07-04-2025 02:10 AM
A false positive has been detected for HelpDeskViewer.exe. Please resolve this.
File Hash: <930c1015432e568f00a8c9b68c71d015510be57a6dc1d8d76a08c8ddf22ac1c4>
Link to Virustotal report for the file: <https://www.virustotal.com/gui/file/ec9eebf141d9f9a6bfc29b7de82f39a94286f05dcc85088d1c0d6e022fd76290...>
Current VirusTotal Verdict: <Generic.ml>
Description: <RemotePC HelpDesk equips organizations with a fast and simple remote support platform to address customer queries. With HelpDesk, you can enable your technicians to remotely connect to customer PC, Mac, Linux, iOS, Android devices, and servers and offer real-time support. The technicians can also share their screen for product demonstrations, online training, etc. Technicians do not require any additional software installation to start remote support sessions.>
Website: <https://www.remotedesktop.com/remote-desktop-helpdesk/>
Please let us know if more information is required. @DaBone
07-04-2025 11:07 AM
Here's the short way to resolve the false positive for HelpDeskViewer.exe in Cortex XDR:
Problem: HelpDeskViewer.exe (RemotePC) is a legitimate tool but flagged as Generic.ml (false positive).
Solution: Create an Exclusion Policy in Cortex XDR.
Go to Security Profiles > Exclusions in Cortex XDR.
Add a new Exclusion.
Select Hash as the exclusion type.
Paste the file hash: 930c1015432e568f00a8c9b68c71d015510be57a6dc1d8d76a08c8ddf22ac1c4
Apply to relevant detection modules (e.g., Behavioral Threat Protection, Malware Security).
Assign this exclusion profile to your Security Policy.
This tells Cortex XDR to ignore this specific file by its unique identifier.
07-06-2025 10:16 PM
@Mudhireddy I do not have a Cortex XDR account.
Are there any other options for resolving this issue?
I work as a developer for HelpDesk. The false positive detection is affecting us.
Please advise further.
07-07-2025 12:55 AM
Primary and Most Effective Option: Submit a False Positive (FP) Request to Palo Alto Networks
As the software developer, you are in the best position to provide the necessary information to Palo Alto Networks (the vendor of Cortex XDR) to have their detection engine updated.
Gather All Relevant Information (You've already done much of this!):
File Name: HelpDeskViewer.exe
File Hash (SHA256): 930c1015432e568f00a8c9b68c71d015510be57a6dc1d8d76a08c8ddf22ac1c4
Product Name: RemotePC HelpDesk
Description of your software's function: (You provided this: "RemotePC HelpDesk equips organizations...")
Official Website: https://www.remotedesktop.com/remote-desktop-helpdesk/
VirusTotal Link: https://www.virustotal.com/gui/file/ec9eebf141d9f9a6bfc29b7de82f39a94286f05dcc85088d1c0d6e022fd76290...
Current VirusTotal Verdict: Generic.ml (or any other specific engine detections)
Digital Signature Information: This is CRUCIAL. Provide details about your code signing certificate (signer name, issuer, timestamp). This proves the file's authenticity. If your software is not signed, that should be a priority for your team.
Context: Explain that this is a legitimate remote access tool, and these types of tools sometimes get flagged due to their capabilities.
Locate Palo Alto Networks' False Positive Submission Portal/Process:
Palo Alto Networks usually has a dedicated portal or email address for submitting false positives for their security products (WildFire, Cortex XDR, Threat Prevention).
A good starting point would be their support portal or public website. Search for "Palo Alto Networks false positive submission" or "WildFire false positive."
Try this link: Often, false positives for WildFire (which feeds Cortex XDR and Threat Prevention) can be submitted through the WildFire portal: https://wildfire.paloaltonetworks.com/wildfire/submit
You might need to create a basic account or use a public submission option.
Clearly state it's a false positive in the comments.
Submit the Sample and Information:
Follow the instructions on their portal to submit the HelpDeskViewer.exe file.
Crucially, in the submission notes/comments, provide ALL the information you've given me. Explain that it's a legitimate application, describe its purpose, include the website, and especially highlight that it's digitally signed (if it is) and by whom. Request that it be whitelisted.
Follow Up:
Keep a record of your submission. You might receive a case number.
If you don't hear back within a reasonable timeframe (e.g., a few business days), you might try to follow up through their general support channels, referencing your submission details.
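An added example (not written by the thread's participants or by Palo Alto Networks): a PowerShell function that collects the SHA256 and code-signing details the reply above lists for a false-positive report, and confirms that the file on disk matches the hash being reported or excluded. The function name `Get-FalsePositiveEvidence`, its output field names and the local file path are assumptions of this example.

```powershell
# Added example: gather hash and Authenticode details for a false-positive report.
# Function name and output field names are hypothetical, chosen for this example.
function Get-FalsePositiveEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA256 you intend to report or exclude; compared with the file on disk.
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    $expected = $ExpectedSha256.Trim().ToLowerInvariant()
    if ($expected -notmatch '^[0-9a-f]{64}$') {
        throw 'ExpectedSha256 is not a 64-character hexadecimal SHA256 value.'
    }

    $file   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

    # Authenticode details: signer, issuer and timestamp authority.
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = $sig.SignerCertificate
    $tsa    = $sig.TimeStamperCertificate

    [pscustomobject]@{
        FileName         = $file.Name
        Sha256           = $actual
        HashMatches      = ($actual -eq $expected)
        SignatureStatus  = $sig.Status.ToString()   # 'Valid', 'NotSigned', 'HashMismatch', ...
        SignerSubject    = if ($signer) { $signer.Subject } else { $null }
        SignerIssuer     = if ($signer) { $signer.Issuer } else { $null }
        SignerThumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        TimestampedBy    = if ($tsa) { $tsa.Subject } else { $null }
    }
}

# Usage with the hash quoted in this thread; the local path is an assumption.
$sample = '.\HelpDeskViewer.exe'
if (Test-Path -LiteralPath $sample) {
    $evidence = Get-FalsePositiveEvidence -Path $sample `
        -ExpectedSha256 '930c1015432e568f00a8c9b68c71d015510be57a6dc1d8d76a08c8ddf22ac1c4'
    if (-not $evidence.HashMatches) {
        Write-Warning 'File on disk does not match the hash being reported or excluded.'
    }
    if ($evidence.SignatureStatus -ne 'Valid') {
        Write-Warning "Authenticode status is $($evidence.SignatureStatus); do not exclude until resolved."
    }
    $evidence | Format-List
}
```

A hash exclusion or false-positive report should only go ahead when `HashMatches` is true and `SignatureStatus` is `Valid` with the expected signer.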
07-07-2025 02:44 AM
@Mudhireddy Thank you for your explanation and steps.
I logged into the WildFire portal but couldn't find any instructions for submitting the file as a false positive.
@DaBone used to solve the problem when I shared the application information. Could you please offer the same resolution?
07-07-2025 11:42 AM
Here are the general steps to submit a file to WildFire and mark it as a potential false positive (or benign sample):
Log in to the WildFire Portal:
Go to the official WildFire portal URL: https://wildfire.paloaltonetworks.com
Log in with your Palo Alto Networks support account credentials.
Navigate to the File Submission Section:
Once logged in, look for options like "Submissions," "Upload," "Analyze," or a similar button/menu item.
Often, there's a prominent "Upload File" or "Submit File" button on the main dashboard.
Upload the File:
Click on the submission option.
You will typically be presented with an interface to either drag and drop your file or browse your computer to select the file you wish to submit.
Select the file you believe is a false positive.
Mark as False Positive/Provide Context:
This is the crucial step for false positives. After selecting the file, before final submission, there should be options to provide more context.
Look for fields like:
"Analysis Reason" / "Submission Purpose": Select "False Positive" or "Benign Sample" if these options are available.
"Comments" / "Description": This is very important. Provide as much detail as possible here. Explain:
Why you believe it's a false positive.
What the application is, what it does.
Where it came from.
Any specific hashes (MD5, SHA256) if you have them.
Any unusual behavior observed that led to the detection, and why you believe it's legitimate.
"Tags": You might be able to add tags like "FalsePositive," "LegitimateApp," etc.
Submit the File:
Review all the information you've provided.
Click the "Submit" or "Analyze" button to upload the file to WildFire.
Monitor Status:
After submission, you will usually get a submission ID and can track the analysis status in the "My Submissions" or "Submissions History" section of the portal.
WildFire will re-analyze the file, and if they confirm it's a false positive, they will update their signatures. This process can take some time.
If you're still having trouble finding these specific options within the WildFire portal, please describe what you are seeing on the submission page, and I can try to guide you more precisely.
07-07-2025 01:59 PM
Hello,
Please note there is no SLA on this forum. We do this as a courtesy for non-customers. Also, Friday, when you posted your first comment, was a holiday in the US.
I have submitted this file for review.