Cortex XDR not detecting malicious files

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cortex XDR not detecting malicious files

L1 Bithead

Hi ,
Why Cortex XDR is not detecting malicious files which are present in system.
for testing purpose I have downloaded a test malware also but it is not reflected after the malware scan.Can anyone please give clarity on this.
Does Cortex detects malicious files only when they are  executed ?
Does Cortex XDR don't detect files which are not executed and simply lied down in the system ? In case if we want know the unexecuted Malicious files and get the alert for the same, do we need to add any other features/licenses ?

5 REPLIES 5

L3 Networker

Hi @Anil_Racharla,

 

1. Cortex XDR’s default malware policy rules utilize both pre-execution and post-execution malware protection. WildFire is used for pre-execution and executes several checks: 

  • WF static analysis

  • Machine learning

  • Dynamic analysis

  • Bare metal

The file will go to Local Analysis if there is no verdict to be found with WF. Cortex XDR post-execution malware prevention includes: behavior threat protection, anti-ransomware, password theft protection, and child process protection.

 

2. Cortex XDR malware scans check for dormant malware and differs from the protection leveraged during the malware execution. These scans can be done either manually or periodically with prevention profiles and do not require any additional features/licenses.

 

Here is a relevant, high-level graphic illustrating Cortex XDR file analysis:

 

pasted image 0.png

 

Are you expecting dormant detection or a detonation that may have been missed by the Cortex XDR agent? Are you able to share any hash info for verification?

thanks a lot ,
I am looking for dormant detection.

 

L5 Sessionator

Hi @Anil_Racharla ,

 

Cortex XDR though does dormant file detection, but it is designed to be an execution based detection and prevention solution. Often malwares or malicious files are zipped and compressed with different folders or other files(like jpg files, zip files, etc.). Changing the form factor and entity of the file also changes the property and the hashing of the file. The actual zipped/modified file may not be malicious, but upon execution it opens up a new child executable which might be a malware altogether. The resulting causality chain is malicious and should be the one to be detected and prevented accordingly. 

 

Do check for file properties and criteria. Also, you might want to check the policy configuration of the endpoint agent you are testing the samples on. 

L6 Presenter

Also  look at the Exploit Profiles as when the virus tries to use a process to start the attack the XDR to monitor that process with an exloit profile so that you are protected from attacks that use not infected file but an application vunrability like buffer overflow etc. and the Restrictions Profiles are nice to limit the attack surface.

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-...

 

 

Also run configure automatic periodic scans for what you want:

 

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...

L6 Presenter

If you managed to get the needed answers, please flag the question as answered.

  • 4272 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!