Inconsistent AnyDesk Detection in Cortex XDR

L0 Member

Hi everyone,

I'm observing inconsistent detection behavior in Cortex XDR during weekly on-demand scans related to the AnyDesk application.

On some endpoints, AnyDesk is detected as "Suspicious executable detected", while on others no alert is generated, even though the application is present.

One common pattern we observed is that the alerts are triggered when AnyDesk is executed from the following path:
C:\Users\user123\Downloads\AnyDesk.exe

Additionally, the file hash appears to be the same across both detected and non-detected endpoints.

Why is this detection triggered on some machines while not triggered on others?

1 REPLY

L5 Sessionator

Hello @M.Erkenci ,

Greetings for the day.

Inconsistent detection behavior for the AnyDesk application during on-demand or periodic scans—especially when the file hash is identical across endpoints—is usually caused by differences in policy, verdict handling, or alert visibility rather than the file itself.

Potential Causes for Inconsistent Detection

1. Malware Security Profile Settings (Local Analysis)

If the WildFire verdict for the AnyDesk hash is “Unknown” or “Benign – Low Confidence”, the Cortex XDR agent may rely on Local Analysis.

  • If “Run Local Analysis” is enabled, endpoints can evaluate the file differently based on:
    • Local engine state
    • Cached intelligence
  • Result: One machine flags it as suspicious, another does not.

2. “Treat Grayware as Malware” Setting

AnyDesk is often classified as grayware / PUA (Potentially Unwanted Application).

  • If “Treat Grayware as Malware” is:
    • Enabled → alerts like “Suspicious executable detected”
    • Disabled → no alert

Differences in this setting across profiles will directly cause inconsistent detections.

3. Regional WildFire Verdict Differences

Cortex XDR uses regional WildFire verdicts.

  • The same file hash may be:
    • Malicious/Suspicious in one region
    • Benign/Unknown in another

This can lead to different detection outcomes across geographically distributed endpoints.

4. Alert Exclusions

Detection may still occur, but alerts can be hidden.

  • If an Alert Exclusion exists for:
    • The AnyDesk file/path, or
    • The “Detected (Scanned)” action
      → The alert is suppressed in the console.

5. Digital Signer Restrictions

Executables can be flagged based on signer trust.

  • If AnyDesk’s signer is:
    • Not trusted
    • Explicitly restricted
      → The file may be marked as suspicious on some endpoints.

6. Path Sensitivity (Downloads / Temp)

Files executed from higher-risk directories are more likely to be flagged.

Examples:

  • C:\Users\<user>\Downloads
  • Temp directories

Same file in:

  • Downloads → more likely flagged
  • Program Files → less likely flagged

Recommended Troubleshooting Steps

1. Check WildFire Verdict

  • Search the SHA256 hash in Cortex XDR
  • Confirm:
    • Verdict (Malicious / Suspicious / Unknown / Benign)
    • Confidence level

2. Compare Malware Security Profiles

Review profiles assigned to affected vs. unaffected endpoints:

  • On-demand scan settings
  • Periodic scan configuration
  • Local Analysis behavior for:
    • Unknown files
    • Low-confidence benign files
  • Treat Grayware as Malware setting

3. Review Alert Exclusions

Navigate to:

  • Settings → Configuration → Exception Configurations → Alert Exclusions

Check for rules affecting:

  • AnyDesk filename or path
  • “Detected (Scanned)” alerts

4. Verify Digital Signer Handling

  • Inspect alert details
  • If triggered by signer restriction:
    • Add the AnyDesk signer to Trusted Signers in the Malware Profile (if appropriate)

5. Examine Agent Logs

If inconsistency persists:

  • Collect a Tech Support File (TSF)
  • Review trapsd.log for:
    • Verdict codes (e.g., unknown verdicts)
    • Connectivity issues preventing verdict updates.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
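As an added example (not part of the original thread and not Palo Alto Networks' code), the following Python script turns the six factors listed in the reply above into a small triage helper for the "Compare Malware Security Profiles" step: each endpoint's effective settings are recorded in a dataclass, `evaluate()` works out whether the model expects an alert, no alert, or a suppressed alert and why, and `compare()` lists the settings that differ between a detected and a non-detected endpoint. The decision order and the `EndpointState` fields are an assumed simplification for illustration, not Cortex XDR's real verdict logic, and the endpoint records and SHA256 value are constructed sample data.

```python
"""Triage helper: model why the same file alerts on one endpoint and not another.

Assumed, simplified model of the six factors in the reply (local analysis,
grayware handling, regional verdict, alert exclusions, signer trust, path risk).
It is NOT Cortex XDR's actual verdict engine; it only makes the profile
differences between endpoints explicit so they can be compared.
"""
from dataclasses import dataclass, fields

# Constructed placeholder; the real hash is not on the page.
SAMPLE_SHA256 = "PLACEHOLDER_SHA256_SAME_ON_ALL_ENDPOINTS"

# Directories the reply calls higher-risk (substring match, case-insensitive).
HIGH_RISK_DIRS = ("\\downloads\\", "\\temp\\")


@dataclass
class EndpointState:
    name: str
    sha256: str
    wildfire_verdict: str          # malicious | suspicious | unknown | benign
    verdict_confidence: str        # high | low
    grayware_classified: bool      # verdict carries a grayware / PUA classification
    treat_grayware_as_malware: bool
    run_local_analysis: bool
    local_analysis_result: str     # suspicious | clean (assumed local engine output)
    signer_trusted: bool
    exec_path: str
    alert_exclusions: tuple        # excluded path substrings or action names


def needs_local_analysis(ep: EndpointState) -> bool:
    """Factor 1 trigger: unknown verdict or low-confidence benign verdict."""
    v = ep.wildfire_verdict.lower()
    return v == "unknown" or (v == "benign" and ep.verdict_confidence.lower() == "low")


def evaluate(ep: EndpointState):
    """Return (outcome, reasons); outcome is 'alert', 'silent' or 'suppressed'."""
    reasons, flagged = [], False
    v = ep.wildfire_verdict.lower()
    path = ep.exec_path.lower()

    # Factor 3: the (regional) WildFire verdict itself.
    if v in ("malicious", "suspicious"):
        flagged = True
        reasons.append(f"WildFire verdict is {v}")

    # Factor 2: grayware / PUA handling.
    if not flagged and ep.grayware_classified:
        if ep.treat_grayware_as_malware:
            flagged = True
            reasons.append("grayware classified and 'Treat Grayware as Malware' enabled")
        else:
            reasons.append("grayware classified but 'Treat Grayware as Malware' disabled")

    # Factor 1: local analysis for unknown / low-confidence benign files.
    if not flagged and needs_local_analysis(ep):
        if not ep.run_local_analysis:
            reasons.append("local analysis disabled; verdict left unresolved")
        elif ep.local_analysis_result == "suspicious":
            flagged = True
            reasons.append("local analysis returned suspicious")
        else:
            reasons.append("local analysis returned clean")

    # Factor 5: signer trust.
    if not flagged and not ep.signer_trusted:
        flagged = True
        reasons.append("signer not trusted or explicitly restricted")

    # Factor 6: path sensitivity, recorded as context only in this model.
    if any(d in path for d in HIGH_RISK_DIRS):
        reasons.append("executed from a higher-risk directory")

    if not flagged:
        return "silent", reasons

    # Factor 4: an exclusion hides an alert that did fire.
    for excl in ep.alert_exclusions:
        e = excl.lower()
        if e in path or e == "detected (scanned)":
            reasons.append(f"alert suppressed by exclusion '{excl}'")
            return "suppressed", reasons
    return "alert", reasons


def compare(a: EndpointState, b: EndpointState):
    """Names of settings that differ between two endpoints (name excluded)."""
    return [f.name for f in fields(EndpointState)
            if f.name != "name" and getattr(a, f.name) != getattr(b, f.name)]


# Constructed sample endpoints: same hash, different profile settings.
DETECTED = EndpointState("PC-A", SAMPLE_SHA256, "unknown", "high", True, True,
                         True, "clean", True, "C:\\Users\\user123\\Downloads\\AnyDesk.exe", ())
NOT_DETECTED = EndpointState("PC-B", SAMPLE_SHA256, "unknown", "high", True, False,
                             True, "clean", True, "C:\\Program Files\\AnyDesk\\AnyDesk.exe", ())
SUPPRESSED = EndpointState("PC-C", SAMPLE_SHA256, "unknown", "high", True, True,
                           True, "clean", True, "C:\\Users\\user123\\Downloads\\AnyDesk.exe",
                           ("Detected (Scanned)",))

if __name__ == "__main__":
    for ep in (DETECTED, NOT_DETECTED, SUPPRESSED):
        outcome, why = evaluate(ep)
        print(f"{ep.name}: {outcome} <- {'; '.join(why)}")
    print("PC-A vs PC-B differs in:", compare(DETECTED, NOT_DETECTED))
```

Running it shows PC-A alerting, PC-B silent, PC-C suppressed, and that the only setting differences between PC-A and PC-B are the grayware toggle and the execution path; that list is the starting point for which profile setting to align.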
