06-08-2022 08:57 PM
Hi ,
Why Cortex XDR is not detecting malicious files which are present in system.
for testing purpose I have downloaded a test malware also but it is not reflected after the malware scan.Can anyone please give clarity on this.
Does Cortex detects malicious files only when they are executed ?
Does Cortex XDR don't detect files which are not executed and simply lied down in the system ? In case if we want know the unexecuted Malicious files and get the alert for the same, do we need to add any other features/licenses ?
06-23-2022 03:17 PM
Hi @Anil_Racharla,
1. Cortex XDR’s default malware policy rules utilize both pre-execution and post-execution malware protection. WildFire is used for pre-execution and executes several checks:
WF static analysis
Machine learning
Dynamic analysis
Bare metal
The file will go to Local Analysis if there is no verdict to be found with WF. Cortex XDR post-execution malware prevention includes: behavior threat protection, anti-ransomware, password theft protection, and child process protection.
2. Cortex XDR malware scans check for dormant malware and differs from the protection leveraged during the malware execution. These scans can be done either manually or periodically with prevention profiles and do not require any additional features/licenses.
Here is a relevant, high-level graphic illustrating Cortex XDR file analysis:
Are you expecting dormant detection or a detonation that may have been missed by the Cortex XDR agent? Are you able to share any hash info for verification?
08-13-2022 09:40 AM
thanks a lot ,
I am looking for dormant detection.
08-17-2022 12:36 AM
Hi @Anil_Racharla ,
Cortex XDR though does dormant file detection, but it is designed to be an execution based detection and prevention solution. Often malwares or malicious files are zipped and compressed with different folders or other files(like jpg files, zip files, etc.). Changing the form factor and entity of the file also changes the property and the hashing of the file. The actual zipped/modified file may not be malicious, but upon execution it opens up a new child executable which might be a malware altogether. The resulting causality chain is malicious and should be the one to be detected and prevented accordingly.
Do check for file properties and criteria. Also, you might want to check the policy configuration of the endpoint agent you are testing the samples on.
09-01-2022 08:05 AM
Also look at the Exploit Profiles as when the virus tries to use a process to start the attack the XDR to monitor that process with an exloit profile so that you are protected from attacks that use not infected file but an application vunrability like buffer overflow etc. and the Restrictions Profiles are nice to limit the attack surface.
Also run configure automatic periodic scans for what you want:
10-13-2022 02:25 PM
If you managed to get the needed answers, please flag the question as answered.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
