the only workable solution I have found is to exclude known folders from being scanned. Of course, this is not very secure and has its own issues, but it allows our developers to continue with their business.
The Wildfire malware team is constantly working to keep up with evolving threats while maintaining a high fidelity rate. The risk of false negatives is generally viewed as more dangerous to an organization than the risk of false positives. Custom applications can at times cause Wildfire (or any sandbox) to flag them as malware if the behavior of the application resembles behavior patterns commonly seen in malware. As rare as these false positives may be on a large scale, I understand that it can be frustrating to deal with when they are affecting your organization. For that reason Cortex XDR offers a variety of ways to handle these. If handling them individually, by either submitting Verdict Change Requests or adding to a SHA256 hash allow list, is not feasible or desirable, consider adding the digital signature of your organization's custom applications to the Malware profile's allow list; that way any application that is signed by your organization will not be prevented from running by Wildfire.
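To make the trade-off between the three allow-list mechanisms discussed in this thread concrete, here is a small Python model, added as an illustration and not code from the thread, from Palo Alto Networks or from Cortex XDR. It applies a hash allow list, a signer allow list and a folder-path allow list to a file that WildFire has already tagged "malware", in that order, and reports which rule (if any) overrides the verdict. The file contents, paths and the `signer` attribute are constructed for the example; in the real product the signer check is an Authenticode signature check, which this model does not perform, and the actual evaluation order inside Cortex XDR is not documented on this page.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FileSample:
    """A file as the endpoint agent sees it. `signer` is a constructed stand-in
    for the Authenticode subject; no real signature verification happens here."""
    path: str
    content: bytes
    signer: Optional[str] = None


@dataclass
class AllowList:
    """The three tuning knobs named in the thread."""
    hashes: Set[str] = field(default_factory=set)      # Action Center SHA256 allow list
    signers: Set[str] = field(default_factory=set)     # Malware profile approved signers
    paths: List[str] = field(default_factory=list)     # Malware profile file/folder paths


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(sample: FileSample, allow: AllowList, verdict: str) -> Tuple[str, str]:
    """Return (decision, reason). An allow-list hit overrides a 'malware' verdict;
    any other verdict is simply passed through. Order of checks is an assumption."""
    if verdict != "malware":
        return ("allow", "wildfire:" + verdict)
    if sha256_hex(sample.content) in allow.hashes:
        return ("allow", "hash")
    if sample.signer is not None and sample.signer in allow.signers:
        return ("allow", "signer")
    target = PureWindowsPath(sample.path)
    for prefix in allow.paths:
        # PureWindowsPath comparisons are case-insensitive, matching Windows.
        if target.is_relative_to(PureWindowsPath(prefix)):
            return ("allow", "path:" + prefix)
    return ("block", "wildfire:malware")


def demo() -> Dict[str, Tuple[str, str]]:
    # Constructed stand-ins for two builds of the same Cygwin binary and an unrelated file.
    build1 = b"MZ...cygwin bash build 1"
    build2 = b"MZ...cygwin bash build 2"      # any rebuild changes every byte-level hash
    bash_v1 = FileSample(r"C:\cygwin64\bin\bash.exe", build1, signer="CN=Example Corp")
    bash_v2 = FileSample(r"C:\cygwin64\bin\bash.exe", build2, signer="CN=Example Corp")
    dropped = FileSample(r"C:\cygwin64\bin\dropper.exe", b"MZ...unknown", signer=None)

    by_hash = AllowList(hashes={sha256_hex(build1)})
    by_path = AllowList(paths=[r"C:\cygwin64"])
    by_signer = AllowList(signers={"CN=Example Corp"})

    return {
        # Precise, but stale as soon as the binary is rebuilt.
        "v1_hash": evaluate(bash_v1, by_hash, "malware"),
        "v2_hash": evaluate(bash_v2, by_hash, "malware"),
        # Survives rebuilds, but anything dropped into the folder passes too.
        "v2_path": evaluate(bash_v2, by_path, "malware"),
        "dropped_path": evaluate(dropped, by_path, "malware"),
        # Survives rebuilds and does not cover the unsigned dropped file.
        "v2_signer": evaluate(bash_v2, by_signer, "malware"),
        "dropped_signer": evaluate(dropped, by_signer, "malware"),
        # A benign verdict needs no override at all.
        "v1_benign": evaluate(bash_v1, AllowList(), "benign"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The run shows why the replies reach different conclusions: a hash entry allows only the exact bytes it was taken from, so the rebuilt `bash.exe` is blocked again until someone adds the new hash; a folder exclusion keeps developers working across rebuilds but also lets an unknown `dropper.exe` in the same folder run; a signer entry covers the rebuild without covering the unsigned file, which is the reason the last reply recommends it over per-hash handling when the application is signed by your organization.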