Malware

The Cortex XDR – Analytics Malware alert indicates that a file has been identified as malware.

Synopsis

10 minutes.
5 successful Pathfinder scans of the entire network.
None.
None.
Traffic logs or (optional) Traps agents installed on endpoints.
Execution.

Description

A file has been identified by Palo Alto Networks WildFire as malware.
Malware is detected by Traps agents installed on endpoints, or by Pathfinder analyzing network traffic.
If Traps is not installed, one of several symptoms caused Pathfinder to scan an endpoint for malicious software. Anomalous network activity might have caused Pathfinder to scan the endpoint automatically, or a symptom such as threat intelligence received by your network security team might have led a member of your team to run a manual scan of the endpoint. During the scan, Pathfinder discovered a suspicious file and sent either the file itself or a file signature (hash) to Palo Alto Networks WildFire for analysis. WildFire responded that the file is malware.
If a Traps agent is installed on the endpoint, activity logged by Traps has been identified by Cortex XDR – Analytics as possibly generated by malware, and the file's verdict can be verified in WildFire.
Pathfinder does not send the file itself to WildFire for analysis if you turned that option off on the Pathfinder configuration page.
If the malware is already known to WildFire, the alert includes the malware name; see the Malware detection bullet under Alert Description for this information. If the file was not previously known to WildFire, the alert indicates that WildFire identified it as malware by running the file in the WildFire sandbox.
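The hash-first flow described above (look up the file signature, submit the file only when WildFire has never seen it, honor the "do not send files" setting), as an added example. This is not Palo Alto Networks code: the endpoint URLs, form fields and verdict codes follow the public WildFire API documentation, the XML responses below are constructed rather than captured, and nothing is sent over the network.

```python
import hashlib
import xml.etree.ElementTree as ET

# Verdict codes returned by the WildFire public API get/verdict call, as
# documented for the public API. Check them against your WildFire version.
WILDFIRE_VERDICTS = {
    0: "benign",
    1: "malware",
    2: "grayware",
    4: "phishing",
    5: "C2",
    -100: "pending",        # sample submitted, analysis not finished
    -101: "error",
    -102: "unknown",        # WildFire has never seen this hash
    -103: "invalid hash",
}

# Public API endpoints (assumed from the WildFire API documentation).
WILDFIRE_VERDICT_URL = "https://wildfire.paloaltonetworks.com/publicapi/get/verdict"
WILDFIRE_SUBMIT_URL = "https://wildfire.paloaltonetworks.com/publicapi/submit/file"


def file_sha256(data: bytes) -> str:
    """The file signature that can be sent to WildFire instead of the file."""
    return hashlib.sha256(data).hexdigest()


def verdict_request(api_key: str, sha256: str) -> dict:
    """Form fields for a hash-only verdict lookup. Nothing is sent here."""
    return {"url": WILDFIRE_VERDICT_URL, "data": {"apikey": api_key, "hash": sha256}}


def parse_verdict(xml_text: str) -> dict:
    """Parse a get/verdict response into the hash, numeric code and its name."""
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("response has no get-verdict-info element")
    code = int(info.findtext("verdict", default="-101"))
    return {
        "sha256": (info.findtext("sha256") or "").lower(),
        "code": code,
        "verdict": WILDFIRE_VERDICTS.get(code, "unrecognized"),
    }


def next_step(verdict: dict, send_file_enabled: bool = True) -> str:
    """What the hash-first flow does with a verdict.

    alert      - WildFire already knows the file and calls it malware
    submit     - hash unknown; upload the file for sandbox analysis
    no-verdict - hash unknown but sending files to WildFire is turned off
    wait       - a submitted sample is still being analysed
    error      - lookup failed or the hash was rejected
    review     - non-benign verdict that is not "malware" (grayware etc.)
    no-alert   - benign
    """
    code = verdict["code"]
    if code == 1:
        return "alert"
    if code == -102:
        return "submit" if send_file_enabled else "no-verdict"
    if code == -100:
        return "wait"
    if code < 0:
        return "error"
    if code in (2, 4, 5):
        return "review"
    return "no-alert"


# Constructed sample file and responses (not a real malicious file, not
# captured WildFire output): one hash WildFire knows, one it has never seen.
SAMPLE_BYTES = b"constructed sample, not a real malicious file"
SAMPLE_HASH = file_sha256(SAMPLE_BYTES)
SAMPLE_KNOWN_MALWARE = f"""<wildfire>
  <get-verdict-info>
    <sha256>{SAMPLE_HASH}</sha256>
    <verdict>1</verdict>
  </get-verdict-info>
</wildfire>"""
SAMPLE_UNKNOWN = SAMPLE_KNOWN_MALWARE.replace("<verdict>1<", "<verdict>-102<")


def demo(api_key: str = "REDACTED") -> dict:
    """Run both constructed cases through the flow and return the decisions."""
    known = parse_verdict(SAMPLE_KNOWN_MALWARE)
    unknown = parse_verdict(SAMPLE_UNKNOWN)
    return {
        "request": verdict_request(api_key, SAMPLE_HASH)["data"]["hash"],
        "known": next_step(known),
        "unknown_send_on": next_step(unknown),
        "unknown_send_off": next_step(unknown, send_file_enabled=False),
    }


if __name__ == "__main__":
    print(demo())
```

The `no-verdict` branch is the practical consequence of the configuration caveat above: with file submission turned off, a file WildFire has never seen can only be matched by hash, so it gets no verdict from this path and the alert would not be raised on that basis.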

Attacker's Goals

Malware is malicious software used by attackers for a variety of purposes. It is often used for automated, broad, non-targeted attacks. It can also be controlled remotely, so an attacker can use it to pursue their goals at any stage of the attack lifecycle.

Investigative Actions

  • Read through the WildFire report to discover details about the malware.
  • Use the endpoint profile to look for suspicious artifacts indicative of malware activity.
  • Investigate site traffic generated by the detected malware with Cortex XDR – Investigation and Response.
  • In the Triage page, look for other endpoints that are showing this alert, and investigate them as well for a possible malware infection.
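The last two actions, finding the traffic and the other endpoints tied to the same file, as an added triage example. This is not Cortex XDR code and does not use its API; the alert records are constructed and their field names (endpoint, sha256, verdict, malware_name, detected_by) are assumed stand-ins for what the Triage page lists.

```python
from collections import defaultdict

# Constructed alert records (not real Cortex XDR output). An absent
# malware_name models the case where WildFire did not know the file and
# convicted it in the sandbox instead.
CONSTRUCTED_ALERTS = [
    {"endpoint": "ws-101", "sha256": "a" * 64, "verdict": "malware",
     "malware_name": "Trojan.Generic", "detected_by": "traps"},
    {"endpoint": "ws-117", "sha256": "a" * 64, "verdict": "malware",
     "malware_name": "Trojan.Generic", "detected_by": "pathfinder"},
    {"endpoint": "srv-02", "sha256": "b" * 64, "verdict": "malware",
     "malware_name": None, "detected_by": "pathfinder"},
    {"endpoint": "ws-101", "sha256": "c" * 64, "verdict": "benign",
     "malware_name": None, "detected_by": "traps"},
    {"endpoint": "ws-130", "sha256": "a" * 64, "verdict": "malware",
     "malware_name": "Trojan.Generic", "detected_by": "traps"},
]


def malware_alerts(alerts):
    """Only records WildFire convicted; benign lookups are noise for triage."""
    return [a for a in alerts if a["verdict"] == "malware"]


def endpoints_by_hash(alerts):
    """Map each convicted SHA-256 to the set of endpoints that raised it."""
    out = defaultdict(set)
    for a in malware_alerts(alerts):
        out[a["sha256"]].add(a["endpoint"])
    return dict(out)


def related_endpoints(alerts, sha256, current_endpoint):
    """Other endpoints showing the same file; these get investigated too."""
    return sorted(endpoints_by_hash(alerts).get(sha256, set()) - {current_endpoint})


def triage_summary(alerts, sha256):
    """One view of a file across the fleet: who has it, how it was found,
    and whether WildFire already had a name for it."""
    hits = [a for a in malware_alerts(alerts) if a["sha256"] == sha256]
    names = sorted({a["malware_name"] for a in hits if a["malware_name"]})
    return {
        "endpoints": sorted({a["endpoint"] for a in hits}),
        "sources": sorted({a["detected_by"] for a in hits}),
        # A name means WildFire knew the file; no name means a sandbox verdict.
        "known_to_wildfire": bool(names),
        "malware_names": names,
    }


if __name__ == "__main__":
    print(related_endpoints(CONSTRUCTED_ALERTS, "a" * 64, "ws-101"))
    print(triage_summary(CONSTRUCTED_ALERTS, "b" * 64))
```

Endpoints that reached the list only through a Pathfinder network detection are worth a closer look: without a Traps agent there is no local activity log to pivot on, so the network traffic the malware generated is the main evidence available there.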

Related Documentation