Search and Destroy Malicious Files

To take immediate action on known and suspected malicious files, you can now search and destroy the files from the Cortex XDR management console. After you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
The Cortex XDR agent builds a local database on the endpoint with a list of all the files, including their path, hash, and additional metadata. Depending on the number of files and disk size of each endpoint, it can take a few days for Cortex XDR to complete the initial endpoint scan and to populate the files database. You cannot search an endpoint until the initial scan is complete and all file hashes are calculated. After the initial scan is complete and the Cortex XDR agent retains a snapshot of the endpoint files inventory, the agent maintains the files database by initiating periodic scans and closely monitoring all actions performed on the files.
You can search for specific files according to the file hash, the file full path, or a partial path using regex parameters from the Action Center or the Query Builder. After you find the file, you can quickly select it in the search results and destroy the file by hash or by path. You can also destroy a file from the Action Center, without performing a search, if you know the path or hash. When you destroy a file by hash, all the file instances on the endpoint are removed.
The Cortex XDR agent does not include the following in the local files inventory:
  • Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.
  • Information about files where the file size exceeds the maximum file size for hash calculations that is preconfigured in Cortex XDR.
  • If the agent settings profile on the endpoint is configured to monitor common file types only, then the local files inventory includes information about these file types only. You cannot search or destroy file types that are not included in the list of common file types.
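The inventory semantics described above, as an added example that is not Cortex XDR's own code: a small Python model that builds a path-to-SHA256 inventory, applies the two exclusion rules (oversized files and, optionally, non-common file types), then searches by hash or by wildcard path and destroys by hash. The size limit, the common-types list, and the sample files are assumed stand-ins, not the agent's real values.

```python
import fnmatch, hashlib, os, tempfile
# Assumed stand-ins for the agent's preconfigured limits, not Cortex XDR's real values.
MAX_HASH_SIZE = 64 * 1024                        # larger files are never hashed or inventoried
COMMON_TYPES = {".exe", ".dll", ".ps1", ".bat"}  # the "common file types only" profile setting

def build_inventory(root, common_types_only=False):
    """Walk root and map path -> sha256, modelling the agent's local files database."""
    inventory = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if common_types_only and os.path.splitext(name)[1].lower() not in COMMON_TYPES:
                continue  # outside the common-types list: cannot be searched or destroyed
            if os.path.getsize(path) > MAX_HASH_SIZE:
                continue  # exceeds the maximum file size for hash calculation
            with open(path, "rb") as fh:
                inventory[path] = hashlib.sha256(fh.read()).hexdigest()
    return inventory

def search_by_hash(inventory, sha256):  # every instance of the file on the endpoint
    return sorted(p for p, digest in inventory.items() if digest == sha256.lower())

def search_by_path(inventory, pattern):  # exact path, or partial path/name with * wildcards
    return sorted(p for p in inventory if fnmatch.fnmatchcase(p, pattern))

def destroy_by_hash(inventory, sha256):  # delete all instances from disk and the inventory
    removed = search_by_hash(inventory, sha256)
    for path in removed:
        os.remove(path)
        del inventory[path]
    return removed

def demo():
    root = tempfile.mkdtemp()  # constructed endpoint: two copies of one sample, a text file, an oversized ISO
    os.makedirs(os.path.join(root, "Users", "bob", "AppData"))
    sample = b"constructed test content, not malware"
    for rel in ("Users/bob/AppData/update.exe", "Users/bob/update.exe", "Users/bob/notes.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(sample if rel.endswith(".exe") else b"benign")
    with open(os.path.join(root, "Users", "bob", "disk.iso"), "wb") as fh:
        fh.write(b"\0" * (MAX_HASH_SIZE + 1))
    inv, target = build_inventory(root), hashlib.sha256(sample).hexdigest()
    return {
        "inventoried": len(inv),                           # 3: disk.iso was skipped
        "common_only": len(build_inventory(root, True)),   # 2: notes.txt is not a common type
        "by_hash": len(search_by_hash(inv, target)),       # 2 instances under different paths
        "by_path": len(search_by_path(inv, os.path.join("*", "AppData", "*.exe"))),  # 1
        "destroyed": len(destroy_by_hash(inv, target)),    # 2 removed from disk and inventory
        "remaining": len(search_by_hash(inv, target)),     # 0
    }
```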
The following are prerequisites to enable Cortex XDR to search and destroy files on your endpoints:
  • Provision an active Cortex XDR Pro per Endpoint license.
  • Verify the Cortex XDR Host Insights add-on is enabled on your tenant.
  • Ensure that your endpoints are running Cortex XDR agent 7.2 or a later release.
  • Ensure the endpoint is running a supported Windows operating system.
  • Ensure File Search and Destroy is enabled for your Cortex XDR agent.
  • Ensure your Cortex XDR role in the hub has File search and Destroy files permissions.

Search a File

You can search for files on the endpoint by file hash or file path. The search returns all instances of this file on the endpoint. You can then immediately proceed to destroy all the file instances on the endpoint, or upload the file to Cortex XDR for further investigation.
  1. From the Action Center, select +New Action > File Search.
  2. Configure the search method:
    • To search by hash, enter the file SHA256 value. When you search by hash, you can also search for deleted instances of this file on the endpoint.
    • To search by path, enter the specific path for the file on the endpoint or specify the path using wildcards. When you provide a partial path or partial file name using *, the search will return all the results that match the partial expression.
    Click Next.
  3. Select the target endpoints.
    Select the target endpoints on which you want to search for the file. Cortex XDR displays only endpoints eligible for file search. When you're done, click Next.
  4. Review the summary and initiate the search.
    Cortex XDR displays the summary of the file search action. If you need to change your settings, go Back. If all the details are correct, click Run. The File search action is added to the Action Center.
  5. Review the search results.
    In the Action Center, you can monitor the action progress in real time and view the search results for all target endpoints. For a detailed view of the results, right-click the action and select Additional data. Cortex XDR displays the search criteria, timestamp, and real-time status of the action on the target endpoints. You can:
    • View results by file (default view)—Cortex XDR displays the first 100 instances of the file from every endpoint. Each search result includes details about the endpoint (such as endpoint status, name, IP address, and operating system) and details about the file instance (such as full file name and path, hash values, and creation and modification dates).
    • View the results by endpoint—For each endpoint in the search results, Cortex XDR displays details about the endpoint (such as endpoint status, name, IP address, and operating system), the search action status, and details about the file (whether it exists on the endpoint or not, how many instances of the file exist on the endpoint, and the last time the action was updated).
    If not all endpoints in the query scope are connected or the search has not completed, the search action remains in Pending status in the Action Center.
  6. (Optional) Destroy a file.
    After you have located the malicious file instances on all your endpoints, proceed to destroy all the file instances on the endpoint. From the search results Additional data view, right-click the file to immediately Destroy by path, Destroy by hash, or Get file to upload it to Cortex XDR for further examination.

Destroy a File

When you know a file is malicious, you can destroy all its instances on your endpoints directly from Cortex XDR. You can destroy a file immediately from the File search action result, or initiate a new action from the Action Center. When you destroy a file, the Cortex XDR agent deletes all the file instances on the endpoint.
  • To destroy a file from the file search results, refer to Step 6 above.
  • To destroy a file from the Action Center wizard:
  1. From the Action Center, select +New Action > Destroy File.
  2. To destroy by hash, provide the SHA256 of the file. To destroy by path, specify the exact file path and file name. Click Next.
  3. Select the target endpoints.
    Select the target endpoints from which you want to remove the file. Cortex XDR displays only endpoints eligible for file destroy. When you're done, click Next.
  4. Review the summary and initiate the action.
    Cortex XDR displays the summary of the file destroy action. If you need to change your settings, go Back. If all the details are correct, click Run. The File destroy action is added to the Action Center.