Wildfire Test File

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wildfire Test File

L2 Linker

Has anyone had issues with the Wildfire Test file not showing up as an alert in the cloud? On the workstation it's getting blocked just fine. I haven't had a regular alert fire in about 2 months. Just wondering if I have an underlying communication issue. Also looked at the logs to verified no proxies are setup.

4 REPLIES 4

L4 Transporter

Hi @Chris_Dietz 


Thank you for writing to Live Community.

What you’re describing could stem from a variety of reasons.

1. You mention you have not seen an alert in months, are you using the same test pe file on both machines? Have you tried downloading a  new test pe file and checking if it generates alerts in your cloud environment?

2. If downloading a new file does not trigger the alerts again, please take a look at the alert exclusions configurations by going into Settings → Exception Configuration → Alert Exclusions  and check if there’s an existing rule to suppress this type of alerts.

3. If you did not find it under alert exclusion, please go into IOC/BIOC suppression settings by going into Settings → Exception Configuration → IOC/BIOC Suppression Rules and make sure there is no suppression rule set to prevent the test pe file from running.


4. You raised concerns about the file not getting blocked. Can you log into your VM and try a custom scan? You can initiate a scan on demand to examine a specific file or folder. If there aren’t any settings allowing this specific file to run (hash-allow list or exception) it should be blocked.

Please let me know if any of these steps helped!

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

Hi, yes I tried the same test pe file on both machines. I downloaded a fresh copy to see if anything changed, and it had not. Verified no exceptions this morning in both places you recommended. Currently running a malware scan now to see if it will pick it up.

 

The strange thing is that it will block it on the local machine, however I'm not getting a cloud alert for it. I noticed that there was a hot fix CPATR-18853 that might have something to do with it. Any ideas on what to do from here?

Also ran a custom scan on the file itself. It identifies correctly as a suspicious file, however the alert is not getting to the cloud and I'm not getting an email notification. Thanks for the steps. I'm going to make some notes and initiate a support ticket.

L4 Transporter

Thanks for sharing @Chris_Dietz.

In this instance, a support ticket would indeed be more useful, as you'd be able to share with us screenshots and configurations you wouldn't want to exposed in a public forum.


Just a quick note - email notification exclusions are different than alert exclusions. However, if you're not seeing the alert at all then a support ticket is still warranted.

Hope you are able to solve this quickly.


Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

  • 1864 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!