About dfalcon

HI @TonyTovar ,   Yes, that is correct.  If you are using Prevent, the profiling component is not part of that offering.  You have all included protections available immediately.   ... View more

Hi @jchurch -   The installer should have no bearing on the policy applied.  Please check your policy rules to ensure that machines are in the correct filter -- or that they are included.   ... View more

Hi @Bruno_Alipio -   There are several pre-reqs that must be checked off before enabling an encryption policy.  They can be found here:  https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/hardened-endpoint-security/disk-encryption-using-bitlocker.html   Since you are having issues with decryption, it is best to contact Support for assistance.   ... View more

Hi @marcelocampos    Cortex XDR is going to calculate the hash of the file and check with WildFire if a verdict is known.  If it is not known, the file (depending on config) will be uploaded for several checks:  static analysis, dynamic analysis, and possible bare metal analysis.  Once it has been analyzed, that verdict will be retained by WildFire.  From that point on, if the file is deemed malware -- your option is to whitelist the file.  If you believe that the file verdict is incorrect and you want another check, you can can submit it as an incorrect verdict.  At that point, a member of our Unit 42 team, will check even deeper.   Regardless of the verdict, if you're trying to investigate what is going on -- I would locate any alerts that are raised -- right click and analyze them.  From there, you can get a great deal of information on what was / is going on.     Hope this helps. ... View more

Hi @KRisselada-   I can see that Jacqueline escalated the case to engineering.  I will subscribe to the case as well. ... View more

Hi @KRisselada-   There very well may be adjustments to rules (analytics, bioc, etc) with each release.  For the behavior you are describing, this should not be typical.  In this instance, I recommend reaching out to support/TAC to allow our engineers to take a look.  ... View more

Sounds good.  I will try to find it and up-vote it. ... View more

Hi there-   For malware, exploits, and most threats - those are blocked immediately based on your malware / exploit profile settings under the endpoint management section.   The profiling you are referencing refers to the analytics component.  That feature is essentially learning the behavior of the environment based on the computer and user entity.  It is learning who is supposed to be doing what — it raises an alert when suspicious behavior is detected based on the behavior not matching that entity.  The profiling ranges anywhere from a few days to 4 weeks based on the collector type.      ... View more

Hi there-     Assuming you have quarantine malware enabled in your malware profile, no action is needed on your part.  If enabled, the agent will quarantine the file which means that it will encrypt the file and move it to a location that is inaccessible (left there in case it needs to be restored.)  The agent will delete the malware itself based on the quota settings specified in the agent profile.   Hope this helps. ... View more

On the malware scan log.  Same thing.  Right click on the entry within the All Actions interface and select additional data.   From there, locate the entry, right-click and select View Related Alerts.     ... View more

Right click on that entry and select Additional Data. Once in the details screen, right click on the entry in the list to download the TSF.         ... View more

Hi @SimonTan-   I would actually be happy to set up a Zoom with you to look over your configuration.  Based on your screenshot from MB, I believe that you may not have Cortex XDR configured to your needs.  For instance, in your screenshot, I see a large number of Potentially Unwanted Applications.  These are not malware.  Cortex XDR can be configured to treat these the same as malware.  On the malware side, I'd be very interested in checking into these as well.     Please let me know if you would like to set up a session.   ... View more

Hi @SimonTan-   Just curious, did you try to run these binaries or leverage a scan.  What enforcement did you specify in your profiles / policy rules?  On the malware side there are several checks: WildFire WF Static Analysis Machine Learning Dynamic Analysis Bare Metal for unknown, the local analysis should do the examination at the point of execution.   In addition to the malware prevention, Cortex XDR includes behavior threat protection, anti-ransomware, password theft protection, child process protection, and approximately 30 ways to exploitation.   If you are using a scan for dormant malware, it is not the same as having all of the different protection levels that are leveraged during point of execution.  Are you able to share any hash / artifact info for verification?     ... View more