Search and Destroy Malicious Files - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-12-04
Category: Administrator Guide
Status: Retiring (new documentation: /r/Cortex-XDR/Cortex-XDR-Documentation)
Abstract

Cortex XDR enables you to effectively hunt down any identified malicious file that may exist on any of your endpoints.

To take immediate action on known and suspected malicious files, you can search and destroy the files. After you identify the presence of a malicious file, you can immediately destroy the file from any or all endpoints on which the file exists.

The agent builds a local database on the endpoint with a list of all the files, including their path, hash, and additional metadata. Depending on the number of files and disk size of each endpoint, it can take a few days for Cortex XDR to complete the initial endpoint scan and populate the files database. You cannot search an endpoint until the initial scan is complete and all file hashes are calculated.

After the initial scan is complete and the agent retains a snapshot of the endpoint files inventory, the agent maintains the files database by initiating periodic scans and closely monitoring all actions performed on the files.

You can search for specific files according to the file hash, the file full path, or a partial path using regex parameters from the Action Center or the Query Builder. After you find the file, you can quickly select it in the search results and destroy the file by hash or by path. You can also destroy a file from the Action Center, without performing a search, if you know the path or hash. When you destroy a file by hash, all the file instances on the endpoint are removed.

You can validate a hash against VirusTotal and WildFire to provide additional context before initializing the File Destroy action.

Note

The Cortex XDR agent does not include the following information in the local files inventory.

  • Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.

  • Information about files whose size exceeds the maximum file size for hash calculation that is pre-configured in Cortex XDR.

  • If the Agent Settings Profile on the endpoint is configured to monitor common file types only, then the local files inventory includes information about these file types only. You cannot search or destroy file types that are not included in the list of common file types.

The following are prerequisites to enable Cortex XDR to search and destroy files on your endpoints:

Licenses and Add-ons

  • Provision an active Cortex XDR Pro per Endpoint license.

  • Ensure the Hosts Endpoint license is enabled on your tenant.

  • Ensure that the Host Insights add-on is enabled on your tenant.

Supported Platforms

  • Windows—Cortex XDR agent 7.2 or a later release. If you plan to enable Search and Destroy on VDI sessions, you must perform the initial scan on the Golden Image.

  • Mac—Cortex XDR agent 7.3 or a later release running on macOS 10.15.4 or a later release.

  • Linux—Not supported.

Setup and Permissions

Search a File

You can search for files on the endpoint by file hash or file path. The search returns all instances of this file on the endpoint. You can then immediately proceed to destroy all the file instances on the endpoint or upload the file to Cortex XDR for further investigation.

You can search for a file using the Query Builder or XQL Search, or use the Action Center wizard as described in the following workflow.

  1. From the Action Center select +New Action File Search.

  2. Configure the search method:

    • To search by hash, enter the file SHA256 value. When you search by hash, you can also search for deleted instances of this file on the endpoint.

    • To search by path, enter the specific path for the file on the endpoint or specify the path using wildcards. When you provide a partial path or partial file name using *, the search will return all the results that match the partial expression. Note the following limitations:

      • The file path must begin with a drive name, for example: c:\.

      • You must specify the exact path folder hierarchy, for example c:\users\user\file.exe. You must specify the exact path folder hierarchy also when you replace folder names with wildcards, by using a wildcard for each folder in the hierarchy. For example, c:\*\*\file.exe.

    Click Next.

  3. Select the target endpoints.

    Select the target endpoints on which you want to search for the file. Cortex XDR displays only endpoints eligible for file search. When you’re done, click Next.

  4. Review the summary and initiate the search.

    Cortex XDR displays the summary of the file search action. If you need to change your settings, go Back. If all the details are correct, click Run. The File search action is added to the Action Center.

  5. Review the search results.

    In the Action Center, you can monitor the action progress in real-time and view the search results for all target endpoints. For a detailed view of the results, right-click the action and select Additional data. Cortex XDR displays the search criteria, timestamp, and real-time status of the action on the target endpoints. You can:

    • View results by file (default view)—Cortex XDR displays the first 100 instances of the file from every endpoint. Each search result includes details about the endpoint (such as endpoint status, name, IP address, and operating system) and details about the file instance (such as full file name and path, hash values, and creation and modification dates).

    • View the results by endpoint—For each endpoint in the search results, Cortex XDR displays details about the endpoint (such as endpoint status, name, IP address, and operating system), the search action status, and details about the file (whether it exists on the endpoint or not, how many instances of the file exist on the endpoint, and the last time the action was updated).

    If not all endpoints in the query scope are connected or the search has not completed, the search action remains in Pending status in the Action Center.

  6. (Optional) Destroy a file.

    After you have located the malicious file instances on all your endpoints, proceed to destroy all the file instances on the endpoint (see Destroy a File). From the search results Additional data, right-click the file to immediately Destroy by path, Destroy by hash, or Get file to upload it to Cortex XDR for further examination.
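The following Python model is an added example, not Cortex XDR or Palo Alto Networks code. It implements the rules this page states for the local files inventory (a per-endpoint list of path, SHA256 and size, with oversized files left unhashed) and for the search wizard's path matching in step 2 (the path must begin with a drive name, and a `*` stands in for one folder or file name, so the folder hierarchy depth must match), plus destroy-by-hash removing every instance. The size-cap value, the sample endpoint contents and every function name are assumptions for illustration; the agent's real database format and matching engine are not documented here.

```python
"""Illustrative model of the file inventory behind Search and Destroy.

Added example, not Cortex XDR or Palo Alto Networks code. It follows the
rules stated in the guide: an inventory of path + SHA256 per endpoint
(files above a size cap are not hashed), search by SHA256 or by a wildcard
path that must start with a drive name and whose '*' matches one folder or
file name only, and destroy-by-hash removing every instance on the endpoint.
"""
import hashlib
import re
from dataclasses import dataclass

# Assumed cap: the guide says oversized files are not hashed but gives no value.
MAX_HASH_SIZE = 1024 * 1024


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str
    size: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory(endpoint_files):
    """Build the inventory from a {path: bytes} map (a constructed stand-in
    for the endpoint's disk). Files over the cap get no record, which is why
    they can be neither searched nor destroyed."""
    records = []
    for path, data in endpoint_files.items():
        if len(data) > MAX_HASH_SIZE:
            continue
        records.append(FileRecord(path, sha256_hex(data), len(data)))
    return records


_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def is_valid_search_path(pattern: str) -> bool:
    """First limitation in the guide: the path must begin with a drive name."""
    return bool(_DRIVE_RE.match(pattern))


def pattern_to_regex(pattern: str):
    """Turn a search path into a regex. Each '*' becomes a class that excludes
    the backslash, so it matches within one folder or file name and never
    across folders; the number of segments is therefore fixed by the pattern."""
    if not is_valid_search_path(pattern):
        raise ValueError("file path must begin with a drive name, e.g. c:\\")
    segments = [re.escape(seg).replace(r"\*", r"[^\\]*")
                for seg in pattern.split("\\")]
    return re.compile("^" + r"\\".join(segments) + "$", re.IGNORECASE)


def search_by_hash(inventory, sha256: str):
    """All instances of the file on the endpoint, whatever their path."""
    return [r for r in inventory if r.sha256 == sha256.lower()]


def search_by_path(inventory, pattern: str):
    rx = pattern_to_regex(pattern)
    return [r for r in inventory if rx.match(r.path)]


def destroy_by_hash(inventory, sha256: str):
    """Remove every instance with this hash. Returns (remaining, destroyed)."""
    destroyed = search_by_hash(inventory, sha256)
    remaining = [r for r in inventory if r.sha256 != sha256.lower()]
    return remaining, destroyed


# Constructed sample endpoint contents (not real malware and not real hashes).
SAMPLE_ENDPOINT = {
    r"c:\users\alice\downloads\invoice.exe": b"MZ-sample-A",
    r"c:\users\bob\desktop\invoice.exe": b"MZ-sample-A",   # second instance
    r"c:\users\bob\desktop\notes.txt": b"benign notes",
    r"c:\windows\temp\big.iso": b"x" * (MAX_HASH_SIZE + 1),  # over the cap
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_ENDPOINT)
    bad = sha256_hex(b"MZ-sample-A")
    print("by hash:", [r.path for r in search_by_hash(inv, bad)])
    print("by path:", [r.path for r in search_by_path(inv, r"c:\*\*\*\invoice.exe")])
    print("wrong depth:", search_by_path(inv, r"c:\*\invoice.exe"))
    remaining, gone = destroy_by_hash(inv, bad)
    print("destroyed:", len(gone), "remaining:", [r.path for r in remaining])
```

Running the script shows the two behaviours the guide calls out: `c:\*\*\*\invoice.exe` finds both instances because the pattern has the same number of folders as the files, while `c:\*\invoice.exe` finds nothing, and the oversized `big.iso` never enters the inventory, so no search or destroy action can reach it.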

Destroy a File

When you know a file is malicious, you can destroy all its instances on your endpoints directly from Cortex XDR. You can destroy a file immediately from the File search action result, or initiate a new action from the Action Center. When you destroy a file, the Cortex XDR agent deletes all the file instances on the endpoint.

  • To destroy a file from the file search results, go to step 6 above.

  • To destroy a file from the Action Center wizard, follow these steps:

  1. From the Action Center select +New Action Destroy File.

  2. To destroy by hash, provide the SHA256 of the file. To destroy by path, specify the exact file path and file name. Click Next.

  3. Select the target endpoints.

    Select the target endpoints from which you want to remove the file. Cortex XDR displays only endpoints eligible for file destroy. When you’re done, click Next.

  4. Review the summary and initiate the action.

    Cortex XDR displays the summary of the file destroy action. If you need to change your settings, go Back. If all the details are correct, click Run. The File destroy action is added to the Action Center.