Can Wildfire/Cortex XDR be Tweaked From Backend

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Can Wildfire/Cortex XDR be Tweaked From Backend

L1 Bithead

Hi guys,

We get a lot of false positives from Wildfire where it's reporting custom applications used on a "business as usual" (BAU) basis in our environment.  Do you folks know if there are settings from the Wildfire backend that Palo Alto normally adjusts for customers so to decrease the sensitivity of the Wildfire engine where it's not reporting so many false positives?

 

p.s. pardon me if this sounds like a rookie question.

6 REPLIES 6

L3 Networker

Hi  Chukaokonkwo,

 

There are a variety of tuning options within XDR to help reduce False Positives and any adverse impact to normal operations. You can add the sha256 file hash of the application to the allow list located in the Action Center which will allow the applications to execute and therefore override the Wildfire verdict. Within the Malware profile itself you are able to allow PE's and DLL's to run based off of a list of approved signers, or by adding file/folder paths into the allow list for that module. Reference step 3 sub steps 3 and 4 in the documentation linked below for instructions on how to accomplish this.


https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-...

 

Best Regards,

Ben

L5 Sessionator

Hi @chukaokonkwo to add on to what @bbucao suggested for tactical fixes, you should also raise a Verdict Change Request within Cortex XDR console or raise a Support ticket with the hash/sample for a systemic fix. The Wildfire verdicts should reflect the nature of the applications being run. 

L2 Linker

Unfortunatly Wildfire produces a lot of false positives, we have to unblock and whitelist Cygwin binaries in regular intervals. Of course,  I report the incorrect verdict to PA and it is reversed in a short time. But that doesn't help with binaries blocked initally using an incorrect verdict. Apart from adding known hashes to the whitelist, the only workable solution I found out is to exclude known folders from being scanned. Of course, this is not very secure and has it's own issue but it allows our developers to continue with their business

L1 Bithead

Wow, so this high rate of false positives cannot be tweaked from the Palo Alto side of the house huh?? ...you're literally limited to having to create exceptions for the legitimate hashes one-at-a-time?

L3 Networker

Hi Chukaokonkwo,

 

The Wildfire malware team is constantly working to keep up with evolving threats while maintaining a high fidelity rate. The risk of false negatives is generally viewed as more dangerous to an organization than the risk of false positives. Custom applications can at times cause Wildfire (or any sandbox) to flag as malware due to the behavior of the application if it resembles behavior patterns commonly seen in malware. As rare as these false positives may be on a large scale, I understand that it can be frustrating to deal with when they are affecting your organization. For that reason Cortex XDR offers a variety of ways to handle these. If handling these individually by either submitting Verdict Change Requests or adding to a sha256 hash allow list is not feasible or desirable, consider adding the digital signature of your organizations custom applications to the malware profiles allow list, that way any application that is signed by your organization will not be prevented from running by Wildfire.

 

Best Regards,

Ben

Yep we currently have over 2100 "Allowed" hashes (growing 300+ a month) and had to drag our dev team kicking and screaming to sign every tiny little application across the entire environment. And still get about 700 LC alerts a week. 

  • 3019 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!