Cortex XDR agent and EICAR malware test file


L1 Bithead

Hi team,


It feels like I'm missing something, so I would appreciate it if someone could explain to me why the XDR agent on Windows (latest 8.2.1 with block policy) is not reacting to the EICAR malware test file (X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)? I tried a malware scan on the file but the agent reported it clean. I fully realise it's a dummy file but thought XDR still had it in its database for testing purposes.

There's no other AV or EDR solution present on that server, FYI.


The malware test PE file that Palo provides works like a charm by the way.

https://docs.paloaltonetworks.com/advanced-wildfire/administration/configure-advanced-wildfire-analy... 


Any insight will be appreciated, thank you.
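Before concluding that an agent "does not detect EICAR", it is worth confirming that the artefact on disk is actually a spec-conformant EICAR file: the standard requires the exact 68-byte string, optionally followed only by whitespace, with the whole file no longer than 128 bytes, and forum or e-mail formatting routinely strips the backslash or the trailing asterisk. The following Python script is an added example written for this page; it is not code from the thread or from Palo Alto Networks. It validates candidate bytes against those rules, computes the digests a scan log or quarantine entry would show, and explains why a malformed copy would never match a signature. The sample inputs are constructed here; the 68-byte string and its published MD5/SHA-256 are public values from eicar.org.

```python
import hashlib

# Public 68-byte EICAR standard test string (eicar.org). Assembled from two
# halves at runtime so that this source file is not itself the test file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
assert len(EICAR) == 68

# The specification allows only these whitespace bytes after the string,
# with the whole file no longer than 128 bytes.
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")
MAX_LEN = 128

# Published digests of the bare 68-byte form; useful for matching against
# what an agent's scan log or quarantine view reports.
CANONICAL_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
CANONICAL_MD5 = "44d88612fea8a8f36de82e1278abb02f"


def is_valid_eicar(data: bytes) -> bool:
    """True only if `data` is a spec-conformant EICAR test file."""
    if not 68 <= len(data) <= MAX_LEN:
        return False
    if data[:68] != EICAR:
        return False
    return all(b in ALLOWED_TRAILER for b in data[68:])


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 of the candidate file, as hex strings."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(data: bytes) -> str:
    """Say whether a candidate is EICAR and, if not, why a scanner would not match it."""
    if is_valid_eicar(data):
        if digests(data)["sha256"] == CANONICAL_SHA256:
            return "valid EICAR, canonical 68-byte form"
        return "valid EICAR with permitted trailing whitespace (hash differs from canonical)"
    if len(data) > MAX_LEN:
        return "not EICAR: file longer than 128 bytes"
    if data[:68] != EICAR:
        return "not EICAR: the 68-byte string is altered (e.g. a dropped '\\' or '*')"
    return "not EICAR: non-whitespace bytes follow the string"


# Constructed samples for this example (not files from the original thread).
SAMPLES = {
    "canonical": EICAR,
    "with_crlf": EICAR + b"\r\n",
    # The string as it tends to appear after forum formatting eats '\' and '*'.
    "mangled": b"X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H)",
    "appended_text": EICAR + b" some notes",
    "padded_too_long": EICAR + b" " * 70,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} {classify(data)}  sha256={digests(data)['sha256'][:16]}...")
```

Run it against the real file with `classify(open(path, "rb").read())`; if the result is anything but one of the two "valid EICAR" lines, the file was damaged in transit and a clean verdict says nothing about the agent's policy. If it is valid and the agent still reports clean, the behaviour is the product's decision, as the reply below explains.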

2 REPLIES

L3 Networker

Hello @stig_72


Hope you are doing well, and thank you for reaching out to the Live Community. I understand that you are trying to test Cortex XDR with the EICAR file; however, please note that Cortex does not detect this file as malware, for legitimate reasons. I do understand that the EICAR file is used for testing universally, but the fact that it is a dummy file remains constant.

If you would like to test Cortex XDR, you can use our malware test file via the WildFire API; each time you get a new, different malicious hash, which can be used for testing. Please find the link below, thank you:


https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-api/get-wildfire-information-through-the-wil...


If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

It's all good, I figured as much. I suppose it'd be good to have that referenced somewhere in official Palo Alto resources regarding XDR, so one could easily point their clients to it in case there are questions like that. Cheers.
