cortex xdr - submit false positive - shuttools 1.81


L1 Bithead

Palo Alto, I am having a problem with your program misclassifying my tool suite

Shut.Tools.1.81.docm

as a false positive.  It's a VBA macro that has previously been cleared by Microsoft and utilises some MVP code.  I depend on this to undertake my tasks, and it is currently being flagged as a false positive by Cortex XDR.  Previously, Traps did not cause many issues, if any at all.  As mentioned, Microsoft have cleared a previous version of the macro.

 

It is critical that you take a look at this program, as it performs no malicious activity; its main role is to generate documents for our shutdown planning process at work.  It also uploads source to GitHub and a few other things; however, it does not contain any malicious code.

 

I have been able to dig this out of the Cortex XDR log:

 

2020/08/15T17:42:24.260+08:00 <Info> D-13361 [3980:6344 #12:12] {trapsd:WildFire:GetVerdicts(count=145):} Uploading executable with hash '39649caafc2d41656fcf79e665a449efad0dbbc76f5a97c0491d721a76f268f1' for process path '\\?\UNC\PERFS01\CPMining\Manage Operations\Ops - Concentrator Team\4. Production General\5. Permit To Work\35.0 PTW Team Working Folders\Matt Jackson\Projects\ShutTools\Proto\Shut.Tools.1.81.docm' to URL:

 

 

FYI

----------

Thank you for your recent inquiry about Shut Tools 1.74 (submission reference: 21f5ed08-48d7-4d0b-8e93-2a7666901857) in connection with the operation of Windows Defender.  

 

The new security intelligence update, version 1.315.578.0, contains the changes necessary to resolve your question relating to Shut Tools. The new security intelligence update is now available for users who subscribe to the automatic security intelligence update mechanism, as well as for users who choose to manually update their security intelligence library.

  

We encourage you to try this new security intelligence update and confirm that your inquiry has been resolved.  If your machine has not been updated with this version of security intelligence, you can download and install the update manually by following these steps:

 

 

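The trapsd log line quoted in the opening post is the one artefact a defender actually has to work with before a verdict review: it carries the SHA-256 the agent submitted to WildFire and the path of the file it was computed over. The example below, added here and not code from Palo Alto Networks or from the thread's participants, parses lines of that shape, recomputes the SHA-256 of a local copy so you can confirm you are submitting the same bytes the agent flagged (a changed hash after a macro edit is exactly what the later posts suspect), and checks whether an Office document is macro-enabled by looking for an embedded VBA project. The log layout is inferred from the single line on the page (assumption: other GetVerdicts lines follow it), and every hash, host and path in the sample data is constructed.

```python
"""Correlate a Cortex XDR agent (trapsd) WildFire upload log line with the
local file it refers to. Added example; not Palo Alto Networks code.
The line layout is an assumption drawn from one quoted log line; all sample
values below are constructed placeholders."""
import hashlib
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Shape of the "Uploading executable with hash ..." line, inferred from the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) <(?P<level>\w+)> .*?"
    r"\{trapsd:WildFire:GetVerdicts\(count=(?P<count>\d+)\):\} "
    r"Uploading executable with hash '(?P<hash>[0-9a-fA-F]{64})' "
    r"for process path '(?P<path>[^']*)'"
)

# Constructed sample log: one verdict upload plus an unrelated agent line.
# The hash is SHA-256 of the bytes b"hello" so the demo below can match it.
SAMPLE_LOG = r"""2020/08/15T17:42:24.260+08:00 <Info> D-13361 [3980:6344 #12:12] {trapsd:WildFire:GetVerdicts(count=1):} Uploading executable with hash '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824' for process path '\\?\UNC\FILESERVER\Tools\Example.Tools.1.81.docm' to URL:
2020/08/15T17:42:25.001+08:00 <Info> D-13362 [3980:6344 #12:12] {trapsd:Heartbeat:} agent check-in ok
"""


@dataclass
class VerdictUpload:
    timestamp: str
    count: int
    sha256: str   # lower-case hex, as WildFire reports it
    path: str


def parse_line(line: str) -> Optional[VerdictUpload]:
    """Return the upload record for a GetVerdicts line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return VerdictUpload(m["ts"], int(m["count"]), m["hash"].lower(), m["path"])


def parse_log(text: str) -> list[VerdictUpload]:
    """Extract every verdict upload from a block of agent log text."""
    return [u for u in (parse_line(l) for l in text.splitlines()) if u]


def sha256_of(path: Path) -> str:
    """Stream the file so large documents do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_upload(local: Path, upload: VerdictUpload) -> bool:
    """True if the local copy is byte-identical to what the agent uploaded."""
    return sha256_of(local) == upload.sha256


def has_vba_project(path: Path) -> bool:
    """Office documents are zip containers; a vbaProject.bin part means the
    file is macro-enabled in practice, whatever its extension claims."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(name.endswith("vbaProject.bin") for name in z.namelist())


def make_sample_file(content: bytes) -> Path:
    """Write constructed bytes to a temp file and return its path."""
    p = Path(tempfile.mkdtemp()) / "sample.bin"
    p.write_bytes(content)
    return p


def make_sample_docm(with_macro: bool) -> Path:
    """Build a minimal zip shaped like a .docm (constructed, not a real Word file)."""
    p = Path(tempfile.mkdtemp()) / "Example.Tools.docm"
    with zipfile.ZipFile(p, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return p


if __name__ == "__main__":
    for upload in parse_log(SAMPLE_LOG):
        local = make_sample_file(b"hello")  # stand-in for the file on the share
        print(upload.timestamp, upload.path)
        print("  agent hash :", upload.sha256)
        print("  local hash :", sha256_of(local))
        print("  same bytes :", matches_upload(local, upload))
    print("macro-enabled:", has_vba_project(make_sample_docm(True)))
```

Run the parser over the agent's actual log before filing the incorrect-verdict report: if the local file's hash no longer equals the one in the log, the verdict you are disputing belongs to a different build than the one you are about to submit, which is the situation the later replies in this thread describe.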

L2 Linker

Hello @thejackal, were you not able to get a reply when submitting it as a WildFire verdict review?
I normally find this process works pretty well if the item in question created an incident in Cortex.  The process I normally use is described in this thread:    https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/submit-a-revision-about-false-positive-m...

 

Apologies if you have done this already or if this is not relevant to the issue you're posting about.

If I can add my other 2 cents to this: what I have found is that when an app has not been signed by the vendor (which this one is not), it's very likely that WildFire is going to default to considering it malware unless a verdict review is submitted. I have been told by PA TAC/Support folks that the best way to ensure WF has better results is for all of us to request that our software vendors sign their files.

Hi @thejackal,

 

@KRisselada is correct.  You have two options here.  You can whitelist the file within your own environment or you can report the verdict as incorrect to WildFire.  If you report it as incorrect, members of our Unit42 team will examine the file in more depth to possibly update the verdict.  

 

You mentioned that you did not have issues with Traps and that the problem occurred with the current iteration of the product.  I think this is because Cortex XDR has more methods to detect threats, such as the Behavioral Indicator of Compromise (BIOC).  When a certain behavior matches these rulesets, you may see additional alerts that were not there in Traps.

 

In any case, it is worth submitting the app for additional review since it is a needed application.  


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

L1 Bithead

Palo Alto,

It seems that after some recent updates/changes the file is again being flagged as a false positive.  I suspect this is because the hash has changed somewhat since the last update of your system.

Would you please assist me in having this rectified, as it is indeed being flagged as a false positive and is a required application to undertake my job function.  I have included the 2 most up-to-date versions, inclusive of the beta, of the Shut.tools app.  Hopefully this should clear both versions from being flagged as a false positive.  Your assistance is greatly appreciated.

Since rectifying a previous issue with your system identifying the Shut Tools app as a false positive, it has again popped up as a false positive.  I suspect this has been re-triggered because the original hash has possibly changed somewhat, since the app has been updated slightly with new functionality.  Or, for some reason, you have removed the exclusion from your latest update.

 

As I require this tool to undertake my job function, would you please take a look at the 2 zipped versions of the tools, inclusive of the latest beta version.  Once you are satisfied that it does not contain any malicious code, would you please update your WildFire engine to not flag it as a false positive.

Your assistance is greatly appreciated.  I am unable to add an exclusion directly in our environment.  

Thank you

Hi @thejackal -

 

Have you submitted an incorrect verdict submission for this?  You can do this from the WildFire interface in the incident.


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

David,

 

I do not have access to the Cortex XDR or WildFire interface.  As such, I require this to be cleared at a product/signature level.  This has been performed in the past by your team; however, I suspect that with some evolution of the code the hash has changed.

 

Would you please assist me in having it cleared by your team.  Kaspersky has already indicated last night that it would be cleared in their latest update.  Feel free to peruse the code within.

 

Cheers

 

Matt

 

 

Your SOC admins who have access to Cortex XDR can definitely override the verdict, report it as incorrect, and/or whitelist the file.

Below is how to report a WF verdict as incorrect.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/investigation-and-respo...
