XDR 7.6.1 seems to ignore exception


L0 Member

Hi, Cortex XDR Local Analysis Malware module stops a process called "ClientConsole.exe" (I guess it's a false positive)

 

I've created a global exception for that issue and checked-in client but XDR still blocks this executable.

 

In client log I read these rows:

 

2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'

 

Why does XDR ignore my exceptions?

Faber

L2 Linker

Hi Faber, 

 

This may be due to this process not being protected by a module. By default, your exploit security profile protects endpoints from attack techniques that target specific processes. Each exploit protection capability protects a different set of processes that Palo Alto Networks researchers determine are susceptible to attack. If there are no protection modules enabled on the process, no exception is needed. Please reference Processes Protected by Exploit Security Policy (paloaltonetworks.com) for more details.

 

There are other modules where Process Exceptions will still apply, like Anti-Ransomware Protection, Child Process Protection, but for all Exploit Prevention Modules the process exception makes no difference for an unprotected process. 

 

If your investigation has determined the process is benign, you can add the hash to the Allow List (*best practice is to whitelist by hash) and allow it to be executed on all your endpoints regardless of the WildFire or local analysis verdict.

 

In the UI, go to Incident Response > Response > Action Center > + New Action.

Enter the SHA-256 hash of the file and click the button shown in the screenshot.

 

You can add up to 100 hashes at once. 
Click Next.
Review the summary and click Done.

 

Reference Manage File Execution (paloaltonetworks.com)

 

Thanks
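When an agent keeps reporting "ignoring admin exception" lines like the ones quoted in the question, it helps to confirm quickly, across a whole log file, which processes are affected and how often, rather than reading the heartbeat entries by hand. The script below is an added example, not code from Palo Alto Networks or from this thread. Its line format is inferred only from the five lines the poster quoted (timestamp, level, host, pid:tid, component, message), so the field names are my own assumption and the pattern may need adjusting for other Cortex XDR log entries; the sample lines are constructed to mirror the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Line layout inferred from the lines quoted in the question; the group
# names (ts, level, host, pid, tid, component, msg) are assumptions.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) <(?P<level>\w+)> (?P<host>\S+) "
    r"\[(?P<pid>\d+):(?P<tid>\d+)\s*\] \{(?P<component>[^}]*)\} (?P<msg>.*)$"
)

# The message of interest, exactly as it appears in the quoted log.
IGNORED_RE = re.compile(r"ignoring admin exception for process: '(?P<proc>[^']+)'")


@dataclass
class LogEntry:
    ts: str
    level: str
    host: str
    pid: int
    tid: int
    component: str
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one agent log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        ts=m["ts"],
        level=m["level"],
        host=m["host"],
        pid=int(m["pid"]),
        tid=int(m["tid"]),
        component=m["component"],
        msg=m["msg"],
    )


def ignored_exceptions(lines: Iterable[str]) -> dict:
    """Count 'ignoring admin exception' entries per process name.

    Process names are lower-cased because the agent logs them lower-cased
    ('clientconsole.exe') while the console shows the on-disk casing.
    """
    counts: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        m = IGNORED_RE.search(entry.msg)
        if m:
            counts[m["proc"].lower()] += 1
    return dict(counts)


def exception_applied(lines: Iterable[str], process_name: str) -> bool:
    """True when the log contains no 'ignoring admin exception' entry for
    the given process, i.e. no evidence that the exception was skipped."""
    return process_name.lower() not in ignored_exceptions(lines)


# Constructed sample: the five lines from the question plus one unrelated
# heartbeat line, to show that non-matching entries are left alone.
SAMPLE_LINES = [
    "2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] "
    "{trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'"
] * 5 + [
    "2022/01/25T10:17:40.001+01:00 <Info> VALERIANIT [10128:11292 ] "
    "{trapsd:Ptu:Heartbeat:Scheduled:} heartbeat completed"  # constructed
]

if __name__ == "__main__":
    for proc, n in sorted(ignored_exceptions(SAMPLE_LINES).items()):
        print(f"{proc}: exception ignored {n} time(s)")
    print("ClientConsole.exe exception applied:",
          exception_applied(SAMPLE_LINES, "ClientConsole.exe"))
```

Run it against a copy of the agent log (for example by replacing `SAMPLE_LINES` with `open(path).read().splitlines()`); a non-empty result for a process you have excepted is the signal, as the reply above explains, that the exception targets a module that does not protect that process, and that a hash-based allow-list entry is the appropriate fix.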
