XDR AV Scan Alerts/Incidents


L3 Networker

Hello Team,

 

During AV scans, every time we are receiving an alert that a cache file is detected from different hosts; the filename and hash are the same. The file verdict is Benign.

 

Please help me with how I can address this file, as it is a temporary file.

L5 Sessionator

Hello Ramyashree,

 

Thank you for writing to the LIVEcommunity.

 

Could you please confirm whether you have checked which application is creating the cache file? Is that file being created in the same location or in different locations?

 

Regards

 

Ashutosh Patil

Microsoft Edge is creating the cache file, and the file is being created in the same location.

L5 Sessionator

Hello @RamyashreeMada ,

You can check with Microsoft or look up the hash on VirusTotal. As the hash and file name are the same, you can create an exclusion or add it to the allow list.

 

Note: Exclusions are an organizational decision.

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you. 

Ashutosh Patil

Hi @RamyashreeMada , 

 

To add to the previous responses: there is a possibility that these cached files are removed after some time, and by the time the WF verdict is generated, the endpoint fails to take the update into the local cache because the file is no longer available. Also, I would like to know whether you see the verdict as "Benign" or as "Benign LC". Benign LC means that WF is not confident in the verdict and lets the Local Analysis module examine the file and make a decision. However, the local analysis engine declares this as malware, and hence the alert event. In these corner cases, creating allow list entries at the SHA256 level is good to go.

 

In such cases you can report the verdict as incorrect and request manual re-examination of the file. The next time, the verdict should come back as a solid verdict ("Benign" or "Malware").

Though your query is slightly broad by nature, it could be narrowed down with some screenshots, if you are able to provide them. The screenshots below are not the same, so you might want to check for this.

 

Screenshot 2023-11-09 at 11.11.54 PM.png

Screenshot 2023-11-09 at 11.13.56 PM.png

 

Another possibility: I would be more interested in knowing whether this is constantly being faced by endpoints on a specific agent version or across all of them. Here I am considering the case where the verdict is a solid "Benign" and not "Benign LC".

The reason is that we have historically had a known issue on endpoints where they failed to update the WF local cache, and the solution was to upgrade the XDR agents to the releases fixing this issue. I would also recommend collecting some alert dump files for the same SHA256 prevention event on the endpoint and a TSF from the endpoint, and opening a support case for this.

 

Hope this helps! Please mark the response as "Accept as Solution" if it answers your query.

 

 

Thanks for the information.

 

Please find the details below:

The file verdict is "Benign LC".
Currently we are using 8.0.2 agent version on all endpoints.

Makes sense now. So, you need to whitelist the hash for the time being and then report the verdict as incorrect.

 

Steps below:

 

  1. Log into Cortex XDR/XSIAM and open the Incident with the wrong verdict for the sample.
  2. Open the detailed WildFire Analysis Report for the sample with the wrong verdict.
  3. Use the "Report Verdict as Incorrect" button to open a new menu. Add your comments with the proper verdict chosen; simply mention in the comments: "This is categorised as Benign LC and seems to be Edge cache files. Please review and give a verdict accordingly. I am selecting <your choice of verdict> verdict for now."
  4. Fill in the Verdict Change Request with a suggestion of a new verdict, your contact email, and a short explanation of why you believe this verdict is incorrect. After the manual review is completed, a report will be sent to the email address you used here.
  5. Once the verdict is received, and if the file is found benign, it is converted to a solid Benign and you can remove the SHA256 from your allowlist.

Hope this clarifies.
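The triage logic described across this thread (same filename and SHA256 on many hosts with a "Benign LC" verdict -> temporary SHA256 allow list entry plus a verdict-change request; a solid "Benign" that still alerts -> suspect the local WF cache/agent version and open a case; anything "Malware" -> investigate), as an added worked example. This is not Cortex XDR's own code or API: the alert field names, the decision labels, the Edge cache path and the sample records are all constructed for illustration. It also shows the file-vanished edge case the thread mentions, where a short-lived cache file is gone before it can be hashed.

```python
"""Triage recurring AV-scan alerts that share one SHA256.

Added example, not Cortex XDR code. Alert records are assumed to be
dicts with the keys host / path / sha256 / verdict (an assumption about
an export format, not the product's real schema).
"""
from collections import defaultdict
import hashlib

# Assumed Edge cache location (illustrative; adjust to what the alert shows).
EDGE_CACHE = r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data" + "\\"

# Placeholder hashes: real alerts carry 64 hex chars of SHA256.
HASH_EDGE = "a" * 64
HASH_TOOL = "b" * 64
HASH_BAD = "c" * 64

# Constructed sample alerts modelled on the thread (not real data).
SAMPLE_ALERTS = [
    {"host": "WS-001", "path": EDGE_CACHE + "f_000123", "sha256": HASH_EDGE, "verdict": "Benign LC"},
    {"host": "WS-002", "path": EDGE_CACHE + "f_000123", "sha256": HASH_EDGE, "verdict": "Benign LC"},
    {"host": "WS-003", "path": EDGE_CACHE + "f_000123", "sha256": HASH_EDGE, "verdict": "Benign LC"},
    {"host": "WS-004", "path": r"C:\Temp\tool.exe", "sha256": HASH_TOOL, "verdict": "Benign"},
    {"host": "WS-005", "path": r"C:\Temp\dropper.exe", "sha256": HASH_BAD, "verdict": "Malware"},
    {"host": "WS-006", "path": r"C:\Temp\dropper.exe", "sha256": HASH_BAD, "verdict": "Malware"},
]

# Decision labels used by this example (not product terminology).
ALLOWLIST_AND_REPORT = "allowlist_temporarily_and_report_verdict"
CHECK_AGENT_AND_OPEN_CASE = "check_agent_version_and_open_case"
INVESTIGATE = "investigate"


def _basename(path):
    """File name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(alerts, min_hosts=2):
    """Group alerts by SHA256 and return {sha256: decision}.

    A hash qualifies for a temporary allow list entry (plus a verdict
    change request) only when every alert for it is "Benign LC", it was
    seen on at least min_hosts distinct hosts, and the file name is the
    same everywhere, which is the pattern reported in the thread.
    """
    by_hash = defaultdict(list)
    for alert in alerts:
        by_hash[alert["sha256"]].append(alert)

    decisions = {}
    for sha256, group in by_hash.items():
        hosts = {a["host"] for a in group}
        names = {_basename(a["path"]) for a in group}
        verdicts = {a["verdict"] for a in group}

        if "Malware" in verdicts:
            decisions[sha256] = INVESTIGATE
        elif verdicts == {"Benign LC"} and len(hosts) >= min_hosts and len(names) == 1:
            decisions[sha256] = ALLOWLIST_AND_REPORT
        elif verdicts == {"Benign"}:
            # Solid Benign but still alerting: the thread attributes this to
            # endpoints failing to update the WF local cache (agent-version issue).
            decisions[sha256] = CHECK_AGENT_AND_OPEN_CASE
        else:
            decisions[sha256] = INVESTIGATE
    return decisions


def hash_bytes(data):
    """SHA256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_if_present(path):
    """Hash a file on disk, or return None if it has already been deleted.

    Cache files are short-lived, so a scan that reads them later may find
    nothing; callers should treat None as "could not verify", not "benign".
    """
    try:
        with open(path, "rb") as fh:
            return hash_bytes(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for sha256, decision in triage(SAMPLE_ALERTS).items():
        print(sha256[:12], decision)
    print(sha256_if_present(EDGE_CACHE + "f_000123"))
```

Run the triage over an alert export before touching the allow list: the allow list decision is reached only for the exact pattern described in the thread, and it is meant to be temporary until the verdict-change request comes back as a solid Benign (step 5 above).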
