Search and Destroy Malicious Files
To take immediate action on known and suspected malicious files, you can search for
them and destroy them from the Cortex XDR management console. After you identify the
presence of a file, you can destroy it on any or all endpoints on which it exists.
The Cortex XDR agent builds a local
database on the endpoint with a list of all the files, including
their path, hash, and additional metadata. Depending on the number
of files and disk size of each endpoint, it can take a few days
for Cortex XDR to complete the initial endpoint scan and to populate
the files database. You cannot search an endpoint until the initial
scan is complete and all file hashes are calculated. After the initial
scan is complete and the Cortex XDR agent retains a snapshot of
the endpoint files inventory, the agent maintains the files database
by initiating periodic scans and closely monitoring all actions
performed on the files.
You can search for specific files
according to the file hash, the file full path, or a partial path
using regex parameters from the Action Center or the Query Builder.
After you find the file, you can quickly select it in the search
results and destroy the file by hash or by path. You can also destroy
a file from the Action Center, without performing a search, if you
know the path or hash. When you destroy a file by hash, all the
file instances on the endpoint are removed.
The local files inventory built by the Cortex XDR agent does not include the following:
- Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.
- Information about files where the file size exceeds the maximum file size for hash calculations that is preconfigured in Cortex XDR.
- If the Agent Settings Profile on the endpoint is configured to monitor common file types only, then the local files inventory includes information about these file types only. You cannot search or destroy file types that are not included in the list of common file types.
The following are prerequisites to enable Cortex XDR to search and destroy files on your endpoints:

Requirement | Description |
---|---|
Licenses and Add-ons | |
Supported Platforms | |
Setup and Permissions | |
Search a File
You can search for files on the endpoint by
file hash or file path. The search returns all instances of this
file on the endpoint. You can then immediately proceed to destroy
all the file instances on the endpoint, or upload the file to Cortex
XDR for further investigation.
- To search for a file from the Query Builder, create a query using Native Search for Finding Files.
- To search for a file from the Action Center wizard:
  1. From the Action Center, select + New Action > File Search.
  2. Configure the search method and click Next:
     - To search by hash, enter the SHA256 value of the file. When you search by hash, you can also search for deleted instances of the file on the endpoint.
     - To search by path, enter the full path of the file on the endpoint, or specify the path using wildcards. When you provide a partial path or partial file name using `*`, the search returns all results that match the partial expression. Note the following limitations:
       - The file path must begin with a drive name, for example `c:\`.
       - You must specify the exact folder hierarchy of the path, for example `c:\users\user\file.exe`. This also applies when you replace folder names with wildcards: use one wildcard for each folder in the hierarchy, for example `c:\*\*\file.exe`.
  3. Select the target endpoints on which you want to search for the file. Cortex XDR displays only endpoints that are eligible for file search. When you're done, click Next.
  4. Review the summary and initiate the search. Cortex XDR displays the summary of the file search action. If you need to change your settings, go Back. If all the details are correct, click Run. The File search action is added to the Action Center.
  5. Review the search results. In the Action Center, you can monitor the progress of the action in real time and view the search results for all target endpoints. For a detailed view of the results, right-click the action and select Additional data. Cortex XDR displays the search criteria, timestamp, and real-time status of the action on the target endpoints. You can:
     - View results by file (default view): Cortex XDR displays the first 100 instances of the file from every endpoint. Each search result includes details about the endpoint (such as endpoint status, name, IP address, and operating system) and details about the file instance (such as full file name and path, hash values, and creation and modification dates).
     - View results by endpoint: for each endpoint in the search results, Cortex XDR displays details about the endpoint (such as endpoint status, name, IP address, and operating system), the search action status, and details about the file (whether it exists on the endpoint, how many instances of the file exist on the endpoint, and the last time the action was updated).

     If not all endpoints in the query scope are connected, or the search has not completed, the search action remains in Pending status in the Action Center.
  6. (Optional) Destroy a file. After you have located the malicious file instances on your endpoints, you can destroy all instances of the file on the endpoint. In the Additional data view of the search results, right-click the file and select Destroy by path, Destroy by hash, or Get file to upload it to Cortex XDR for further examination.
Destroy a File
When you know a file is malicious, you can
destroy all its instances on your endpoints directly from Cortex
XDR. You can destroy a file immediately from the File search action result,
or initiate a new action from the Action Center. When you destroy
a file, the Cortex XDR agent deletes all the file instances on the
endpoint.
- To destroy a file from the file search results, refer to step 6 of Search a File above.
- To destroy a file from the Action Center wizard:
  1. From the Action Center, select + New Action > Destroy File.
  2. To destroy by hash, provide the SHA256 of the file. To destroy by path, specify the exact file path and file name. Click Next.
  3. Select the target endpoints from which you want to remove the file. Cortex XDR displays only endpoints that are eligible for file destroy. When you're done, click Next.
  4. Review the summary and initiate the action. Cortex XDR displays the summary of the file destroy action. If you need to change your settings, go Back. If all the details are correct, click Run. The File destroy action is added to the Action Center.
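The search and destroy semantics described in the two procedures above (a path pattern that must start with a drive name and spell out every folder level, a hash search that also reports deleted instances, a file above the hash-size cap that is inventoried without a hash, and a destroy by hash that removes every instance on every targeted endpoint) are modelled in the following Python script. It is an added example, not Cortex XDR agent or API code: the in-memory inventory, the lowercase path normalisation, the 1 MiB hash cap, and the host names, paths and file contents are all assumptions constructed for the illustration.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed size cap for hash calculation; the real cap is preconfigured in Cortex XDR.
MAX_HASH_BYTES = 1024 * 1024

_DRIVE_PREFIX = re.compile(r"^[a-z]:\\", re.IGNORECASE)


@dataclass
class FileRecord:
    endpoint: str
    path: str
    size: int
    sha256: Optional[str]   # None when the file was too large to hash
    deleted: bool = False   # kept in the inventory so a hash search can still report it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_file(inventory: List[FileRecord], endpoint: str, path: str,
             content: bytes, deleted: bool = False) -> FileRecord:
    """Record a file the way an endpoint-side inventory would: path, size and hash."""
    digest = sha256_hex(content) if len(content) <= MAX_HASH_BYTES else None
    rec = FileRecord(endpoint, path.lower(), len(content), digest, deleted)
    inventory.append(rec)
    return rec


def path_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a console-style path pattern into a regex.

    '*' matches only within one folder or file name, so every level of the
    hierarchy must be spelled out (c:\\*\\*\\file.exe), and the pattern must
    begin with a drive name.
    """
    if not _DRIVE_PREFIX.match(pattern):
        raise ValueError("path must begin with a drive name, for example c:\\")
    components = []
    for component in pattern.split("\\"):
        # Escape literal text; each '*' may match anything except a path separator.
        components.append(r"[^\\]*".join(re.escape(seg) for seg in component.split("*")))
    return re.compile("^" + r"\\".join(components) + "$", re.IGNORECASE)


def search_by_path(inventory: List[FileRecord], pattern: str) -> List[FileRecord]:
    """Path search returns live instances whose full path matches the pattern."""
    rx = path_pattern_to_regex(pattern)
    return [r for r in inventory if not r.deleted and rx.match(r.path)]


def search_by_hash(inventory: List[FileRecord], sha256: str,
                   include_deleted: bool = True) -> List[FileRecord]:
    """Hash search returns every instance across endpoints, deleted ones included by default."""
    wanted = sha256.lower()
    return [r for r in inventory
            if r.sha256 == wanted and (include_deleted or not r.deleted)]


def destroy_by_hash(inventory: List[FileRecord], sha256: str) -> int:
    """Destroy by hash removes every live instance on every targeted endpoint."""
    victims = search_by_hash(inventory, sha256, include_deleted=False)
    for r in victims:
        r.deleted = True
    return len(victims)


def destroy_by_path(inventory: List[FileRecord], path: str) -> int:
    """Destroy by path takes the exact file path and name, no wildcards."""
    if "*" in path:
        raise ValueError("destroy by path requires the exact file path and file name")
    victims = [r for r in inventory if not r.deleted and r.path == path.lower()]
    for r in victims:
        r.deleted = True
    return len(victims)


# Constructed sample data: one dropper present on two hosts, one copy already deleted.
DROPPER = b"MZ\x90\x00" + b"constructed dropper body"
DROPPER_SHA256 = sha256_hex(DROPPER)


def build_sample_inventory() -> List[FileRecord]:
    inv: List[FileRecord] = []
    add_file(inv, "host-1", r"C:\Users\alice\Downloads\invoice.exe", DROPPER)
    add_file(inv, "host-1", r"C:\ProgramData\cache\invoice.exe", DROPPER)
    add_file(inv, "host-2", r"C:\Users\bob\invoice.exe", DROPPER)
    add_file(inv, "host-2", r"C:\Users\bob\AppData\Local\Temp\invoice.exe", DROPPER, deleted=True)
    add_file(inv, "host-2", r"C:\Users\bob\invoice.pdf", b"%PDF-1.7 benign document")
    # Above the hash cap: listed by path, but cannot be found or destroyed by hash.
    add_file(inv, "host-2", r"C:\Windows\Temp\image.iso", b"\0" * (MAX_HASH_BYTES + 1))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("c:\\users\\*\\invoice.exe ->", [r.path for r in search_by_path(inv, r"c:\users\*\invoice.exe")])
    print("c:\\*\\*\\invoice.exe    ->", [r.path for r in search_by_path(inv, r"c:\*\*\invoice.exe")])
    print("by hash (incl. deleted):", len(search_by_hash(inv, DROPPER_SHA256)))
    print("destroyed:", destroy_by_hash(inv, DROPPER_SHA256))
    print("live after destroy:", len(search_by_hash(inv, DROPPER_SHA256, include_deleted=False)))
```

Note how `c:\users\*\invoice.exe` finds only bob's copy: alice's file sits one folder deeper and needs a second wildcard, which is exactly the folder-hierarchy limitation the console enforces, and why destroying by hash is the safer way to clear every instance at once.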