
XDR command line scan


L0 Member

Hi All, I've been looking at the functionality of the cytool command line and cannot find a way to scan a particular file, which is available if you right click the file in Windows. Can anyone tell me if the ability to scan an individual file, or folder available from command line in XDR client?

Thanks, Paul

4 REPLIES

Community Team Member

Hi @PaulDownes ,


In order to get better traction for this, I have moved your query to the Cortex area.
I would recommend that you visit this area to see your discussion and others on Cortex.


Cheers,

-Kiwi.

LIVEcommunity team member, CISSP

L3 Networker

Hi @PaulDownes,

The scan malware option is not part of the cytool commands.

There are some alternatives:

  1. cytool fileinfo c:\path\to\app1.exe - the process needs to be known to WF/LA
    1. This will give you information about app1.exe. You want to look for the File SHA256 value.
  2. cytool wf query app1_sha256_value
    1. If you do not get a result, it means that WF/LA do not know it. At this point, you first need to upload the file to WF. You can do that by scanning the file using the mouse.
    2. You could use cytool imageprep. This will look at all the volumes and upload to WF those that are unknown. This operation could take quite some time, at least the first time it is executed. Later imageprep scans would take less time, as only the new unknown executables will be uploaded to WF.
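A small PowerShell wrapper that batches the fileinfo / wf query steps above over a folder (or a single file), so the per-file hash lookup can be scripted instead of clicked through. This is an added example, not code from this thread or from Palo Alto Networks; it assumes the default cytool.exe install path shown below, an elevated prompt, and that the text printed by `cytool wf query` is returned untouched, because its exact format is not shown in the thread.

```powershell
# Added example: query WildFire verdicts for every executable under a path
# using the "cytool wf query <sha256>" step described in the thread.
# Assumption: cytool.exe is at the default agent path; adjust if needed.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$CytoolPath = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'
)

if (-not (Test-Path -LiteralPath $CytoolPath)) {
    throw "cytool.exe not found at $CytoolPath (assumed default path)"
}

# A folder is walked recursively for PE files; a single file is used as-is.
$item = Get-Item -LiteralPath $Path
$files = if ($item.PSIsContainer) {
    Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe, *.dll
} else {
    $item
}

$results = foreach ($f in $files) {
    # The thread says "cytool wf query" takes the file's SHA256. Hashing
    # locally with Get-FileHash avoids parsing "cytool fileinfo" output.
    $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash

    # Assumption: the query's output format is not documented here, so the
    # raw text and exit code are kept for the operator to interpret.
    $out = (& $CytoolPath wf query $sha 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        File     = $f.FullName
        SHA256   = $sha
        ExitCode = $LASTEXITCODE
        Response = $out
    }
}

# Files with no verdict in the response are the ones the thread says still
# need uploading (right-click scan or "cytool imageprep").
$results | Format-Table -AutoSize -Wrap
```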

 

L3 Networker

Looking at the official docs, it looks like you can just start a scan:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-windo...

I would, however, confirm with the TAC.

L0 Member

Thanks folks, all very helpful. I'm going to accept Fmoixsante's suggestion about the imageprep scan as the accepted solution, might be able to run with that. If there was something flagged on the client machine to say the scan marked the file safe / unsafe, I could possibly use that to trigger a subsequent action to admins also. I appreciate the insights from you all, thanks again.

  • 5010 Views
  • 4 replies
  • 0 Likes