05-10-2022 10:08 AM
Attached images show the pop-up that is going around our network this morning. Unlike before where it would list the program Cortex blocks there is nothing there and is pointing at Microsoft for the cause.
Is this a false positive? A windows service is triggering Cortex to block the behavioral threat?
05-10-2022 02:23 PM
Has there been any resolution yet? We are experiencing the same...
05-10-2022 02:36 PM
@KPaschall No specific fix other than Palo Alto has confirmed it is a False Positive and they are working on a solution.
In the meantime they suggested creating an exception. However, when I created a Global Process Exception using 'smss.exe' as the process, we saw an alert about 7 or 8 minutes later on a remote laptop. So I am not sure if this exception is properly excluding what it needs to exclude. As far as I can see in the alerts/incidents in the GUI... there is no specific named 'process'. Just the file. So it might be working correctly, but I can't say for sure.
05-10-2022 02:41 PM
I also have this information to add from Palo Alto Networks support... as of 5:30 PM US Eastern Daylight Time
----
- Content Update 510, will provide a fix [in] approximately 1 hour
- Content Update 500, will provide a fix [in] approximately 12 hours
As a workaround please create an alert exception for now reference
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/exception...
To do this,
1. Go to Incident Response > Incidents.
2. Right-click on the Behavioral Threat Incident then click View Incident.
3. Under Alerts & Insights, look for the Behavior threat alert for the process.
4. Right-click on the alert then click Create alert exception.
5. Select the Exception Scope. You can assign it to a specific profile or set it to Global, then click Add.
Once the fix is out, you can then remove the exception.
---
05-10-2022 02:47 PM
One issue, as I mentioned previously, is that the process is not specifically named in the incident as far as I can see. Only the file name of smss.exe. So that file name is what I used as a process name. Unclear if that is working since we did see one more alert 7 or 8 minutes after creating the Process Exception.
05-11-2022 07:34 AM
An update from Palo Alto... content version 510-90618 has been released and should address the issue.
-K
05-12-2022 06:50 AM
Hi All,
The alert for the BTP rule mentioned above has been confirmed to be a false positive, and a fix has been implemented in content update version 510-90618. This content version was released on May 11, 2022 around 10:00 AM EST. Please ensure that you are configured to receive the latest content updates by reviewing the Agent Setting Profile - Content Configuration setting applied to your endpoints. If you experience any additional operational impact, then you may raise a support case to determine next steps.
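The thread leaves an analyst with two practical questions: which of the smss.exe Behavioral Threat alerts are the confirmed false positive (endpoint still on content older than 510-90618), and which endpoints still need the temporary exception before it can be removed. The script below is an added example, not Palo Alto Networks code or the Cortex XDR export format; the alert records, their field names and the endpoint names are constructed for illustration. It encodes only what the thread states: the fix is in content version 510-90618, and the thread gives no fix build for the 500 train, so alerts from endpoints on that train are reported as unknown rather than guessed.

```python
"""Triage helper for the smss.exe Behavioral Threat false positive discussed above.

Added example. The Alert fields below are an assumed, simplified shape; they are
not the Cortex XDR alert schema, and every sample record is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Content version that carries the fix, as stated in the thread.
FIXED_CONTENT_VERSION = "510-90618"


def parse_content_version(ver: str) -> tuple[int, int]:
    """Split a content version such as '510-90618' into (train, build)."""
    train, build = ver.strip().split("-", 1)
    return int(train), int(build)


def is_fixed(ver: str) -> Optional[bool]:
    """True if the endpoint's content includes the fix, False if it predates it,
    None if the thread gives no fix build for that train (the 500 train)."""
    train, build = parse_content_version(ver)
    fixed_train, fixed_build = parse_content_version(FIXED_CONTENT_VERSION)
    if train < fixed_train:
        return None  # fix build for the 500 train is not given on the page
    if train > fixed_train:
        return True
    return build >= fixed_build


@dataclass
class Alert:
    endpoint: str
    category: str         # e.g. "Behavioral Threat"
    file_name: str        # the alert names the file, not a distinct process name
    content_version: str  # content version active on the endpoint at alert time


def classify(alert: Alert) -> str:
    """Return 'known_fp', 'review', 'unknown' or 'normal' for one alert.

    Only Behavioral Threat alerts on smss.exe are candidates for the false
    positive; an smss.exe alert raised on fixed content is not explained by it
    and must be reviewed on its own merits."""
    if alert.category != "Behavioral Threat" or alert.file_name.lower() != "smss.exe":
        return "normal"
    fixed = is_fixed(alert.content_version)
    if fixed is True:
        return "review"
    if fixed is None:
        return "unknown"
    return "known_fp"


def endpoints_by_status(alerts: list[Alert]) -> dict[str, list[str]]:
    """Group endpoint names by classification, deduplicated and sorted, so the
    'known_fp' bucket doubles as the list of endpoints still needing the
    temporary exception (remove it once that bucket is empty)."""
    buckets: dict[str, set[str]] = {}
    for alert in alerts:
        buckets.setdefault(classify(alert), set()).add(alert.endpoint)
    return {status: sorted(names) for status, names in buckets.items()}


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    Alert("LAPTOP-01", "Behavioral Threat", "smss.exe", "510-90600"),
    Alert("LAPTOP-02", "Behavioral Threat", "smss.exe", "510-90618"),
    Alert("SERVER-03", "Behavioral Threat", "smss.exe", "500-88000"),
    Alert("LAPTOP-01", "Behavioral Threat", "other.exe", "510-90600"),
]

if __name__ == "__main__":
    for status, names in endpoints_by_status(SAMPLE_ALERTS).items():
        print(f"{status}: {', '.join(names)}")
```

Running the block prints one line per bucket; LAPTOP-01 lands in known_fp (and in normal for its unrelated alert), LAPTOP-02 in review because it fired on fixed content, and SERVER-03 in unknown because the thread does not say which 500-train build carries the fix.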