Need Clear idea on XDR action on file


L1 Bithead

Dear All,

Once XDR has taken action on a set of files which seem to be suspicious, apart from the WildFire verdict it also shows an XDR action such as Detected or Prevented (blocked).

How can I confirm whether the actual action taken by XDR was Quarantine / Cleaned / Deleted?

 

 

Accepted Solutions

L3 Networker

Dear @Venkatesh_Konar

Hope you are doing well. From your query I understand you would like to know what happens to a file once it is detected by Cortex XDR to be malicious. Please note that the action taken on the files depends on the Malware security profile configuration.

Please check the malware profile which is configured for the device in question and see if it is set to Block, Report or Disabled. If it is set to Block, then please check what action is to be taken on the file, such as quarantining the file or deleting it. Please find the knowledge base article on the Malware security profile below:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-M...

Also please find the documentation on how to manage quarantined files below, thank you:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Quar...

Hope this answers your query; please reply to this thread if there is anything else I can assist you with. If you find this answer to be useful, please mark it as a solution, thank you.


2 REPLIES 2


L4 Transporter

Hi Venkatesh_Konar,

Just to add on to what @abdrahman already said, if the file was also quarantined in addition to being blocked, the action will be reported as Prevented (quarantined), but whether this is done is based on your Malware Profile configuration. Note, XDR does not automatically delete files; it only optionally quarantines them.

Correction, this is not shown as part of the alert action information. You can confirm this by going to the Action Center and clicking on File Quarantine to see the list of currently quarantined files on all endpoints.
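The two answers above together describe a reconciliation: what the Malware profile (Block / Report / Disabled, with the optional quarantine sub-action) should have done, versus what the Action Center File Quarantine list proves was done. The script below, an added example that is not from this thread or from Palo Alto Networks, implements that check over hand-constructed alert and quarantine rows; the field names (`action`, `file_sha256`, `endpoint_id`) and the verdict string are assumptions, not the product's export schema.

```python
"""Reconcile expected vs. proven file disposition for Cortex XDR malware alerts.
All data below is constructed for illustration; field names are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MalwareProfile:
    mode: str          # "Block", "Report" or "Disabled", as named in the thread
    quarantine: bool   # quarantine sub-option; only meaningful when mode == "Block"


def expected_action(profile: MalwareProfile, verdict: str) -> str:
    """What the profile is configured to do with a file carrying this verdict."""
    if verdict != "malware" or profile.mode == "Disabled":
        return "none"
    if profile.mode == "Report":
        return "Detected"                 # alert only; file is left in place
    if profile.quarantine:
        return "Prevented (quarantined)"  # blocked and moved to quarantine
    return "Prevented (blocked)"          # execution blocked; file not moved


def actual_disposition(alert: dict, quarantine_list: list) -> str:
    """The alert's action text alone does not prove quarantine; the Action
    Center quarantine list (endpoint + hash) is treated as the source of truth."""
    in_quarantine = any(q["endpoint_id"] == alert["endpoint_id"]
                        and q["file_sha256"] == alert["file_sha256"]
                        for q in quarantine_list)
    if in_quarantine:
        return "quarantined"
    if alert["action"].startswith("Prevented"):
        return "blocked only, still on disk"
    return "detected only, still on disk"


def drift(profile: MalwareProfile, alerts: list, quarantine_list: list) -> list:
    """Return hashes the profile should have quarantined but the list does not show."""
    return [a["file_sha256"] for a in alerts
            if expected_action(profile, a["verdict"]) == "Prevented (quarantined)"
            and actual_disposition(a, quarantine_list) != "quarantined"]


# Constructed sample data: placeholder endpoint ids and hashes, not real IoCs.
PROFILE = MalwareProfile(mode="Block", quarantine=True)
ALERTS = [
    {"endpoint_id": "ep-01", "file_sha256": "aa" * 32, "verdict": "malware", "action": "Prevented (blocked)"},
    {"endpoint_id": "ep-02", "file_sha256": "bb" * 32, "verdict": "malware", "action": "Prevented (blocked)"},
]
QUARANTINE = [{"endpoint_id": "ep-01", "file_sha256": "aa" * 32}]

if __name__ == "__main__":
    for a in ALERTS:
        print(a["file_sha256"][:12], expected_action(PROFILE, a["verdict"]), "|", actual_disposition(a, QUARANTINE))
    print("not quarantined despite profile:", drift(PROFILE, ALERTS, QUARANTINE))
```

A non-empty `drift` result is the case the second reply warns about: the alert reads "Prevented" but the file was never moved, so the endpoint still needs attention.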
