This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
cortex xdr - submit false positive - shuttools 1.81
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- cortex xdr - submit false positive - shuttools 1.81
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
cortex xdr - submit false positive - shuttools 1.81
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-15-2020 08:42 AM
Palo Alto I am having a problem with your program mis classifing my tool suite
Shut.Tools.1.81.docm
as a false positive. Its a vba macro that has previously been clearing my Microsoft and utilises some MVP code. I depend on this to undertake my tasks and is currently being flagged as a false positive by cortex xdr. Previously traps did cause many if at all issues. As mentioned Microsoft have cleared a previous version of the macro.
it is critical that you take a look at this program as it performs no malicous activity, its main role is to generate documents for our shutdown planning process at work. It also uploads source to github and a few other things however does not contain any malicous code.
I have been able to dig this out of the cortex xdr log
2020/08/15T17:42:24.260+08:00 <Info> D-13361 [3980:6344 #12:12] {trapsd:WildFire:GetVerdicts(count=145):} Uploading executable with hash '39649caafc2d41656fcf79e665a449efad0dbbc76f5a97c0491d721a76f268f1' for process path '\\?\UNC\PERFS01\CPMining\Manage Operations\Ops - Concentrator Team\4. Production General\5. Permit To Work\35.0 PTW Team Working Folders\Matt Jackson\Projects\ShutTools\Proto\Shut.Tools.1.81.docm' to URL:
FYI
----------
Thank you for your recent inquiry about Shut Tools 1.74 (submission reference: 21f5ed08-48d7-4d0b-8e93-2a7666901857) in connection with the operation of Windows Defender.
The new security intelligence update version 1.315.578.0 contains changes necessary to resolve your question relating to Shut Tools. New security intelligence update is now available for users who subscribe to the automatic security intelligence update mechanism, as well as users who choose to manually update their security intelligence update library.
We encourage you to try this new security intelligence update and confirm your inquiry has been resolved. If your machine has not been updated with this version of security intelligence update you can download and install the update manually following these steps:
8 REPLIES 8
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-16-2020 03:00 PM
Hello @thejackal were you not able to get a reply when submitting it as a WildFire Verdict review?
I normally find this process works pretty well, if the item in question created a Incident in Cortex. The process I normally am able to use is mentioned in this thread: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/submit-a-revision-about-false-positive-m...
Apologies if done this already or this is not relevant to the issue your posting on.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-16-2020 03:11 PM
if I can add my other 2cents to this, what I have found is that when app has not been signed by the vendor (which this one is not), its very much likely that WildFire is going to default to considering it Malware, unless a Verdict review is submitted. I have been told by PA TAC/Support folks that the best way to ensure WF has better results, is to ensure and we all request our software vendors to ensure they sign their files.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-17-2020 11:47 AM
Hi @thejackal,
@KRisselada is correct. You have two options here. You can whitelist the file within your own environment or you can report the verdict as incorrect to WildFire. If you report it as incorrect, members of our Unit42 team will examine the file in more depth to possibly update the verdict.
You mentioned that you did not have issues with Traps and they the problem occurred with the current iteration of the product. I think this is because Cortex XDR has more methods to detect threats such as the Behavioral Indicator of Compromise (BIOC). When a certain behavior matches these rulesets, you may have additional alerts that were not there in Traps.
In any case, it is worth submitting the app for additional review since it is a needed application.
David Falcon
Senior Solutions Architect, Cortex
Palo Alto Networks®
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-31-2021 09:58 AM
Palo Alto,
it seems after some recent updates/changes the file is again being flagged as a false positive. I suspect as the hash has changed somewhat since last update of your system.
Would you please assist me in having this rectified as it is indeed being flagged as a false positive and is a required application to undertake my job function. I have included the 2 most up to date versions inclusive of beta of the Shut.tools app. Hopefully this should clear both versions of this from being flagged as a false positive. Your assistance is greatly appreciated.
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks