What does it mean Prevented(Blocked) by the Agent XDR?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What does it mean Prevented(Blocked) by the Agent XDR?

L1 Bithead

Hi all,

 

What does the Prevented (Blocked) action of the XDR agent mean? Does the user receive/see any notification?

 

And, how do I prevent the XDR agent from blocking that key artifact?

 

Thank you,

David. 

3 REPLIES 3

L2 Linker

Hi, 

 

Based on the policy XDR agent blocks any file which has a verdict as Malware, When the file is blocked user should receive a message from XDR agent pop up window and the same will be reported as alert in XDR Console. You can disable blocking of a file with malware verdict by adding it to allow list or you can also set policies to stop blocking files in a location or type/extension etc based on your requirement - check out this link for allow list

Hi Sramesh-7,

Thank you for your quick response.

 

I added the file to the allow List, which it comes from WildFire Malware.

Some days later, I get a new incident only involved with this Key artifact but from Local Analysis Malware (although the key artifact is in the allow list).
The threat intelligence catalog it as malware. 

 

Is that the behaviour expected? What can I do? 

Thank you,

David. 

 

 

Hi @david.hernandez  XDR offers a multi-layer approach to secure your environment, so it is important to understand the file analysis and protection flow (E.g.  Phase 3: Hash Verdict Determination). Additional considerations are to review WildFire analysis details, and if you know the WildFire is incorrect, then you can report an incorrect verdict to Palo Alto Networks to request a verdict change. 

  • 4452 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!