https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523981#M3253 <P><SPAN>Yes, you can whitelist the file hash by going into Incident Response → Action Center → New Action – Add to allow list.</SPAN><SPAN><BR /></SPAN><SPAN>Please note that once the file changes (via updates for example) you will need to whitelist the new hash again.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>If you know the signature of your verified software, you can also add the singer as a trusted signer when creating a new malware profile (the page I recommended in the above response).</SPAN><SPAN><BR /></SPAN><SPAN><BR /><BR /></SPAN></P> <P>&nbsp;</P> Tue, 13 Dec 2022 16:51:14 GMT mavraham 2022-12-13T16:51:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523846#M3246 <P>Hello,&nbsp;</P> <P>We are running periodic scan on all endpoints . During this scan few files has been detected .We have&nbsp; got confirmation that some of the files are legitimate and it's being used in infra.&nbsp;</P> <P>Can you please suggest in providing what is the best method to whitelist the safe and confirmed files .&nbsp;</P> Mon, 12 Dec 2022 19:47:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523846#M3246 Shashanksinha 2022-12-12T19:47:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523858#M3248 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/203123">@Shashanksinha</a>,<BR /><BR />Thank you for writing to Live Community.<BR /><BR />You would need to&nbsp;<SPAN>can create a malware profile and exclude specific files from scans.&nbsp;</SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004Nw2CAE&amp;lang=en_US%E2%80%A9" target="_self">This page</A>&nbsp;should guide you how to proceed.</P> Mon, 12 Dec 2022 21:59:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523858#M3248 mavraham 2022-12-12T21:59:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523908#M3251 <P>Hello,</P> <P>&nbsp;</P> <P>Thanks for your response.</P> <P><SPAN>As you mentioned to create malware profile and exclude specific files from scans, as&nbsp;we have multiple files present in different folders so it will be difficult to add every path with *. If we whitelist the file hash does this exclude from scans?</SPAN></P> Tue, 13 Dec 2022 11:46:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523908#M3251 RamyashreeMada 2022-12-13T11:46:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523981#M3253 <P><SPAN>Yes, you can whitelist the file hash by going into Incident Response → Action Center → New Action – Add to allow list.</SPAN><SPAN><BR /></SPAN><SPAN>Please note that once the file changes (via updates for example) you will need to whitelist the new hash again.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>If you know the signature of your verified software, you can also add the singer as a trusted signer when creating a new malware profile (the page I recommended in the above response).</SPAN><SPAN><BR /></SPAN><SPAN><BR /><BR /></SPAN></P> <P>&nbsp;</P> Tue, 13 Dec 2022 16:51:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/523981#M3253 mavraham 2022-12-13T16:51:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/524058#M3259 <P>Hello,</P> <P>Thanks for responding.</P> <P>If we add the hash of the file in allow list .So does alerts/incidents excludes in the malware scan. .&nbsp;</P> <P>As we are observing incidents/alerts for the files despite being in allow list.&nbsp;</P> <P>&nbsp;</P> Wed, 14 Dec 2022 09:03:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/524058#M3259 Shashanksinha 2022-12-14T09:03:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/524085#M3260 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/203123">@Shashanksinha</a>,<BR /><BR />Please note that adding file hash to the allowlist will <SPAN>bypass the verdict of WF or local analysis, it will not prevent alerts generated by BTP rules, and alerts can still be triggered by child processes&nbsp;.<BR /><BR />In case your alerts are triggered&nbsp;by BTP rules, you can&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-a-Global-Endpoint-Policy-Exception" target="_self">add a Global Behavioral Threat Protection (BTP) Rule Exception.</A><BR /><BR /><BR /><BR /><BR /><BR /><BR /></SPAN></P> Wed, 14 Dec 2022 12:10:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/whitelisting-of-files/m-p/524085#M3260 mavraham 2022-12-14T12:10:37Z