Cortex XDR and windows Install folder

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR and windows Install folder

L1 Bithead

Hello, 

we started to have Cortex XDR alerts for *.tmp files, which refer to the C:\Windows\Install folder.

e.g. C:\Windows\Installer\MSI53B1.tmp

Wildfire report says its Malware based probably on the:

 

 
 

 

Attempted to sleep for a long period | Medium
Malware analysis environments have a limited amount of time in which to execute code and deliver a verdict. To subvert this process, malware often delays execution, or "sleeps," for a long period, allowing it to avoid detection.

Created or modified a file in the Windows system folder | Medium
The Windows system folder contains configuration files and executables that control the underlying functions of the system. Malware often modifies the contents of this folder to manipulate the system, establish persistence, and avoid detection.

 

 

Interesting thing is that this folder does not exists on any of reported machines, incl. hidden folders.
Can anyone explain me a little bit more what is the folder \Install for and why we cannot see it?
Does windows cleans after some patch update / bundle update, but this stays in memmory and Cortex Agent is able to dig it out? 


I can report it as an incorrect verdict, but firstly would like to know..

Thank you.
Lukas

 

 

 

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions

L5 Sessionator

@LukasB Mark the incident as Resolved - False Positive since you're aware this is the case. There is no need to exclude any folder from Malware scans as you correctly stated - malicious actors can use temporary directories for staging and short-lived persistence.

Furthermore, XDR Agents will monitor all running processes, raise alerts, perform detection/blocking actions and/or create incidents , whether or not the corresponding files were scanned in disk, and will flag accordingly upon execution.

View solution in original post

3 REPLIES 3

L2 Linker

Hi LukasB,

 

Typically during an application install, it will create tmp file just like what you see, then after the install, it will clean those temp files that's why its gone. During that time of install execution, XDR will do its checking, thats the reason why you see those alerts.

That's exactly what I thought.... what is the best practice? Exclude the folder from malware scan or... ? creating an exception can be potentially dangerous

L5 Sessionator

@LukasB Mark the incident as Resolved - False Positive since you're aware this is the case. There is no need to exclude any folder from Malware scans as you correctly stated - malicious actors can use temporary directories for staging and short-lived persistence.

Furthermore, XDR Agents will monitor all running processes, raise alerts, perform detection/blocking actions and/or create incidents , whether or not the corresponding files were scanned in disk, and will flag accordingly upon execution.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!