I have a user whose agent generated a significant number of local malware alerts.
However, all of those alerts are generated on legit things like MS Teams, VS Code, iwconfig, etc.
Moreover, it's only on this user; those alerts don't pop up on the other few Linux users we have.
My questions are these:
- Is there any way to teach the XDR that those are FP?
- Is there any way to check from the XDR itself that those programs are legit? Apart from VirusTotal, that is.
I've realized that this question of yours was not answered yet. I apologize for it on behalf of all of us and will try to answer.
When you have a false positive detection, you can do several things in these cases, "generally speaking":
1- add the hash to the allow list
2- add the signer as a trusted signer
3- create a support exception
In your case, and given your description that just one endpoint user is experiencing this, I might recommend reinstalling the agent on that endpoint or creating a support ticket.
About how to check if a process/file is malware, you can use WildFire from Palo Alto (similar to VirusTotal).
If within the incidents and alerts you go to the key assets and artifacts, you should be able to see there the verdict from WildFire (WF), which can be malware or benign... Also, you should be able to see there some Unit42 blue links that, when clicked on, will give you more info about the artifact.
I hope I helped to bring some light to your issue.
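The three options listed in the reply (hash allow list, trusted signer, support exception) applied as a local triage pass over an alert export, as an added example that is not Cortex XDR code or its API. It also shows how the SHA-256 that keys an allow-list entry is computed from the file on disk, and checks whether every alert comes from a single host, which is the reply's reason for suspecting the agent install rather than the binaries. The alert records, the allow list, the signer set and the field names are all constructed for the example.

```python
"""Local triage helper for endpoint malware alerts on Linux.

Added example, not Cortex XDR code. The alert format, allow list and
trusted-signer set are constructed; adapt the field names to your export.
"""
import hashlib
import os
import tempfile
from collections import Counter

CHUNK = 1 << 20  # 1 MiB read size so large binaries are hashed without loading fully


def sha256_of_file(path: str) -> str:
    """SHA-256 of a file on disk, read in chunks; this is the value an
    allow-list entry is keyed on."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def demo_hash_roundtrip() -> bool:
    """Write a constructed file, hash it from disk and compare with an
    in-memory hash of the same bytes; True when both agree."""
    content = b"constructed stand-in for a binary that raised an alert\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-binary")
        with open(path, "wb") as fh:
            fh.write(content)
        return sha256_of_file(path) == hashlib.sha256(content).hexdigest()


def _fake_hash(label: str) -> str:
    """Hash of a placeholder string, so the sample data is self-contained."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample alerts (not a real XDR export); all from one endpoint,
# matching the situation described in the question.
SAMPLE_ALERTS = [
    {"host": "lnx-ws-01", "user": "jdoe", "path": "/usr/bin/teams",
     "sha256": _fake_hash("teams"), "signer": "Microsoft Corporation"},
    {"host": "lnx-ws-01", "user": "jdoe", "path": "/usr/bin/code",
     "sha256": _fake_hash("code"), "signer": "Microsoft Corporation"},
    {"host": "lnx-ws-01", "user": "jdoe", "path": "/sbin/iwconfig",
     "sha256": _fake_hash("iwconfig"), "signer": None},
]

# Hypothetical allow list and trusted signers, populated by the analyst after
# confirming (e.g. via the WildFire verdict) that the files are benign.
ALLOW_HASHES = {_fake_hash("teams")}
TRUSTED_SIGNERS = {"Microsoft Corporation"}

HASH_ALLOWED = "hash_allow_listed"
SIGNER_TRUSTED = "signer_trusted"
NEEDS_EXCEPTION = "needs_exception_or_ticket"


def classify(alert: dict, allow_hashes: set, trusted_signers: set) -> str:
    """Apply the options in order of tightness: exact hash first, then signer;
    anything left still needs a support exception or a ticket."""
    if alert["sha256"] in allow_hashes:
        return HASH_ALLOWED
    if alert.get("signer") and alert["signer"] in trusted_signers:
        return SIGNER_TRUSTED
    return NEEDS_EXCEPTION


def triage(alerts: list, allow_hashes: set, trusted_signers: set) -> dict:
    """Group alert paths by the decision taken for each."""
    out = {HASH_ALLOWED: [], SIGNER_TRUSTED: [], NEEDS_EXCEPTION: []}
    for alert in alerts:
        out[classify(alert, allow_hashes, trusted_signers)].append(alert["path"])
    return out


def single_endpoint_pattern(alerts: list) -> bool:
    """True when every alert comes from one host, which points at that
    endpoint's agent rather than at the flagged binaries."""
    return len(Counter(a["host"] for a in alerts)) == 1


if __name__ == "__main__":
    print("hash round-trip ok:", demo_hash_roundtrip())
    for decision, paths in triage(SAMPLE_ALERTS, ALLOW_HASHES, TRUSTED_SIGNERS).items():
        print(f"{decision}: {paths}")
    print("single endpoint:", single_endpoint_pattern(SAMPLE_ALERTS))
```

Hash allow-listing is the narrowest option and breaks on the next software update, while trusting a signer covers updates but is broader; the decision order in `classify` reflects that trade-off.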