06-23-2024 09:47 PM
We recently encountered an issue where a user's computer got infected with a USB virus after inserting a USB drive. The virus uses USB Driver.exe to create some directories and malicious programs as shown in the attached image. Additionally, it uses vmnet.exe to load these DLL files. However, Cortex XDR did not block it.
We have already enabled the blocking rules in the Malware settings, but it did not take effect. We also created BIOC rules using the hashes of these files and configured it to block these DLL files when they are loaded [under Restrictions >> Custom Prevention Rules (we have enabled and applied these BIOC rules)], but this method still did not block them.
However, when using another computer without Cortex XDR installed, Windows Defender was able to block this behavior. Is there any other method to make Cortex XDR block this behavior?
IOC Sha256
f985ac059ee73509750b7558e7482d69e37db280b484d1c728efcd49bf6f58a7
fd2a17e747fac2b5fcba3ea714a811baaa83f5c47625579c32b969c574c5ef24
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
986ea546af34333c4b50e64a8b8712aa7643bb74aed8c48c789abcd51972dfaf
06-26-2024 07:15 AM
Hello @kentwuhc
Thanks for reaching out on LiveCommunity. Since this requires investigation of activity to find the root cause please open a support case. Support team will be able to help you with blocking of this malware.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
