11-04-2022 03:33 AM
Hi,
A number of our customers has complained about our signed PowerShell scripts being flagged and, in some cases, blocked by Cortex XDR.
The scripts in question can be found here:
https://stream.vulndetect.com/e/task.ps1
https://stream.vulndetect.com/e/functions.ps1
https://stream.vulndetect.com/e/VulnDetectMaintenance.ps1
Other than signing the scripts and asking customers to whitelist our signing certificate (which doesn't seem to suffice), what is the proper cause of actions to help our customers not getting these false positives?
The scripts are used as "wrappers" for running installers to upgrade software installations and doing some maintenance of temporary task folders.
Kind regards,
Tom
SecTeer - https://secteer.com/
VulnDetect - https://vulndetect.org/
11-04-2022 03:53 AM
Hi @VulnDetect ,
These seems to be some scripts which are doing discovery on process actions and hence this is categorised by cortex XDR as a script based attack.
This is a post execution module detection and signer whitelists are not going to work for this. Please ask your customers to create alert exceptions for the same and retrieve the alert data and send it to engineering for investigation and fix. If the engineering declares this as a legit action, they will add the fix in the content updates and once your endpoints get the CU, you can ask to remove the alert exceptions for the same and it should not be blocked.
Hope that answers your question!
Regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
