Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-25-2022 10:53 PM
Hello everybody,
in the night from yesterday to today Cortex XDR disabled and quarantined TeamViewer (tv_x64.exe to be more specific) on a lot of our devices. We are using TeamViewer to offer support to our external offices. Does anybody else have this problem or might know why this got triggerd all of a sudden.
Thank you in advance,
ReisingerM
08-25-2022 11:28 PM
Hi @ReisingerM
Are you able to see which component of XDR agent is blocking file?
The immediate workaround is, if the blocked file is trusted one, you can create exclusion for it to prevent from being blocked.
Refer below article for same.
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...
Aside to above, if the wildfire module is the one blocking the file here, you can also request a verdict review for a sample as per this documentation here under "Report an incorrect verdict to Palo Alto Networks":
You could also create file level exclusions in Malware profile policy. This will help to exclude the file even when the file hash changed as part of its software updates.
Refer STEP 3 in link : https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-...
I hope that helps to address your problem here.
However you can still log a case with support to get more help.
08-25-2022 11:28 PM
Hi @ReisingerM
Are you able to see which component of XDR agent is blocking file?
The immediate workaround is, if the blocked file is trusted one, you can create exclusion for it to prevent from being blocked.
Refer below article for same.
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...
Aside to above, if the wildfire module is the one blocking the file here, you can also request a verdict review for a sample as per this documentation here under "Report an incorrect verdict to Palo Alto Networks":
You could also create file level exclusions in Malware profile policy. This will help to exclude the file even when the file hash changed as part of its software updates.
Refer STEP 3 in link : https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-...
I hope that helps to address your problem here.
However you can still log a case with support to get more help.
08-25-2022 11:39 PM
Hello Creddy,
thank you for your fast answer. It did get blocked by the Wildfire module but the way i see it PaloAlto already adressed this issue since the WildFire Verdict changed back to bening.
Thank you for your help.
08-26-2022 12:08 AM
Hi @creddy
Even we too facing this issue.
Alert name: Wildfire malware
Category: Malware
Module: WildFire post detection
Files are identified as malware, only to be analyzed in WildFire and come back as benign, these files remain as verdict "Malware". Is it possible to explain "wildfire post detection" module logic ?
Thanks
08-26-2022 01:02 AM - edited 08-26-2022 01:03 AM
Hi @MithunKT
I hope this detection issue already resolved at your side.
To cross check, you can try to re execute the program again. Agent should not throw alerts any more for this particular file.
However If you are still getting issues, perform Agent checkin or wait for 5 min at least to allow the agent to perform heartbeat with servers to fetch new policies. This should ideally solve the problem here.
Aside to above, this kind of post detection will happen in some rare cases.
If you need any more information on this matter, I believe it will be good to log a support case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
