11-11-2021 09:38 PM
We have observed that cortex XDR always blocks the code written in microsoft visual studio. General codes in C language like Hello world and addtion of two numbers is also geeting blocked in local analysis and it takes a lot of time to get verdict from wildfire to allow it. Usually whenever developer is running in debug mode this issue is faced and in debug they need to frequently change codes and debug it. When i discussed with one of palo alto support techinicial he suggested to whitelist the workspace folders or add signature and allow it which is not feasible solution as workspace paths keep changing per systems and users. Similar issue we observred for python codes also and after wildfire check that code shows as malware (false positive as many time when we report it as incorrect verdict gets changed).
Is there anyone who also faces same issue and found solution on this please help on this.
Thanks in advance.
Cortex XDR
11-12-2021 06:49 AM - edited 11-12-2021 06:50 AM
Hi Tejasp04,
I see here several things to do.
Hint: From key artifacts of the incident/alert open the WF report and on the upper right corner you can click to report the incorrect WF verdict.
I hope this helps
Good weekend,
Luis
11-22-2021 10:08 PM
Hi Eluis,
Thanks for your reponse.
I've checked above documents/article for exception profile and signer exception. But unfortunetly it didnt worked in my organization. As developer are creating exe by compiling the codes and running those directly, so signatures they are not addin g there and not required in there projects. For local analysis exception as checked visual code application is running/compiling that codes and geneating exe with powershell.exe process and creating exception for powershell.exe is not recommended in our org as it might lead to any other threat execution.
Very strange behaviour of XDR i observed when 1 developer was compiling and running code through visual code application. same code was generating diff hash valued exe every time so xdr was taking long time for analysis and it was in evaluation status for every time. So there are such case where user is frequenlty creating and running exe's and it not feasible every time to ask wildfire to recheck verdicts.
Is there anything which we can check more on this or creating exceptions is only way to resolve these issues.
Thanks in advance 😀
11-22-2021 11:59 PM
Hi Tejasp04,
in this case I could recommend opening a support ticket. It might be that you need a support exception for your specific scenario.
At this point I believe this is the best option, this should solve your issue.
KR,
Luis
08-24-2022 07:25 AM
Hi Teja,
Have u found any way for this , we are also facing the same issue
08-24-2022 08:56 PM
Hi Anil,
Discussed same with support team multiple times and they are only suggesting to add exception rules in profile for affected user.
Adding Exceptipon profile worked in our case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
