03-02-2022 07:37 AM
Greetings,
I am using Cortex XDR Prevent and am keen to know how most decisions are made by Cortex XDR about a file/process/macro being malicious or not. So, assuming there are no hash exceptions, I need to know if the below is true:
- First, the WildFire cache is checked, and if a verdict for the sample is available, it is used and it becomes final.
- Second, if the sample is not in the WildFire cache, then static analysis is done and its decision is used; in parallel the sample is sent for WildFire analysis, and once the verdict is received it takes priority over static analysis. If the WildFire verdict is 'Unknown', then the Static Analysis verdict is final. Also, until the verdict is received from WildFire, the local analysis verdict is valid.
Can somebody confirm if the above is the correct understanding, or if I am wrong anywhere?
Secondly, I would appreciate it if any statistical information about the above could be shared, e.g. whose verdict is used in most cases: Static Analysis or WildFire?
Thirdly, I need to know how often the verdicts differ, and whether they are the same in most cases.
Thanks in advance.
03-02-2022 08:56 PM
Hi @Balaraju, this depends on the configuration of your Malware profiles.
Assuming your profile is configured with WildFire (WF) analysis enabled and configured to block/report for known samples or run Local Analysis for unknown verdicts, your explanation is correct for both points. However, this does not include the reaction of post-execution modules like Behavioral Threat Protection, ransomware protection, NPI etc. Even if WF verdicts are benign, post-execution modules will continue to operate independently and can mitigate threats in-flight.
I don't have any statistical data at hand - but again, it depends on the tenant configuration. Some organizations might have WF disabled, and thus, solely depend on Local Analysis verdicts. Verdicts can vary between industry verticals, types of software used, internet access control (air-gapped systems vs direct internet exposure), administrative rights of endpoint user, firewall configurations and the list goes on. So, it depends!
Please refer to this detailed documentation on Cortex XDR file analysis and protection flows: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/analy...
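The precedence described in the question and confirmed in the reply (WildFire cache hit is final; otherwise the Local Analysis verdict stands provisionally until the WildFire verdict arrives, which overrides it unless it is 'Unknown'; with WildFire disabled the Local Analysis verdict is final at once) can be modelled as a small state machine. The code below is an added illustration written for this page, not Palo Alto Networks' code or any Cortex XDR API; the `VerdictResolver` class, its method names and the sample hashes are constructed for the example.

```python
"""Toy model of the Cortex XDR verdict precedence discussed above.

Constructed example: the class, method names and hashes below are
hypothetical and only illustrate the order in which verdict sources win.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    MALWARE = "malware"
    UNKNOWN = "unknown"  # WildFire could not decide; Local Analysis stays final


@dataclass
class VerdictState:
    verdict: Verdict
    source: str   # "wildfire_cache", "local_analysis" or "wildfire"
    final: bool   # False while a WildFire result is still pending


@dataclass
class VerdictResolver:
    wildfire_enabled: bool = True
    # Constructed stand-ins for the WildFire cache and the Local Analysis engine,
    # both keyed by a sample hash.
    wildfire_cache: dict = field(default_factory=dict)
    local_analysis: dict = field(default_factory=dict)
    # Samples whose provisional verdict is waiting for a WildFire answer.
    pending: dict = field(default_factory=dict)

    def evaluate(self, sample_hash: str) -> VerdictState:
        """Step 1: cache hit is final. Step 2: Local Analysis, provisional if WF is on."""
        if self.wildfire_enabled and sample_hash in self.wildfire_cache:
            return VerdictState(self.wildfire_cache[sample_hash], "wildfire_cache", True)
        local = self.local_analysis.get(sample_hash, Verdict.UNKNOWN)
        if not self.wildfire_enabled:
            # Tenant relies solely on Local Analysis: nothing can override it later.
            return VerdictState(local, "local_analysis", True)
        state = VerdictState(local, "local_analysis", False)
        self.pending[sample_hash] = state
        return state

    def receive_wildfire_verdict(self, sample_hash: str, wf_verdict: Verdict) -> VerdictState:
        """Step 3: the WildFire verdict takes priority unless it is UNKNOWN."""
        provisional = self.pending.pop(sample_hash)
        if wf_verdict is Verdict.UNKNOWN:
            # WildFire had no opinion, so the Local Analysis verdict becomes final.
            return VerdictState(provisional.verdict, "local_analysis", True)
        # Cache the WildFire result so the next evaluation of this hash is a cache hit.
        self.wildfire_cache[sample_hash] = wf_verdict
        return VerdictState(wf_verdict, "wildfire", True)


def run_demo() -> list:
    """Walk three constructed samples through the flow and return the final states."""
    resolver = VerdictResolver(
        wildfire_cache={"hash-known": Verdict.MALWARE},
        local_analysis={"hash-local-benign": Verdict.BENIGN, "hash-local-malware": Verdict.MALWARE},
    )
    results = []
    # Known sample: WildFire cache hit, final immediately.
    results.append(resolver.evaluate("hash-known"))
    # Unknown sample, Local Analysis says benign, WildFire later says malware: WildFire wins.
    resolver.evaluate("hash-local-benign")
    results.append(resolver.receive_wildfire_verdict("hash-local-benign", Verdict.MALWARE))
    # Unknown sample, WildFire returns UNKNOWN: Local Analysis verdict is final.
    resolver.evaluate("hash-local-malware")
    results.append(resolver.receive_wildfire_verdict("hash-local-malware", Verdict.UNKNOWN))
    return results


if __name__ == "__main__":
    for state in run_demo():
        print(f"{state.verdict.value:8} from {state.source:15} final={state.final}")
```

The `pending` dictionary is the part worth noting for a defender: while a sample sits there, the endpoint is acting on the provisional Local Analysis verdict, so a benign local verdict on a sample that WildFire later classifies as malware is exactly the window the reply says the post-execution modules (BTP, ransomware protection, NPI) are there to cover.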