topic Re: XDR on-write exclusions in Cortex XDR Discussions

XDR on-write exclusions

tlmarques — Thu, 07 Mar 2024 14:33:51 GMT

Hi,

Is it possible to exclude certain executables and their hashes from on-write protection on ??

Re: XDR on-write exclusions

jmazzeo — Thu, 07 Mar 2024 17:47:23 GMT

Hi @tlmarques, thanks for reaching us using the Live Community.

There is no possibility to create an exclusion for the On-Write protection itself. This module detects when a new file is writed on disk, and then starts the usual file analysis flow:

Then you have two options:

If a file is blocked and you need to allow it, check which module is blocking it and then create the exception for that module under Settings - Exceptions Configuration.
Create an Administrative Hash exception, going to Settings - Exceptions Configuration - Disable Prevention Rules, and adding a new rule with the file hash and selecting "Hash Control" as the module.

Please let me know how it goes.

If this post answers your question, please mark it as the solution.

Re: XDR on-write exclusions

tlmarques — Mon, 11 Mar 2024 11:55:43 GMT

@jmazzeo how i can check which module is blocking ??

Re: XDR on-write exclusions

P.Ghule — Mon, 18 Nov 2024 05:00:40 GMT

You can check in causality chain. Information Overview

Re: XDR on-write exclusions

jmazzeo — Tue, 19 Nov 2024 17:10:45 GMT

Looks like I missed this reply...

You can do it as @P.Ghule mentions, or by adding the "Module" column in the Alerts View.