topic Re: Exclude single .exe on single endpoint in Cortex XDR Discussions

Exclude single .exe on single endpoint

cemcga — Wed, 11 Jan 2023 13:53:14 GMT

Pretty simple need here....

Installing the latest version of WSUS Automated Maintenance from AJ Tek on our WSUS server and Cortex is blocking it with the description "Suspicious executable detected". How do I allow this to install? Is the best way to temporarily pause protection on the endpoint, install the software and then re-enable protection?

Re: Exclude single .exe on single endpoint

P.Jacob — Wed, 11 Jan 2023 14:38:49 GMT

I think can depend how your environment is setup. you potentially could use the "report verdict as incorrect" in the incident... or could whitelist the hash... now if your setup to not allow unsigned app and that is unsigned that would be different. sorry for being slightly vague but some of this depends on your environment.

Re: Exclude single .exe on single endpoint

mavraham — Wed, 11 Jan 2023 19:05:53 GMT

Hi @cemcga

As suggested above, you can add files hashes to your allow list. Adding files to the block list or allow list takes precedence of any other policy rules that may have otherwise been applied to these files.

In order to add file hashes to your allow-lists:

Go to Incident Response → Response → Action Center → + New Action.
Select Add to Allow List.
Enter the SHA-256 hash of the file.

You can read more about managing file execution here.

If this helped, please click Accept as Solution!

Re: Exclude single .exe on single endpoint

cemcga — Thu, 12 Jan 2023 15:27:40 GMT

Thanks for this. To make sure I understand, this would allow the file to be executed on any endpoint, not just the one server, correct?

Re: Exclude single .exe on single endpoint

mavraham — Thu, 12 Jan 2023 15:41:27 GMT

Yes, you are correct.

Re: Exclude single .exe on single endpoint

bbarmanroy — Fri, 13 Jan 2023 02:05:19 GMT

You can add the exception to an endpoint by creating a new Malware security profile, add the file to the PE and DLL Examination Allow List (Step 3c) and assigning it to the endpoint.

Re: Exclude single .exe on single endpoint

aleksandar.astardzhiev — Tue, 17 Jan 2023 09:14:58 GMT

Hi @cemcga ,

Let me jump in and clarify @P.Jacob reply:

- Report incorrect verdict is applicable only if the prevention is triggered by the WildFire. If Wildfire verdict is unknown at the time of the execution (or WF is unreachable) XDR agent will perform static analysis, called Local Analysis. Local Analysis is using machine learning models to search for suspicious behavior in the exe. It is very common for local analysis to trigger false positive for legitimate file.

- If the execution is blocked by Local Analysis, reporting verdict to WF is not applicable here. As @P.Jacob mentioned the solution in this case it to add the file hash to the allow list.

In my humble opinion - if you absolutely trust this file and want execute it on a machine, then it should be safe to allow this file hash globally. So the easiest way would be to add it to the allow list, wait for the xdr agent to check-in (to get the update from the cloud console).