Cortex XDR - Whitelist services in properway

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR - Whitelist services in properway

L0 Member

Hi All 😄
I'm new to Cortex XDR Hub and i'm trying to manage somes clients in the right way.

I got this situation:
There are some clients who had used IoBit - DriverBooster for the drivers installation on the machine.
A lot of services about this application it's matched like Greyware or "Bad signature"
Soo for first step i checked all the services who were blocked from Cortex, and later, i signed all of this in the default white list.

Everything works fine...but, when the application start the update the Hash signature of the services change soo i need to put the new hash in the white list again.

I Saw there is the possibility to choose the name of the services i want sign like "white list" but the question is:
If the service change name? 
I think in this case Cortex will not white list the service i would...

Is there any solution maybe i don't know? 🙂 
Thanks for all the answers 😁

2 REPLIES 2

L2 Linker

Hello @mgussoni,

 

Here's my two cents.

 

A couple of things that I believe you should consider when whitelisting.

Try to see whitelisting as a last resort, this will keep your organization safer and will slowly enforce better security practice from product development team you deal with.

 

Depending on which module is triggering the detection, the course of action could differ. Example, if Wildfire is doing the detection and you know the product is legitimate and isn't malicious/suspicious, you can challenge the verdict on the file and Palo Alto will usually change it if they agree with your suggestion in a couple of days. Now when the hash of the file changes, it most likely will match on the same detections on Wildfire unless it is a really popular product and PA adjusts their detections to tailor them to this product.

 

Usually what I would recommend is to try to have the detection resolved by the product vendor if time permits, recommending to properly sign with a trusted public SA if possible. If it is still detecting once the file signature is legitimate, then you can open a support case for Palo Alto to try to address part of a support exclusion or part of a content update push.

 

If you need to whitelist, I would recommend the hash approach over the files/folder approach considering that if someone knows that your clients have an exclusion in place for a specific folder/file path, they could leverage it for malicious activities.

 

Hash approach will indeed require you to whitelist it again when the hash of the file changes with updates but it is a more secure approach.

 

Thank you

L4 Transporter

My cent contribution:

Once you know the signature of your legit software. You can add this signer as a trusted signer. 

KR ,
Luis 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!