topic XDR 7.6.1 seems to ignore exception in Cortex XDR Discussions

XDR 7.6.1 seems to ignore exception

Faber — Tue, 25 Jan 2022 09:33:11 GMT

Hi, Cortex XDR Local Analysis Malware module stops a process called "ClientConsole.exe" (I guess it's a false positive)

I've created a global exception for that issue and checked-in client but XDR still blocks this executable.

In client log I read these rows:

2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'

Why XDR ignores my exceptions ????

Re: XDR 7.6.1 seems to ignore exception

jtalton — Fri, 10 Jun 2022 20:46:56 GMT

Hi Faber,

This may be due to this process not being protected by a module. By default, your exploit security profile protects endpoints from attack techniques that target specific processes. Each exploit protection capability protects a different set of processes that Palo Alto Networks researchers determine are susceptible to attack. If there are no protection modules enabled on the process, no is exception needed. Please reference Processes Protected by Exploit Security Policy (paloaltonetworks.com) for more details.

There are other modules where Process Exceptions will still apply, like Anti-Ransomware Protection, Child Process Protection, but for all Exploit Prevention Modules the process exception makes no difference for an unprotected process.

If you're investigation has determined the process is benign, you can add the hash to the Allow List (*best practice is to whitelist by hash) and allow it to be executed on all your endpoints regardless of the WildFire or local analysis verdict.

In the UI, Go to Incident Response, Response, Action Center, + New Action

Enter the SHA-256 hash of the file and click

You can add up to 100 hashes at once.
Click Next.
Review the summary and click Done.

Reference Manage File Execution (paloaltonetworks.com)

Thanks

Re: XDR 7.6.1 seems to ignore exception

D.Shymanskyi — Fri, 02 May 2025 09:35:01 GMT

А якщо інцидент генерується модулем "Local Analise", а програма яка генерує це, створює що разу нові файли з новими хеш-сумами?

Яким чином можна добавити у виключення?
Бо за шляхом папки яка добавлена у виключення звідки генеруються файли, XDR всерівно блокує.