06-22-2023 02:21 PM
Hello dear community,
what means Detected (Post Detected)?
In our case, we see pdfpower.exe incidents popping up, the user says he didn't download anything to the incident time.
I think, the agent is scanning the OS, when there is allready a quarantaine or blacklist entry?
What do you think?
BR
Rob
09-22-2023 03:07 AM
"Prevented (Post Detected)" indicates that the verdict for a process has been changed to malware from benign and an agent terminated because the process was still running.
While "Detected (Post Detected)" as shared above by @nsinghvirk indicates that the verdict for a process has been changed to malware from benign and that process was executed in the past but not running anymore.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
06-23-2023 07:54 AM
Hello @RFeyertag
Detected (Post Detected) means that a particular file was earlier detected and since then its verdict has flipped from benign to malware. This happens when XDR waits for wildfire verdict for file whose's verdict is unknown and meanwhile Local Analysis has given a benign verdict, later wildfire comes with malware verdict. File was already executed and XDR generates a high severity alert with action as Detected (Post Detected).
09-21-2023 11:34 PM
What does Prevented (Post detected) mean?
09-22-2023 03:07 AM
"Prevented (Post Detected)" indicates that the verdict for a process has been changed to malware from benign and an agent terminated because the process was still running.
While "Detected (Post Detected)" as shared above by @nsinghvirk indicates that the verdict for a process has been changed to malware from benign and that process was executed in the past but not running anymore.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
09-22-2023 08:24 AM
Thank you very much for this clarification!
BR
Rob
02-12-2025 01:30 AM
I have a similar "Detected" (Post Detected) case where the WildFire verdict has changed. However, the initial execution of the executable file dates back to three months ago. The file was already submitted to VirusTotal (first submission date: 2009) and is detected by multiple vendors as malware (VirusTotal - File - 52f28b84699922bb7be7621581e7133ee3d34a34f41e4bc779357c6ec8ca09b7).
My question is: Does Cortex solely rely on WildFire detection to block malware, or does it also consider other intelligence sources? In my case, it doesn't seem to be the latter.
02-26-2025 10:45 PM - edited 02-26-2025 10:46 PM
Hi @PiyushKohli,
Even though that file was previously on the computer but is no longer present, is the post detected alert still being triggered?
02-26-2025 11:06 PM
Hi @Arman_Zaheri and @Aristooo
Please find update to your query.
For this query: "Does Cortex solely rely on WildFire detection to block malware, or does it also consider other intelligence sources? In my case, it doesn't seem to be the latter." Answer is No. Wildfire is just one protection module, Cortex XDR has a multi layer of defense approach that allow us to look at an activity from different angles and in different timestamps of the threat. Wildfire in this case is just for pre-execution, even if execution happens XDR agent will monitor the behavior and can detect/prevent the malicious activity. Hope this clarifies.
@Aristooo to your query "Even though that file was previously on the computer but is no longer present, is the post detected alert still being triggered?" Alert will triggered if there was an execution of that file, and in scenario if there was no execution then there won't be any alert as that file is just sitting on disk.
Hope this helps and clarifies!
02-26-2025 11:26 PM
@PiyushKohli thank you for your response.
The interesting thing is that I deleted that file several months ago. There is also no regular application related to the file on the computer. However, today the post-detection alert was triggered.
02-27-2025 12:14 AM
Hi @PiyushKohli ,
My question was, why Cortex didn't block the file or raise an alert despite the fact that at the time of execution, the VirusTotal's verdict was malicious for that file, but Cortex still decided not to raise an alert for it. So, to me, it seems that Cortex's internal mechanisms did not take VirusTotal's verdict into account in this particular case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
