Synopsis: Analytics alert indicates that an endpoint on your network contains grayware (riskware).
Detection Interval: 10 minutes
Training Interval: 5 successful Pathfinder scans of the entire network
Required Data: Traffic logs or Cortex XDR agent endpoint data
Severity: Varies by activity (High, Medium, or Low).

Palo Alto Networks WildFire analysis has identified a file on the endpoint as grayware (sometimes called riskware).
Grayware is detected either by Cortex XDR agents installed on endpoints or by Pathfinder analyzing network traffic.
If no Cortex XDR agent is installed on the endpoint, Pathfinder scanned it for malicious software. The scan may have been triggered automatically by anomalous network activity, or run manually by a member of your network security team, for example in response to threat intelligence they received.
The scan found a suspicious file, and Pathfinder submitted either the file itself or a signature of the file to WildFire for analysis. WildFire returned a grayware verdict.
If a Cortex XDR agent is installed on the endpoint, Cortex XDR identified the grayware from activity logged by the agent.

Attacker's Goals

Grayware is software that may or may not be malicious depending on the context in which it is used. Adware and spyware, for example, are classified as grayware because an attacker could use them to export sensitive information. Some IT tools that have legitimate uses in your enterprise are also classified as grayware because attackers can use them for lateral movement on your network. The same file can therefore warrant very different responses on different endpoints; what the software actually did on the endpoint matters more than the verdict alone.

Investigative Actions

  • Read through the WildFire report to discover details about the grayware.
  • Identify and examine the software flagged as grayware to determine if it is being used for malicious purposes. Investigate traffic generated by the grayware further in Cortex XDR.
  • Use the endpoint profile to look for suspicious artifacts indicative of malware activity.
  • In the page, look for other endpoints that are showing this alert, and investigate them as well for a possible malware infection.
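The last two actions, checking what traffic the flagged software generated and finding other endpoints carrying the same file, come down to a join between alert records and traffic records keyed on endpoint and file hash. The script below is an added example written for this page; it is not Cortex XDR code and does not use the Cortex XDR API or data model. The record fields (`endpoint`, `sha256`, `dst`, `bytes_out`), the internal address ranges, the fan-out and upload thresholds, and all hashes and hosts are constructed for illustration. It rates each endpoint's copy of the grayware by the two behaviours the section calls out: contact with many internal hosts (a lateral-movement pattern) and large outbound transfers to external addresses (possible data export).

```python
"""Grayware alert triage (added example, not Cortex XDR code).

Given alert records and per-process traffic records, list every endpoint that
raised the same grayware hash and rate each one by what the file's traffic did.
All data below is constructed; field names are assumptions for this example.
"""
import ipaddress
from collections import defaultdict

# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder hashes, not real WildFire verdict hashes.
GRAYWARE_HASH = "a" * 64   # a remote-admin tool flagged as grayware
ADWARE_HASH = "b" * 64     # an adware component flagged as grayware
BENIGN_HASH = "c" * 64     # a file WildFire rated benign (for contrast)

# Constructed alert records: one per endpoint and file verdict.
ALERTS = [
    {"endpoint": "WS-0147", "sha256": GRAYWARE_HASH, "file": "remote_admin.exe", "verdict": "grayware"},
    {"endpoint": "WS-0213", "sha256": GRAYWARE_HASH, "file": "remote_admin.exe", "verdict": "grayware"},
    {"endpoint": "WS-0388", "sha256": ADWARE_HASH, "file": "adware_helper.exe", "verdict": "grayware"},
    {"endpoint": "SRV-0020", "sha256": BENIGN_HASH, "file": "backup_agent.exe", "verdict": "benign"},
]

# Constructed traffic records attributed to the flagged process on each endpoint.
TRAFFIC = (
    # WS-0147: the admin tool touched six internal hosts over SMB in a short window.
    [{"endpoint": "WS-0147", "sha256": GRAYWARE_HASH, "dst": f"10.20.5.{i}", "dport": 445, "bytes_out": 4096}
     for i in range(10, 16)]
    # WS-0213: the same tool opened a single RDP session to one internal host.
    + [{"endpoint": "WS-0213", "sha256": GRAYWARE_HASH, "dst": "10.20.1.5", "dport": 3389, "bytes_out": 120_000}]
    # WS-0388: the adware pushed 52 MB to an external address.
    + [{"endpoint": "WS-0388", "sha256": ADWARE_HASH, "dst": "203.0.113.9", "dport": 443, "bytes_out": 52_000_000}]
)


def endpoints_by_hash(alerts):
    """Map each grayware hash to the sorted endpoints that raised an alert for it.
    Benign verdicts are ignored, so one verdict can be followed across the estate."""
    seen = defaultdict(set)
    for a in alerts:
        if a["verdict"] == "grayware":
            seen[a["sha256"]].add(a["endpoint"])
    return {h: sorted(eps) for h, eps in seen.items()}


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def assess(endpoint, sha256, traffic, fanout=5, upload_bytes=10_000_000):
    """Rate one endpoint's copy of the grayware by its own traffic.

    Thresholds are assumptions: contacting at least `fanout` distinct internal
    hosts, or sending at least `upload_bytes` externally, is rated high.
    """
    internal_dsts, external_bytes = set(), 0
    for t in traffic:
        if t["endpoint"] != endpoint or t["sha256"] != sha256:
            continue
        if is_internal(t["dst"]):
            internal_dsts.add(t["dst"])
        else:
            external_bytes += t["bytes_out"]
    reasons = []
    if len(internal_dsts) >= fanout:
        reasons.append(f"contacted {len(internal_dsts)} distinct internal hosts")
    if external_bytes >= upload_bytes:
        reasons.append(f"sent {external_bytes} bytes to external addresses")
    if reasons:
        priority = "high"
    elif external_bytes > 0:
        priority, reasons = "medium", ["external traffic below the upload threshold"]
    else:
        priority, reasons = "low", ["no external traffic and limited internal reach"]
    return {"endpoint": endpoint, "sha256": sha256, "priority": priority,
            "internal_hosts": len(internal_dsts), "external_bytes": external_bytes,
            "reasons": reasons}


def triage(alerts, traffic):
    """Assess every endpoint that raised a grayware verdict, highest priority first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [assess(ep, h, traffic)
               for h, eps in endpoints_by_hash(alerts).items() for ep in eps]
    return sorted(results, key=lambda r: (order[r["priority"]], r["endpoint"]))


if __name__ == "__main__":
    for r in triage(ALERTS, TRAFFIC):
        print(f'{r["priority"]:6} {r["endpoint"]:8} {r["sha256"][:12]}  {"; ".join(r["reasons"])}')
```

Both WS-0147 and WS-0213 carry the identical grayware hash, yet only WS-0147 is rated high, because its traffic shows the internal fan-out that turns an admin tool into a lateral-movement tool. That is the point of the section: read the WildFire report for what the file is, then let the endpoint's own activity decide the severity. When using real data, feed the script the endpoints and file hashes taken from the alert and the traffic Cortex XDR attributes to that process, and tune the thresholds to your environment.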
