topic Re: Potentially Dangerous Tool Alert in Cortex XDR Discussions

Potentially Dangerous Tool Alert

aholdt — Mon, 15 Apr 2024 08:18:38 GMT

Hi

Cortex has started blocking a legitimate tool we use: certify.exe, which is part of Certify The Web, that we use to automate certificate renewal from Lets Encrypt.

I have not seen this before. Is there anyway to whitelist this tool?
The precise alert name is: "Potentially Dangerous Tool - 1827272396", but googling this does not give me much.

Re: Potentially Dangerous Tool Alert

nsinghvirk — Mon, 15 Apr 2024 16:42:07 GMT

Hello @aholdt

Thanks for reaching out on LiveCommunity!

If after analysis you have found the tool is safe and legitimate then you can create an exception for it. But while creating exception make sure to create a very granular exception. Firstly you need to identify the security module that has blocked the tool, to do that please check the "Module" field in alerts table. Once you have the module then you can create a legacy exception based on software name and location. Also you can target this exception to particular profile which applies to group of endpoints on which you are going to use this tool.

Reference- https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-a-Legacy-Exception-Rule

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

Re: Potentially Dangerous Tool Alert

aholdt — Tue, 16 Apr 2024 12:09:51 GMT

This seems to do the trick. Thank you for your help.