Cortex XDR: False Positive detection of VulnDetect scripts

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR: False Positive detection of VulnDetect scripts

L0 Member

Hi,

 

A number of our customers has complained about our signed PowerShell scripts being flagged and, in some cases, blocked by Cortex XDR.

 

The scripts in question can be found here:

https://stream.vulndetect.com/e/task.ps1

https://stream.vulndetect.com/e/functions.ps1

https://stream.vulndetect.com/e/VulnDetectMaintenance.ps1

 

Other than signing the scripts and asking customers to whitelist our signing certificate (which doesn't seem to suffice), what is the proper cause of actions to help our customers not getting these false positives?

 

The scripts are used as "wrappers" for running installers to upgrade software installations and doing some maintenance of temporary task folders.

 

Kind regards,

 

Tom

SecTeer - https://secteer.com/

VulnDetect - https://vulndetect.org/

1 REPLY 1

L5 Sessionator

Hi @VulnDetect ,

 

These seems to be some scripts which are doing discovery on process actions and hence this is categorised by cortex XDR as a script based attack.

This is a post execution module detection and signer whitelists are not going to work for this. Please ask your customers to create alert exceptions for the same and retrieve the alert data and send it to engineering for investigation and fix. If the engineering declares this as a legit action, they will add the fix in the content updates and once your endpoints get the CU, you can ask to remove the alert exceptions for the same and it should not be blocked. 

 

Hope that answers your question!

 

Regards

  • 1339 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!