Can Wildfire/Cortex XDR be Tweaked From Backend

L1 Bithead

Hi guys,

We get a lot of false positives from Wildfire where it's reporting custom applications used on a "business as usual" (BAU) basis in our environment.  Do you folks know if there are settings from the Wildfire backend that Palo Alto normally adjusts for customers so to decrease the sensitivity of the Wildfire engine where it's not reporting so many false positives?

p.s. pardon me if this sounds like a rookie question.

6 REPLIES

L3 Networker

Hi Chukaokonkwo,

There are a variety of tuning options within XDR to help reduce false positives and any adverse impact to normal operations. You can add the SHA256 file hash of the application to the allow list located in the Action Center, which will allow the applications to execute and therefore override the WildFire verdict. Within the Malware profile itself you are able to allow PEs and DLLs to run based off of a list of approved signers, or by adding file/folder paths into the allow list for that module. Reference step 3, sub-steps 3 and 4, in the documentation linked below for instructions on how to accomplish this.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-...

Best Regards,

Ben

L5 Sessionator

Hi @chukaokonkwo, to add on to what @bbucao suggested for tactical fixes, you should also raise a Verdict Change Request within the Cortex XDR console or raise a Support ticket with the hash/sample for a systemic fix. The WildFire verdicts should reflect the nature of the applications being run.

L1 Bithead

Unfortunately WildFire produces a lot of false positives; we have to unblock and whitelist Cygwin binaries at regular intervals. Of course, I report the incorrect verdict to PA and it is reversed in a short time. But that doesn't help with binaries blocked initially using an incorrect verdict. Apart from adding known hashes to the whitelist, the only workable solution I found is to exclude known folders from being scanned. Of course, this is not very secure and has its own issues, but it allows our developers to continue with their business.
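The two replies above describe two different overrides: a SHA256 hash allow list (Action Center) and a folder exclusion in the Malware profile. The following is an added example, not Palo Alto Networks code and not the thread's own, that models why the hash allow list is the safer of the two: a hash override only ever matches the exact known-good binary, whereas a folder exclusion lets anything dropped into that folder run. The override order (hash first, then folder) and the `decide` function are assumptions made for the demo; the "binaries" are constructed byte strings standing in for Cygwin executables, and the only real API used is `hashlib.sha256`, which produces the same value `Get-FileHash -Algorithm SHA256` would give for a real file.

```python
"""Model the hash allow list vs. folder exclusion trade-off discussed in the thread."""
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-ins for Cygwin binaries that receive false-positive verdicts.
# In practice you would read the real files from disk; these bytes exist only for the demo.
KNOWN_GOOD = {
    r"C:\cygwin64\bin\bash.exe": b"MZ\x90\x00 stand-in for bash.exe",
    r"C:\cygwin64\bin\ls.exe":   b"MZ\x90\x00 stand-in for ls.exe",
}


def sha256_hex(data: bytes) -> str:
    """SHA256 hex digest: the identifier an Action Center hash allow list is keyed on."""
    return hashlib.sha256(data).hexdigest()


def build_hash_allow_list(files: dict) -> set:
    """One-time inventory of known-good binaries -> set of SHA256 hashes to allow-list."""
    return {sha256_hex(content) for content in files.values()}


def under_excluded_folder(path: str, excluded_dirs) -> bool:
    """True if path sits anywhere below one of the excluded folders.

    PureWindowsPath compares case-insensitively, matching Windows semantics.
    """
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(d) in parents for d in excluded_dirs)


def decide(path: str, content: bytes, wildfire_verdict: str,
           hash_allow=frozenset(), excluded_dirs=()):
    """Simplified (assumed) override order: hash allow list first, then folder exclusion.

    Returns (action, reason) so the caller can see which override fired.
    """
    if wildfire_verdict != "malware":
        return ("run", "verdict benign")
    if sha256_hex(content) in hash_allow:
        return ("run", "hash on allow list")
    if under_excluded_folder(path, excluded_dirs):
        return ("run", "folder excluded from scanning")
    return ("block", "malware verdict, no override")


def demo() -> dict:
    """Compare both overrides against the same false-positive verdict."""
    allow = build_hash_allow_list(KNOWN_GOOD)
    bash_path = r"C:\cygwin64\bin\bash.exe"
    real_bash = KNOWN_GOOD[bash_path]
    # Constructed: a tampered or attacker-supplied file dropped into the excluded folder.
    tampered = b"MZ\x90\x00 something else entirely"
    return {
        # Legitimate binary, wrong verdict: both overrides let it run.
        "legit_hash": decide(bash_path, real_bash, "malware", hash_allow=allow),
        "legit_folder": decide(bash_path, real_bash, "malware",
                               excluded_dirs=[r"C:\cygwin64\bin"]),
        # Tampered binary in the same path: hash override still blocks it...
        "tampered_hash": decide(bash_path, tampered, "malware", hash_allow=allow),
        # ...but a folder exclusion waves it through. This is the weakness noted above.
        "tampered_folder": decide(bash_path, tampered, "malware",
                                  excluded_dirs=[r"C:\cygwin64\bin"]),
        # A malware verdict outside the excluded folder is still blocked.
        "outside_folder": decide(r"C:\Users\dev\Downloads\dropper.exe", tampered,
                                 "malware", excluded_dirs=[r"C:\cygwin64\bin"]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

The practical consequence matches the complaint in the post above: after every Cygwin update the hashes change, so the hash allow list has to be regenerated (rerun the inventory step over the new binaries), while the folder exclusion needs no maintenance but also protects nothing that lands in that folder.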

L1 Bithead

Wow, so this high rate of false positives cannot be tweaked from the Palo Alto side of the house huh?? ...you're literally limited to having to create exceptions for the legitimate hashes one-at-a-time?