Cortex XDR multiple local malware analysis alerts on seemingly legit programs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR multiple local malware analysis alerts on seemingly legit programs

L2 Linker

Hi all,

I have a user whose agent generated a significant number of local malware alerts.

However, all of those alerts are generated on legit things like ms teams, vs code, iwconfig etc.

Morever, It's only on this user - those alerts dont pop up on the other few linux users we have.

My questions are this:

-Is there anyway to teach the xdr those are fp?

-Is there any way to check from the xdr itself that those programs are legit? apart from virustotal that is

2 REPLIES 2

L2 Linker

I should add that the user is using ubuntu 21.10 and that the xdr shows that the files are unsigned(signature n/a) in the incident "key assets & artifacts" view

L4 Transporter

Hi Daniel, 

Ive realized that this question of yours was not answered yet. I apologize about it in name of all of us and will try to answer.

When you have a false positive detection you can do several things in this cases "generally speaking": 

1- add the hash to allow list

2- add the signer as a trusted signer

3- create a support exception 

 

In your case and due to the description you have given that just one endpoint user is experiencing this, I might recommend to reinstall the agent in that endpoint or create a support ticket. 

About how to check if a process/file is malware you can use WildFire from Palo Alto (similar to virustotal). 

If within the incients and alerts you go to the key assets and artifacts you should be able to see there the verdict from WildFire (WF) that can be malware or benign... also you should be able to see there some Unit42 blue links that when clicked on will give you more info about the artifact. 

I hope I helped to bring some light to your issue.

KR, 

Luis 

 

  • 3013 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!