This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XDR command line scan

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XDR command line scan

PaulDownes
L0 Member

‎11-04-2021 08:09 AM

Hi All, I've been looking at the functionality of the cytool command line and cannot find a way to scan a particular file, which is available if you right click the file in Windows. Can anyone tell me if the ability to scan an individual file, or folder available from command line in XDR client?

Thanks, Paul

0 Likes Likes
4 REPLIES 4

kiwi
Community Team Member

‎11-09-2021 05:02 AM

Hi @PaulDownes ,

 

In order to get better traction for this, I have moved your query to the Cortex area.
I would recommend that you visit this area to see your discussion and others on Cortex.

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

fmoixsante
L3 Networker

‎11-09-2021 05:10 AM - edited ‎11-09-2021 05:19 AM

Hi @PaulDownes 

 

The scan malware option is not part of the cytool commands.

 

There are some alternatives

 

  1. cytool fileinfo c:\path\to\app1.exe - process needs to be known to WF/LA
    1. this will give you information about app1.exe. you want to look for the File SHA256 value
  2. cytool wf query app1_sha256_value
    1. If you do not get a result, it means that WF/LA do not know it. At this point, you first need to upload the file to WF. You can do that by scanning the file using the mouse
    2. you could use cytool imageprep. this will look at all the volumes are upload to WF those that are unknown. This operation could take quite some time, at least the first time executed. Later imageprep scans, would take less time as only those new unknown executables will be uploaded to WF.

 

PeteJacobCF
L3 Networker

‎11-09-2021 07:00 AM

looks like looking at the official docs you can just start a scan:

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-windo...

 

I would however confirm with the tac

0 Likes Likes

PaulDownes
L0 Member

‎11-11-2021 06:22 AM

Thanks folks, all very helpful. I'm going to accept Fmoixsante's suggestion about the imageprep scan as the accepted solution, might be able to run with that. If there was something flagged on the client machine to say the scan marked the file safe / unsafe, I could possibly use that to trigger a subsequent action to admins also. I appreciate the insights from you all, thanks again.

  • 5129 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks