Search and Destroy Malicious Files
Cortex® XDR™ enables you to effectively hunt down any identified malicious file that may exist on any of your endpoints.
To take immediate action on known and suspected malicious files, you can search and destroy the files from the Cortex XDR management console. After you identify the presence of a malicious file, you can immediately destroy the file from any or all endpoints on which the file exists.
The Cortex XDR agent builds a local database on the endpoint with a list of all the files, including their path, hash, and additional metadata. Depending on the number of files and disk size of each endpoint, it can take a few days for Cortex XDR to complete the initial endpoint scan and to populate the files database. You cannot search an endpoint until the initial scan is complete and all file hashes are calculated.
After the initial scan is complete and the Cortex XDR agent retains a snapshot of the endpoint files inventory, the agent maintains the files database by initiating periodic scans and closely monitoring all actions performed on the files.
You can search for specific files by file hash, by full file path, or by a partial path that uses the * wildcard, from the Action Center or the Query Builder. After you find the file, you can select it in the search results and destroy it by hash or by path. You can also destroy a file from the Action Center without performing a search, if you already know the path or hash. When you destroy a file by hash, all instances of the file on the endpoint are removed, whatever their paths.
The Cortex XDR agent does not include the following information in the local files inventory:
- Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.
- Information about files where the file size exceeds the maximum file size for hash calculations that is preconfigured in Cortex XDR.
- If the Agent Settings Profile on the endpoint is configured to monitor common file types only, then the local files inventory includes information about these file types only. You cannot search or destroy file types that are not included in the list of common file types.
The following are prerequisites to enable Cortex XDR to search and destroy files on your endpoints:
- Licenses and Add-ons
- Setup and Permissions
Search a File
You can search for files on the endpoint by file hash or file path. The search returns all instances of this file on the endpoint. You can then immediately proceed to destroy all the file instances on the endpoint, or upload the file to Cortex XDR for further investigation.
- From the Action Center, select + New Action > File Search.
- Configure the search method:
- To search by hash, enter the file SHA256 value. When you search by hash, you can also search for deleted instances of this file on the endpoint.
- To search by path, enter the specific path for the file on the endpoint or specify the path using wildcards. When you provide a partial path or partial file name using *, the search will return all the results that match the partial expression. Note the following limitations:
- The file path must begin with a drive name, for example: c:\.
- You must specify the exact path folder hierarchy, for example c:\users\user\file.exe. This also applies when you replace folder names with wildcards: use one wildcard for each folder in the hierarchy, for example c:\*\*\file.exe. A single * does not stand in for several folder levels.
- Select the target endpoints on which you want to search for the file. Cortex XDR displays only endpoints eligible for file search. When you are done, click Next.
- Review the summary and initiate the search. Cortex XDR displays the summary of the file search action. If you need to change your settings, go Back. If all the details are correct, click Run. The File search action is added to the Action Center.
- Review the search results. In the Action Center, you can monitor the action progress in real time and view the search results for all target endpoints. For a detailed view of the results, right-click the action and select Additional data. Cortex XDR displays the search criteria, timestamp, and real-time status of the action on the target endpoints. If not all endpoints in the query scope are connected, or the search has not completed, the search action remains in Pending status in the Action Center. You can:
- View results by file (default view): Cortex XDR displays the first 100 instances of the file from every endpoint. Each search result includes details about the endpoint (such as endpoint status, name, IP address, and operating system) and details about the file instance (such as full file name and path, hash values, and creation and modification dates).
- View the results by endpoint: for each endpoint in the search results, Cortex XDR displays details about the endpoint (such as endpoint status, name, IP address, and operating system), the search action status, and details about the file (whether it exists on the endpoint, how many instances of the file exist on the endpoint, and the last time the action was updated).
- (Optional) Destroy a file. After you have located the malicious file instances on all your endpoints, proceed to destroy all the file instances on the endpoint. From the search results' Additional data, right-click the file to immediately Destroy by path, Destroy by hash, or Get file to upload it to Cortex XDR for further examination.
Destroy a File
When you know a file is malicious, you can destroy all its instances on your endpoints directly from Cortex XDR. You can destroy a file immediately from the File search action result, or initiate a new action from the Action Center. When you destroy a file, the Cortex XDR agent deletes all the file instances on the endpoint.
- To destroy a file from the Action Center wizard:
- From the Action Center, select + New Action > Destroy File.
- To destroy by hash, provide the SHA256 of the file. To destroy by path, specify the exact file path and file name (no wildcards). Click Next.
- Select the target endpoints from which you want to remove the file. Cortex XDR displays only endpoints eligible for file destroy. When you are done, click Next.
- Review the summary and initiate the action. Cortex XDR displays the summary of the file destroy action. If you need to change your settings, go Back. If all the details are correct, click Run. The File destroy action is added to the Action Center.