About YAlhazmi

Hello everyone,   We have, many times, received alerts with cryptic names like heuristic.agb.4477 or heuristic.b.346. Imho, creating a support case and waiting for a response is inefficient. Also, expecting us to blindly accept the support engineer response on whether that is a FP or not is not acceptable. Additionally, sometimes, we work with developers and our in-house applications get flagged. We can't advice developers on how to alter the behavior of their applications if we don't have enough information. Further, in our experience, support is not always as useful as expected. Sometimes the support engineer answer is more cryptic than the alert itself. Sometimes, explaining the issue takes too much back-and-forth discussions that take too much time and effort.   Therefore, we digged a bit deeper into the logs and found out that we can read for ourselves what these cryptic names mean. To find out, download the alert data to your machine, then open the file Logs\trapsd.log. In that file, search for the cryptic alert name and you will be able to read the description of what it means. For example, one alert had the following description a heuristic behavior that process created an exe file inside a system directory which isn't a subdir,copied itself,process relaunched itself,unsigned process was created,process launched external cmd. Another alert meant "suspicious Powershell AMSI string", and so on.   We are considering making our own internal DB of these descriptions so investigators can immediately take action, instead of waiting for PAN support responses.    I am sharing this with the community because I saw multiple questions about this and most answers were a variation of "talk to support". ... View more

Hello everyone,   We have seen this alert triggering more often since last week for different causes. For example, we have an in-house developed application that launches chrome and Cortex triggers the rule: virtual_protect_hide_rwx based on this action. Any ideas if this was added lately?   The reason why it triggers on opening chrome is because the chrome process will do some memory injections itself. ... View more

Hello Everyone,   Does anyone know where I find more information about this bug:  CPATR-10685? We reported an issue where if the malware scan is running a dll cannot be loaded twice because Cortex XDR will block it and were given this bug number, but I cannot find it anywhere in the known or addressed issues.   The fact that a dll is only allowed to be accessed ONCE during a malware scan means that if a developer or automated build process build an application twice while the malware scan is running, the builds will fail because Cortex is locking the files. This is really disrupting our production.         Kind regards, Yasser ... View more

Hey everyone,   We are trying to whitelist a bulk of hashes using the Cortex XDR API (because the UI isn't working, we have an open case with support). The request always return the same error:     400 Bad CSRF Token Access is denied. This server can not verify that your cross-site request forgery token belongs to your login session. Either you supplied the wrong cross-site request forgery token or your session no longer exists. This may be due to session timeout or because browser is not supplying the credentials required, as can happen when the browser has cookies turned off. check_csrf_token(): Invalid token   This error ONLY shows up when we attempt to whitelist hashes. We can retrieve incidents and alerts using the same code (and hence same API key and ID) without any problem. The image below shows that it has key should be able to update the allow list.     The url: "https://api-{domain}/public_api/v1/hash_exceptions/allow_list/"   Any ideas are appreciated!   P.S. This is the error from the UI   ... View more