Repeated False Incidents with Unknown Verdicts

L1 Bithead

Hi everyone,

I’m currently facing an issue with Cortex XDR where I regularly receive incidents flagged as suspicious,

This particular one shows:

  • WF (WildFire) Verdict: Unknown

  • VT (VirusTotal): 0/64 detections

Every week, I keep seeing similar incidents, often related to legitimate services or vendors (e.g., Tata CLiQ Luxury in this case), with no solid indication of malicious behavior. Since WildFire gives an "Unknown" verdict, I can't report it for reanalysis. And as the detection rate in VirusTotal is 0/64, there’s no strong indication of threat either.

My concerns:

  1. Is there a better way to handle these rather than manually creating exceptions for each one?

  2. Can we automate the trust for such low-risk alerts based on certain conditions?

  3. Are there any best practices that can help in reducing noise from such recurring false positives?

L4 Transporter

Hi V.R800240,

There has to be a reason why SF did not answer with a verdict.

Maybe there was a problem when trying to load the sample into the sandbox, or the sandbox could not execute the file....

Further investigation should be made, so please feel free to open a TAC support case.

In the meantime you can add the hash to the allow list to prevent the incidents from being opened. After TAC gives you a final solution, remember to clean the temporary hashes out of your allow list.

Feel free to click on like the answer if this helped you. 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

KR, 

Luis
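As an added example (not Cortex XDR code and not from anyone in this thread), here is a Python triage sketch for the original questions 2 and 3: it auto-suppresses only incidents matching the conditions described above (WildFire verdict Unknown, VT 0/N, already-vetted publisher) and records them in an allow list whose entries expire, so the temporary hashes Luis mentions are cleaned up rather than forgotten. The Incident fields, the TRUSTED_SIGNERS set and the local AllowList store are assumptions; incidents are taken to be already exported as plain records.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed set of publishers the SOC has already vetted (assumption).
TRUSTED_SIGNERS = {"Tata CLiQ Luxury"}

@dataclass
class Incident:
    sha256: str
    wf_verdict: str     # WildFire verdict as shown in the incident, e.g. "Unknown"
    vt_detections: int  # VirusTotal positives (the "0" in 0/64)
    vt_total: int       # VirusTotal engines queried (the "64" in 0/64)
    signer: str         # publisher from the file signature, "" if unsigned

@dataclass
class AllowList:
    """Hash allow list where every entry carries an expiry (hypothetical local store)."""
    ttl: timedelta = timedelta(days=14)
    entries: dict = field(default_factory=dict)  # sha256 -> (reason, expires_at)

    def add_temporary(self, sha256: str, reason: str, now: datetime) -> None:
        self.entries[sha256] = (reason, now + self.ttl)

    def purge_expired(self, now: datetime) -> list:
        """Drop entries whose TTL has passed; returns the removed hashes."""
        expired = [h for h, (_, exp) in self.entries.items() if exp <= now]
        for h in expired:
            del self.entries[h]
        return expired

def classify(inc: Incident) -> str:
    """Return 'escalate', 'allow_temp' or 'leave' for one incident."""
    if inc.wf_verdict.lower() == "malware" or inc.vt_detections > 0:
        return "escalate"   # any positive signal goes to an analyst
    if inc.wf_verdict.lower() == "unknown" and inc.vt_detections == 0 \
            and inc.signer in TRUSTED_SIGNERS:
        return "allow_temp"  # no signal, vetted publisher: suppress for now
    return "leave"           # no signal but unvetted publisher: manual review

def triage(incidents: list, allow: AllowList, now: datetime) -> dict:
    """Classify each incident and record temporary allow-list entries."""
    decisions = {}
    for inc in incidents:
        decision = classify(inc)
        decisions[inc.sha256] = decision
        if decision == "allow_temp":
            reason = f"WF Unknown, VT 0/{inc.vt_total}, signer {inc.signer}; pending TAC case"
            allow.add_temporary(inc.sha256, reason, now)
    return decisions
```

Run purge_expired on a schedule (and after TAC closes the case) so nothing stays allow-listed on an unresolved verdict.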

Ok. Thanks for the update. I'll create a TAC case.

L4 Transporter

Hi again,

I could not find in our labs a case in which we have an unknown verdict.

When you go to the unknown verdict, could you tweak it to grayware and then wait for a response from our analysts?

That might work too if you have the possibility while TAC is working on this.

Feel free to click on like the answer if this helped you. 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

KR, 

Luis
