topic Re: Cortex XDR-File hash Allow/Block on specific endpoint in Cortex XDR Discussions

Cortex XDR-File hash Allow/Block on specific endpoint

RahulPrajapati — Fri, 21 Jan 2022 04:32:16 GMT

Hi everyone,

Can we allow/block the file hash for a particular endpoint instead of allowing/blocking the file hash on all the endpoints?

Regards

Re: Cortex XDR-File hash Allow/Block on specific endpoint

bbarmanroy — Fri, 21 Jan 2022 06:10:48 GMT

Hi @RahulPrajapati you can use a Malware profile to key in a file path (see Step 3, substep 3 here).

Alternately, you can also look at using Exception Profile for specific modules that you want the process to be exempted from (Step 3 here).

Re: Cortex XDR-File hash Allow/Block on specific endpoint

RahulPrajapati — Fri, 21 Jan 2022 06:31:57 GMT

Hi @bbarmanroy ,

But this will allow/block the file on all endpoints on which this profile is applied right? But I want to allow/block the file for specific endpoint not all endpoints

Regards

Re: Cortex XDR-File hash Allow/Block on specific endpoint

bbarmanroy — Fri, 21 Jan 2022 07:44:48 GMT

@RahulPrajapati yes. Please create a new profile and apply it to a single endpoint/set of endpoints/static or dynamic groups as per your prevention policies.

Re: Cortex XDR-File hash Allow/Block on specific endpoint

MithunKT — Mon, 25 Jul 2022 10:31:58 GMT

Hi @bbarmanroy ,

Even I'm having the similar requirement to allow hash for specific endpoints.

But as per my observation, the Malware profile allows only to add files/folders/trusted signers into allow list. I don't see any fields where I can add hashes.

We have a scenario here where we need to allow the execution of a particular internal tool that has no signers and can be found in different file paths with different end users. Therefore I can whitelist neither trusted signers nor files/folders. I need to allow the only hash to this specific group of people. Unfortunately, that option is unavailable.

Thanks!!

Re: Cortex XDR-File hash Allow/Block on specific endpoint

palomike — Wed, 21 Dec 2022 20:05:25 GMT

@bbarmanroy, why is this marked with an accepted answer?

Cortex XDR allows whitelisting hashes globally, not on specific endpoints or groups. The subject of this (Cortex XDR-File hash Allow/Block on specific endpoint) is not solved.

I require whitelisting on a per-group basis as well; this seems like a pretty basic and fundamental feature. Allowing only globally whitelisted SHA256 hashes puts other groups at risk unnecessarily, when only a single isolated group or device requires the whitelisted hash.

@MithunKT correctly states that Malware profiles or Legacy Agent Exceptions only provide files/folders/trusted signers.