Cortex does not block Windows binaries

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex does not block Windows binaries

L2 Linker

To mitigate cve-2022-30190 i wanted to add the file hashes of the msdt.exe binary to the blocklist; but with no effect until now.
The hashes occure in the logfile of the agent below hashcontrol as enabled, but verdict has a value "0".
Is it possible, that windows binaries are excluded from blocking by default?
i decided to block the binary for mitigation, because it's a minimal-invasiv approach, which can be reverted quickly if the issue is patched.

2 REPLIES 2

L0 Member

Te sugiero sigas los siguientes pasos publicados por Microsoft hasta que tengas una respuesta por parted e Cortex Palo Alto.

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-... 

L2 Linker

Hello,

as Luc mentioned here (https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cve-2022-30190-microsoft-support-diagnos... ) the use of custom prevention rules  with the BIOC works lika a charm here.

So, this will be my solution until PA or Microsoft deliver a proper one. (Which, for PA, might be a BIOC, too 😉 )

  • 2468 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!