https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-exclusion-and-add-to-allow-list-cortex-xdr/m-p/348808#M285 <P>Hello,</P><P>&nbsp;</P><P>It depends on what you want to do. If the verdict from WF / Local Analysis was benign, the file should've been allowed to run on the endpoint. Please verify that first - was the file allowed to run, or did Cortex prevent it?<BR /><BR />1. If the file was allowed to run it means that some BIOC rule probably triggered the detection due to Macro-enabled Excel document. In this case what you want to do is create an <STRONG>Exclusion</STRONG>. Exclusions basically hide the alerts that contain such criteria that you define in Exclusion.</P><P>&nbsp;</P><P>2. If the file was actually prevented, then you would need to find out which Security profile caused the prevention (Ransomware protection, Malware Protection,..). In this case, it is is probably <STRONG>Anti-Malware protection profile</STRONG>. Edit it and locate the section with <STRONG>Office Files with Macros Examination</STRONG>. In this section you are able to add Files / Folders to Allow List, where you would add this file.</P><P>&nbsp;</P><P>Hope this helps.</P><P><BR />Best,</P><P>D</P> Sun, 13 Sep 2020 14:56:50 GMT DKasabji 2020-09-13T14:56:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-exclusion-and-add-to-allow-list-cortex-xdr/m-p/347666#M278 <P>good day community,</P><P>I have an incident due to the execution of an excel file that contains macros.</P><P>According to the verdict and its hash the file is not a threat.</P><P>My question is the following which is the most suitable method to allow the execution of said file?</P><P>In the incident analysis window, right click on the allow list process or generate an exclusion? what is the difference?</P><P>&nbsp;</P><P>Best regards</P> Tue, 08 Sep 2020 19:32:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-exclusion-and-add-to-allow-list-cortex-xdr/m-p/347666#M278 marcelocampos 2020-09-08T19:32:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-exclusion-and-add-to-allow-list-cortex-xdr/m-p/348808#M285 <P>Hello,</P><P>&nbsp;</P><P>It depends on what you want to do. If the verdict from WF / Local Analysis was benign, the file should've been allowed to run on the endpoint. Please verify that first - was the file allowed to run, or did Cortex prevent it?<BR /><BR />1. If the file was allowed to run it means that some BIOC rule probably triggered the detection due to Macro-enabled Excel document. In this case what you want to do is create an <STRONG>Exclusion</STRONG>. Exclusions basically hide the alerts that contain such criteria that you define in Exclusion.</P><P>&nbsp;</P><P>2. If the file was actually prevented, then you would need to find out which Security profile caused the prevention (Ransomware protection, Malware Protection,..). In this case, it is is probably <STRONG>Anti-Malware protection profile</STRONG>. Edit it and locate the section with <STRONG>Office Files with Macros Examination</STRONG>. In this section you are able to add Files / Folders to Allow List, where you would add this file.</P><P>&nbsp;</P><P>Hope this helps.</P><P><BR />Best,</P><P>D</P> Sun, 13 Sep 2020 14:56:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/difference-between-exclusion-and-add-to-allow-list-cortex-xdr/m-p/348808#M285 DKasabji 2020-09-13T14:56:50Z