Cortex XDR has Blocked a Malicious Activity but No Program Listed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR has Blocked a Malicious Activity but No Program Listed

L0 Member

Attached images show the pop-up that is going around our network this morning.  Unlike before where it would list the program Cortex blocks there is nothing there and is pointing at Microsoft for the cause.

 

Is this a false positive?  A windows service is triggering Cortex to block the behavioral threat?

20 REPLIES 20

Has there been any resolution yet? We are experiencing the same...

L2 Linker

@KPaschall   No specific fix other than Palo Alto has confirmed it is a False Positive and they are working on a solution.

 

In the meantime they suggested creating an exception. However, when I created a Global Process Exception using 'smss.exe' as the process, we saw an alert about 7 or 8 minutes later on a remote laptop.     So I am not sure if this exception is properly excluding what it needs to exclude.  As far as I can see in the alerts/incidents in the GUI.. there is no specific named 'process'.   Just the file. So it might be working correctly, but I can't say for sure.

L2 Linker

I also have this information to add from Palo Alto Networks support.... as of 5:30 PM US Eastern Daylight Time

----

- Content Update 510, will provide a fix [in] approximately 1 hour
- Content Update 500, will provide a fix [in] approximately 12 hours

As a workaround please create an alert exception for now reference

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exception...

To do this,

1. Go to Incident Response > Incidents.
2. Right-click on the Behvaioral Threat Incident then click View Incident.
3. Under Alerts & Insights, look for the Behavior threat alert for the process.
4. Right-click on the alert then click Create alert exception.
5. Select the Exception Scope. You can assign it to a specific profile or set it to Global, then click Add.

Once the fix is out, you can then remove the exception.

---

L2 Linker

One issue, as I mentioned previously, is that the process is not specifically named in the incident as far as I can see.  Only the file name of smss.exe.  So that file name is what I used as a process name.  Unclear if that is working since we did see one more alert 7 or 8 minutes after creating the Process Exception.

L2 Linker

An update from Palo Alto..  content version 510-90618 has been released and should address the issue.

 

-K

Hi All, 

 

The alert for the BTP rule mentioned above has been confirmed to be a false positive, and a fix has been implemented in content update version 510-90618. This content version was release on May 11, 2022  around 10:00 AM EST.  Please ensure that you are enable configured to receive the latest content updates by reviewing the Agent Setting Profile - Content Configuration setting applied to your endpoints. If you experience any additional operational impact, then you may raise a support case to determine next steps. 

  • 18691 Views
  • 20 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!