False Positive: 'Suspicious File Modification' generated by XDR Agent - Module Anti-Ransomware Protection


L1 Bithead

Hi, we see a problem with a PowerShell script we are using to clean up profiles on some specific Remote Session Host servers.

It is blocked by Cortex XDR Pro, and so I want to make an exception for it.

Unfortunately, it seems only possible to create an alert exception for this, which would then allow the initiator CGO "Powershell.exe" for the Ransomware module in general, which seems a bit too dangerous to me.

I didn't find anything to allow just the PowerShell script + path + system name (for example) instead of powershell.exe.

You can configure very granular exclusions, but it seems not to be possible to do the same for exceptions, or is it?

Is there perhaps something else I can do to allow the script without allowing any PowerShell script to run freely?

Kind regards

Marcus

6 REPLIES

L5 Sessionator

Hey @eumbach, you'll need to perform the action under PE and DLL examination (step 3c) and see if that meets your requirements.

That's a directory, not a CGO.
