02-16-2022 06:48 AM
Hello,
we started to have Cortex XDR alerts for *.tmp files, which refer to the C:\Windows\Install folder.
e.g. C:\Windows\Installer\MSI53B1.tmp
Wildfire report says its Malware based probably on the:
Attempted to sleep for a long period | Medium
Malware analysis environments have a limited amount of time in which to execute code and deliver a verdict. To subvert this process, malware often delays execution, or "sleeps," for a long period, allowing it to avoid detection.
Created or modified a file in the Windows system folder | Medium
The Windows system folder contains configuration files and executables that control the underlying functions of the system. Malware often modifies the contents of this folder to manipulate the system, establish persistence, and avoid detection.
Interesting thing is that this folder does not exists on any of reported machines, incl. hidden folders.
Can anyone explain me a little bit more what is the folder \Install for and why we cannot see it?
Does windows cleans after some patch update / bundle update, but this stays in memmory and Cortex Agent is able to dig it out?
I can report it as an incorrect verdict, but firstly would like to know..
Thank you.
Lukas
Thank you.
02-17-2022 06:14 PM
@LukasB Mark the incident as Resolved - False Positive since you're aware this is the case. There is no need to exclude any folder from Malware scans as you correctly stated - malicious actors can use temporary directories for staging and short-lived persistence.
Furthermore, XDR Agents will monitor all running processes, raise alerts, perform detection/blocking actions and/or create incidents , whether or not the corresponding files were scanned in disk, and will flag accordingly upon execution.
02-16-2022 08:35 AM
Hi LukasB,
Typically during an application install, it will create tmp file just like what you see, then after the install, it will clean those temp files that's why its gone. During that time of install execution, XDR will do its checking, thats the reason why you see those alerts.
02-17-2022 01:00 AM
That's exactly what I thought.... what is the best practice? Exclude the folder from malware scan or... ? creating an exception can be potentially dangerous
02-17-2022 06:14 PM
@LukasB Mark the incident as Resolved - False Positive since you're aware this is the case. There is no need to exclude any folder from Malware scans as you correctly stated - malicious actors can use temporary directories for staging and short-lived persistence.
Furthermore, XDR Agents will monitor all running processes, raise alerts, perform detection/blocking actions and/or create incidents , whether or not the corresponding files were scanned in disk, and will flag accordingly upon execution.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
