Locating Periodic Scan Logs and Tracking Scan Duration


Created On 08/17/21 21:46 PM - Last Modified 05/03/24 17:32 PM


Symptom


Periodic scans can be configured on the agent, but the Cortex XDR console only shows logs of scans that were manually triggered.

Environment


  • Cortex XDR
  • Cortex XSIAM


Resolution


  1. The agent stores logs of the periodic scan under the C:\ProgramData\Cyvera\Scan\<folder>\ directory.
  2. Use the date of the folder creation to find when the scan was performed.
  3. An example of the log that is generated is shown below. Note that the log records the start time, the finish time, and any suspicious files that were found, so the scan duration is the difference between FinishTime and StartTime.

--------------------------------------------------
<TRAPS build="31675" major="7" minor="4" revision="1">
    <ScanReport id="27241e84-25f5-43e8-b86b-cf0a7292b51b">
        <Summary>
            <Scope>Full</Scope>
            <Trigger>Periodic</Trigger>
            <ScanStatus errorCode="0" errorDescription="">Success</ScanStatus>
            <StartTime>2021-08-11T15:03:14.279Z</StartTime>
            <FinishTime>2021-08-11T16:03:46.340Z</FinishTime>
            <TotalFiles>449408</TotalFiles>
            <SuspiciousFiles>4</SuspiciousFiles>
            <FailedFiles>0</FailedFiles>
        </Summary>
        <Configuration>
            <IncludePaths>
                <Path>C:\</Path>
                <Path>\\.\GLOBALROOT\Device\HarddiskVolume2\</Path>
            </IncludePaths>
            <ExcludePaths>
                <Path>\\.\Volume{????????-????-????-????-????????????}\System Volume Information</Path>
                <Path>*:\System Volume Information</Path>
            </ExcludePaths>
        </Configuration>
        <SuspiciousFiles>
            <File path="C:\Users\user1\Desktop\erik.xls" securityEventId="46EE821B-6420-4EEE-BE31-BCEB6EC45AF9"/>
            <File path="C:\Users\user1\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000bc" securityEventId="6F80C944-B7E4-4428-A56A-76055EC7D16B"/>
            <File path="C:\Users\user1\Downloads\wildfire-test-pe-file (1).exe" securityEventId="BC859C46-B2DB-4EEC-A41D-91C21731C7BD"/>
            <File path="C:\Users\user1\Downloads\wildfire-test-pe-file.exe" securityEventId="E98144A9-5D86-467D-8A1F-02C3ACD29871"/>
        </SuspiciousFiles>
        <FailedFiles/>
    </ScanReport>
</TRAPS>

--------------------------------------------------
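To apply steps 2 and 3 without reading each report by hand, here is an added Python example (not Palo Alto Networks code) that parses a scan report in the format above and returns the trigger, status, duration and the listed suspicious files. It embeds the article's sample report as constructed input and assumes real reports use the same element layout.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample: the report shown in the article above, trimmed to the
# elements this script reads (not output captured from a live endpoint).
SAMPLE_REPORT = r"""<TRAPS build="31675" major="7" minor="4" revision="1">
  <ScanReport id="27241e84-25f5-43e8-b86b-cf0a7292b51b">
    <Summary>
      <Scope>Full</Scope>
      <Trigger>Periodic</Trigger>
      <ScanStatus errorCode="0" errorDescription="">Success</ScanStatus>
      <StartTime>2021-08-11T15:03:14.279Z</StartTime>
      <FinishTime>2021-08-11T16:03:46.340Z</FinishTime>
      <TotalFiles>449408</TotalFiles>
      <SuspiciousFiles>4</SuspiciousFiles>
    </Summary>
    <SuspiciousFiles>
      <File path="C:\Users\user1\Desktop\erik.xls" securityEventId="46EE821B-6420-4EEE-BE31-BCEB6EC45AF9"/>
      <File path="C:\Users\user1\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000bc" securityEventId="6F80C944-B7E4-4428-A56A-76055EC7D16B"/>
      <File path="C:\Users\user1\Downloads\wildfire-test-pe-file (1).exe" securityEventId="BC859C46-B2DB-4EEC-A41D-91C21731C7BD"/>
      <File path="C:\Users\user1\Downloads\wildfire-test-pe-file.exe" securityEventId="E98144A9-5D86-467D-8A1F-02C3ACD29871"/>
    </SuspiciousFiles>
  </ScanReport>
</TRAPS>"""

def _parse_ts(value: str) -> datetime:
    """Report timestamps are UTC with millisecond precision and a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_scan_report(xml_text: str) -> dict:
    """Extract trigger, status, duration and the listed suspicious files."""
    report = ET.fromstring(xml_text).find("ScanReport")
    summary = report.find("Summary")
    start, finish = (_parse_ts(summary.findtext(t)) for t in ("StartTime", "FinishTime"))
    # The <File> entries under ScanReport/SuspiciousFiles, not the Summary count.
    files = [{"path": f.get("path"), "event_id": f.get("securityEventId")}
             for f in report.findall("SuspiciousFiles/File")]
    return {
        "trigger": summary.findtext("Trigger"),
        "status": summary.findtext("ScanStatus"),
        "start": start,
        "finish": finish,
        "duration_seconds": (finish - start).total_seconds(),
        "total_files": int(summary.findtext("TotalFiles")),
        "suspicious_files": files,
        # False means the report is truncated or was altered after the scan wrote it.
        "count_matches": int(summary.findtext("SuspiciousFiles")) == len(files),
    }
```

Point it at the report XML inside each folder under C:\ProgramData\Cyvera\Scan\ (the article does not name the file) and sort the results by "start" to see how long each periodic scan ran.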


Additional Information


https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Scan-an-Endpoint-for-Malware
