06-01-2026 07:42 AM
Dear LIVEcommunity
Has anyone been able to test out the new Linux / macOS cross-platform examination module? I created a new Linux Malware Profile and set the "On-write File Examination" for "Portable executable files (Windows)" to Enabled, applied it to a policy for my Linux endpoint, waited for the policy to apply and then copied a WildFire Test PE (Windows executable which should always trigger an alert) from a Windows host to my Linux host via WinSCP. I did not get any Cortex XDR Alerts, and a manually initiated Cortex XDR malware scan on the Linux endpoint also did not detect the file. The Linux host has Cortex XDR Agent 9.1.0; the feature should be supported with version 8.9+.
A closer inspection of the "wf_verdicts.db" shows my WildFire Test PE Windows Executable has a Verdict with value 6, which I cannot find in the Log Format documentation (only values 0, 1, 2, 4, 99 are defined): https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Log-formats
I'm curious to see if anyone was able to successfully test this feature.
06-01-2026 07:52 AM
Hello @andreal ,
Greetings for the day.
In the local wf_verdicts.db SQLite database for Cortex XDR agents (including Linux and macOS), the verdict value '6' technically maps to UnsupportedFileType.
WinSCP (using the SFTP/SCP protocols) is considered a high-volume I/O process that can trigger the "noisy process" protection mechanism (LRU throttling) in Cortex XDR Agent 9.1.0 for Linux, potentially causing "On-Write File Examination" to be bypassed.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
06-01-2026 08:13 AM
Hello @susekar
I appreciate the quick response! Thanks for the insight into the verdict value 6, very interesting.
As the file type is not supported, I upgraded the Cortex XDR Agent version to 9.2.0 (because it's a feature from the latest release - I assume the on-write protection is a feature for Cortex XDR Agent 8.9+ but cross-platform examination only a 9.2.0 feature) and tried to reproduce the issue. Again, no alert was created.
However, now the verdict value changed to '3' for the new file.
Is there any other protocol I could use to test out the cross-platform examination if WinSCP is bypassing the "On-Write File Examination"?
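Both posts above hinge on reading verdict codes out of the agent's local wf_verdicts.db and recognising which ones the Log Formats documentation defines. The script below is an added example, not code from Palo Alto Networks or from either poster. It opens a SQLite file read-only, discovers any column whose name contains "verdict" via sqlite_master and PRAGMA table_info (the real wf_verdicts.db schema is not shown on this page, so no table or column name is assumed), tallies the values, and flags each one as documented (0, 1, 2, 4, 99 per the thread), explained in the thread (6 = UnsupportedFileType, per the reply), or undocumented (such as the value 3 seen after the 9.2.0 upgrade). The in-memory sample database is constructed for the demonstration and does not reflect the real file's layout.

```python
import sqlite3
import sys
from collections import Counter

# Verdict codes the thread says the Log Formats documentation defines.
# Their meanings are not given on this page, so only membership is recorded.
DOCUMENTED_VERDICTS = {0, 1, 2, 4, 99}

# Meanings stated in the thread itself (the reply explained value 6).
# Value 3, seen after the 9.2.0 upgrade, has no stated meaning and is left out.
THREAD_LABELS = {6: "UnsupportedFileType (per reply in thread)"}


def classify(value):
    """Return a short status string for one verdict code."""
    if value in THREAD_LABELS:
        return THREAD_LABELS[value]
    if value in DOCUMENTED_VERDICTS:
        return "documented (see Log Formats)"
    return "undocumented"


def find_verdict_columns(conn):
    """Return (table, column) pairs for every column whose name contains 'verdict'.

    The schema is discovered at runtime, so nothing about wf_verdicts.db's
    real table names is assumed.
    """
    pairs = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            if "verdict" in col[1].lower():
                pairs.append((table, col[1]))
    return pairs


def tally_verdicts(conn):
    """Count each verdict value per (table, column) and classify it."""
    report = {}
    for table, column in find_verdict_columns(conn):
        counts = Counter(
            row[0] for row in conn.execute(f'SELECT "{column}" FROM "{table}"'))
        report[(table, column)] = {
            value: {"count": n, "status": classify(value)}
            for value, n in counts.items()
        }
    return report


def open_readonly(path):
    """Open an existing SQLite file without taking a write lock on it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed sample database for the demo; NOT the real wf_verdicts.db schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE verdicts (path TEXT, verdict INTEGER)")
    conn.executemany("INSERT INTO verdicts VALUES (?, ?)", [
        ("/home/user/wildfire-test-pe.exe", 6),    # constructed: the 9.1.0 observation
        ("/home/user/wildfire-test-pe-2.exe", 3),  # constructed: the 9.2.0 observation
        ("/usr/bin/ls", 1),                        # constructed: documented code
        ("/tmp/sample.bin", 1),                    # constructed: documented code
    ])
    conn.commit()
    return conn


def print_report(report):
    for (table, column), values in report.items():
        print(f"{table}.{column}:")
        for value, info in sorted(values.items(), key=lambda kv: str(kv[0])):
            print(f"  verdict={value!r:>5}  count={info['count']:<4} {info['status']}")


if __name__ == "__main__":
    # Pass a path to inspect a real copy of wf_verdicts.db; otherwise use the sample.
    conn = open_readonly(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    print_report(tally_verdicts(conn))
```

Run it against a copy of the database rather than the live file, and treat any value outside the documented set as a reason to check the agent release notes for that version before assuming a detection gap: in the thread the value changed between 9.1.0 and 9.2.0 without an alert in either case, so the code alone does not tell you whether the file was examined.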