02-05-2025 11:28 PM
Hi, the alerts on XDR are very rigid and not readable even to the support personnel; whenever I raise a case they keep checking with other teams and higher support levels to get details. For example, how do I interpret the below? It says "suspicious DLL detected", however many of these DLLs are part of known applications and are intact. How do I identify the reason XDR is saying suspicious?
27/01/2025 09:01:04.000 XABCN N/A Medium No XDR Agent Detected (Scanned) Malware Local Analysis Malware Suspicious DLL detected N/A N/A N/A D:\FNFC Data\Desktop\P1\Example.dll No No DS:PANW/XDR Agent, EG:-
Thanks
02-08-2025 06:59 AM
From the alert info you provided, it seems the DLL is "Detected (Scanned)", which means it was found during either a periodic scan or a user-initiated scan. Since it is a DLL, it won't be quarantined. It is detected by the Local Analysis module, so if you want to allow this DLL when it is actually loaded into a process, you can either add its hash to the allow list, or add a legacy agent exception on the PE and DLL Examination module and then select either the signer of the DLL or the DLL path. You can also add a disable prevention rule so that you get the alert but the DLL is still allowed to run on the endpoint.
Also, since it is scanned, the alert will have many empty fields. When you run the relevant application and this DLL is loaded, the causality view would provide all details such as the causality graph, the signers, the API calls performed and so on. Hope I covered a few things that could help.
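As an added example (not from the original posts, and not Palo Alto Networks code), the PowerShell below gathers on the endpoint the two facts the reply says you need before choosing an exception: the file's SHA256 hash (for a hash allow-list entry) and its Authenticode signer (for a signer-based exception). The `Get-AlertDllPath` and `Get-DllTriageInfo` function names are my own; the script does not assume any fixed column layout for the console row, it simply finds the first `drive:\...\name.dll` path in the pasted text, which handles the spaces in paths like `D:\FNFC Data\...`.

```powershell
# Added triage helper for a "Suspicious DLL detected" scan alert.
# Function names are hypothetical; the cmdlets used (Get-FileHash,
# Get-AuthenticodeSignature, Test-Path) are standard Windows PowerShell.

function Get-AlertDllPath {
    param([Parameter(Mandatory)][string]$AlertRow)
    # Console rows are space separated but the file path itself can contain
    # spaces, so splitting on whitespace would break it. Match a drive letter
    # followed by anything up to a ".dll" that ends at whitespace or end of row.
    $m = [regex]::Match($AlertRow, '[A-Za-z]:\\.+?\.dll(?=\s|$)', 'IgnoreCase')
    if (-not $m.Success) { throw "No DLL path found in alert row." }
    return $m.Value
}

function Get-DllTriageInfo {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Scan alerts can refer to files that were since removed; report that
        # plainly instead of failing on the hash call.
        return [pscustomobject]@{
            Path = $Path; Exists = $false; Sha256 = $null
            SignatureStatus = $null; Signer = $null; Thumbprint = $null
        }
    }
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        Sha256          = $hash.Hash      # value for a hash allow-list entry
        SignatureStatus = $sig.Status     # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

# Constructed sample row, copied in shape from the alert quoted in the question.
$row = '27/01/2025 09:01:04.000 XABCN N/A Medium No XDR Agent Detected (Scanned) Malware Local Analysis Malware Suspicious DLL detected N/A N/A N/A D:\FNFC Data\Desktop\P1\Example.dll No No DS:PANW/XDR Agent, EG:-'

$dll  = Get-AlertDllPath -AlertRow $row
$info = Get-DllTriageInfo -Path $dll
$info | Format-List

# Reading the result: a Valid signature from a vendor you recognise is what a
# signer-based exception keys on; NotSigned or HashMismatch means the file does
# not match what the application vendor shipped, so treat the alert as genuine
# until the application owner confirms the file.
```

Run it on the endpoint that raised the alert (the `D:` path is local to that machine). The hash and signer it prints are exactly the values the reply suggests using for an allow-list or a PE and DLL Examination exception, and `SignatureStatus` tells you whether a signer-based rule is even an option for this file.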