- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-17-2020 09:30 PM
Hello
i see alert malware in incident report . how i can delete malware from Cortex XDR admin portal.
Agent version 7.0.2
07-21-2020 03:35 PM
hello @PKhemarith perhaps I am not understanding your question or task requirement, but is this what is being asked?
"Retrive Files from an Endpoint"
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...
I found the above in the Cortex XDR Pro Administrators Guide
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin.html
07-21-2020 04:31 PM
Hi there-
Assuming you have quarantine malware enabled in your malware profile, no action is needed on your part. If enabled, the agent will quarantine the file which means that it will encrypt the file and move it to a location that is inaccessible (left there in case it needs to be restored.) The agent will delete the malware itself based on the quota settings specified in the agent profile.
Hope this helps.
02-18-2022 08:09 AM - edited 02-18-2022 08:54 AM
Similar to above question is there a equivalent Palo Cortex tool as below from Microsoft ?
Also if we do not have Quarantine = Yes then does the file stay infected or is it cleaned and left there ?
Also unable to understand the link between the question and ' quota settings specified in the agent profile' ? How is it related ?
Overall I see Cortex talks of always protection ( blocking ) and Quarantine , so what about cleaning a infected file ?
02-21-2022 07:25 PM
Hi @Balaraju, quarantined files will need to be unquarantined manually.
The process of "cleaning a file" is very subjective. The file could be malicious by nature, or can be affected by a malicious process, among others. An example of that would be a ransomware attack. While the ransomware file is malicious and needs to be removed from the host, files affected by the ransomware are encrypted on disk and needs a decryption key for "restoring". The process of "cleaning" ensures a complete disk-wipe, and additional investigative and forensic activities to understand the limit of attack, exposure and compromise while figuring out the remediation plan including restoring from backups and enforcing stricter security controls to prevent such activities. This requires human intervention and analysis.
02-21-2022 10:02 PM
Hi @SimonTan how about leveraging the existing capabilities of XDR to search and delete a file? Take a look at https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...
If you don't have Host Insights, you can write your own custom Python script for search files by names or hashes and delete them. See it here: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!