Prisma Compute : Alert - <path> launched and is detected as an altered or corrupted package binary

Created On 04/18/23 07:16 AM - Last Modified 02/05/25 17:55 PM


Symptom


An alert similar to the following is seen on the Prisma Cloud Compute Console:
/usr/bin/ls launched and is detected as an altered or corrupted package binary. The file metadata doesn't match what's reported by the package manager.



Environment


  • Prisma Cloud Compute Edition
  • Prisma Cloud Enterprise Edition (SaaS)
  • Prisma Cloud Runtime Security


Cause


1. When the image is scanned, the size of each binary file reported by the image's package manager is compared with the actual size of that file on disk.
2. If a discrepancy in size is found, the file is marked with the boolean field altered=true.
3. When the binary is later executed, and the altered flag for that path is true, the alert is generated.

The same flag can be seen in the binaries section of a HAR file collected while accessing the vulnerability report of the particular image.
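The following is an added illustration, not Prisma Cloud code, of the two-stage mechanism described above: a scan compares package-manager metadata with the file on disk and records altered=true for mismatches, and the runtime side raises the alert only when an altered path is launched. The manifest, file contents and digest choice (sha256) are constructed for the example; the real product's package database and comparison details are not assumed. The model goes slightly beyond the size comparison described in the Cause: it also compares a content digest, and the same-size patch of /usr/bin/cat shows what a size-only check would miss.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PkgFile:
    """What the package database claims about one installed file (constructed)."""
    size: int
    digest: str


@dataclass
class BinaryRecord:
    """Per-file scan result; `altered` is the flag the runtime alert keys on.
    `detail` lists what differed: 'S' size, 'D' digest, or 'missing'."""
    path: str
    altered: bool
    detail: str


def digest_hex(data: bytes) -> str:
    # sha256 stands in for whatever digest a real package database stores
    return hashlib.sha256(data).hexdigest()


def package_manifest(files: Dict[str, bytes]) -> Dict[str, PkgFile]:
    """Constructed stand-in for rpmdb / dpkg metadata of the pristine files."""
    return {p: PkgFile(len(c), digest_hex(c)) for p, c in files.items()}


def scan(root: str, manifest: Dict[str, PkgFile]) -> Dict[str, BinaryRecord]:
    """Scan-time step: compare each manifest entry with the file under root."""
    records: Dict[str, BinaryRecord] = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(full):
            records[rel] = BinaryRecord(rel, True, "missing")
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        flags = ""
        if len(data) != expected.size:
            flags += "S"
        if digest_hex(data) != expected.digest:
            flags += "D"
        records[rel] = BinaryRecord(rel, bool(flags), flags)
    return records


def on_exec(path: str, records: Dict[str, BinaryRecord]) -> Optional[str]:
    """Runtime step: raise the alert only if the scan flagged this path."""
    rec = records.get(path)
    if rec is None or not rec.altered:
        return None
    return (f"{path} launched and is detected as an altered or corrupted "
            f"package binary. The file metadata doesn't match what's "
            f"reported by the package manager. [{rec.detail}]")


def demo() -> Dict[str, BinaryRecord]:
    """Constructed image: four package files; after 'install' one is
    replaced by a larger build artifact, one is patched in place with the
    same size, one is deleted and one is left untouched."""
    pristine = {
        "/usr/bin/ls": b"\x7fELF-ls-original-bytes",
        "/usr/bin/cat": b"\x7fELF-cat-original-bytes",
        "/usr/bin/id": b"\x7fELF-id-original-bytes",
        "/usr/bin/true": b"\x7fELF-true-original-bytes",
    }
    manifest = package_manifest(pristine)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for rel, content in pristine.items():
            with open(os.path.join(root, rel.lstrip("/")), "wb") as fh:
                fh.write(content)
        # a build step overwrote ls with a different binary (size changes)
        with open(os.path.join(root, "usr/bin/ls"), "wb") as fh:
            fh.write(b"\x7fELF-ls-replaced-by-build-step")
        # same-size patch: a size-only comparison would not notice this one
        with open(os.path.join(root, "usr/bin/cat"), "wb") as fh:
            fh.write(b"\x7fELF-cat-patched!-bytes")
        os.remove(os.path.join(root, "usr/bin/id"))
        return scan(root, manifest)


if __name__ == "__main__":
    recs = demo()
    for rec in recs.values():
        print(f"{rec.path}: altered={rec.altered} {rec.detail}")
    print(on_exec("/usr/bin/ls", recs))
```

Running the block prints one line per file and then the alert text for /usr/bin/ls; /usr/bin/true produces no alert because its record was never marked altered.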


Resolution


1. Investigate the reported binary to determine whether it is actually malicious. Comparing the file against the package manager's own verification on the same package (for example rpm -V or dpkg --verify) shows which attributes differ.
2. Check whether the binary is altered during the image build process (for example patched, stripped, or replaced by a later build step) and ask the image development team to confirm that the change is expected and trusted.
3. Only after the change has been confirmed as trusted can the path be allow-listed in the Runtime rule so that the alert is ignored, as required by the customer.

Note: Palo Alto Networks does not recommend allow-listing; the binary file must be investigated before any decision to allow-list it.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHhjCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail