cortex xdr - submit false positive - shuttools 1.81

Showing results for 
Show  only  | Search instead for 
Did you mean: 

cortex xdr - submit false positive - shuttools 1.81

L1 Bithead

Palo Alto I am having a problem with your program mis classifing my tool suite


as a false positive.  Its a vba macro that has previously been clearing my Microsoft and utilises some MVP code.  I depend on this to undertake my tasks and is currently being flagged as a false positive by cortex xdr.  Previously traps did cause many if at all issues.  As mentioned Microsoft have cleared a previous version of the macro.


it is critical that you take a look at this program as it performs no malicous activity, its main role is to generate documents for our shutdown planning process at work.  It also uploads source to github and a few other things however does not contain any malicous code.


I have been able to dig this out of the cortex xdr log


2020/08/15T17:42:24.260+08:00 <Info> D-13361 [3980:6344 #12:12] {trapsd:WildFire:GetVerdicts(count=145):} Uploading executable with hash '39649caafc2d41656fcf79e665a449efad0dbbc76f5a97c0491d721a76f268f1' for process path '\\?\UNC\PERFS01\CPMining\Manage Operations\Ops - Concentrator Team\4. Production General\5. Permit To Work\35.0 PTW Team Working Folders\Matt Jackson\Projects\ShutTools\Proto\Shut.Tools.1.81.docm' to URL:





Thank you for your recent inquiry about Shut Tools 1.74 (submission reference: 21f5ed08-48d7-4d0b-8e93-2a7666901857) in connection with the operation of Windows Defender.  


The new security intelligence update version 1.315.578.0 contains changes necessary to resolve your question relating to Shut Tools. New security intelligence update is now available for users who subscribe to the automatic security intelligence update mechanism, as well as users who choose to manually update their security intelligence update library.  


We encourage you to try this new security intelligence update and confirm your inquiry has been resolved.  If your machine has not been updated with this version of security intelligence update you can download and install the update manually following these steps:  




L2 Linker

Hello @thejackal were you not able to get a reply when submitting it as a WildFire Verdict review?  
I normally find this process works pretty well, if the item in question created a Incident in Cortex.  The process I normally am able to use is mentioned in this thread:


Apologies if done this already or this is not relevant to the issue your posting on.

if I can add my other 2cents to this, what I have found is that when app has not been signed by the vendor (which this one is not), its very much likely that WildFire is going to default to considering it Malware, unless a Verdict review is submitted. I have been told by PA TAC/Support folks that the best way to ensure WF has better results, is to ensure and we all request our software vendors to ensure they sign their files.

Hi @thejackal,


@KRisselada is correct.  You have two options here.  You can whitelist the file within your own environment or you can report the verdict as incorrect to WildFire.  If you report it as incorrect, members of our Unit42 team will examine the file in more depth to possibly update the verdict.  


You mentioned that you did not have issues with Traps and they the problem occurred with the current iteration of the product.  I think this is because Cortex XDR has more methods to detect threats such as the Behavioral Indicator of Compromise (BIOC).  When a certain behavior matches these rulesets, you may have additional alerts that were not there in Traps.


In any case, it is worth submitting the app for additional review since it is a needed application.  

David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

L1 Bithead

Palo Alto,

it seems after some recent updates/changes the file is again being flagged as a false positive.  I suspect as the hash has changed somewhat since last update of your system.

Would you please assist me in having this rectified as it is indeed being flagged as a false positive and is a required application to undertake my job function.  I have included the 2 most up to date versions inclusive of beta of the app.  Hopefully this should clear both versions of this from being flagged as a false positive.  Your assistance is greatly appreciated.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!