https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400844#M671 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170102">@MCereda</a>&nbsp;,</P><P>&nbsp;</P><P>You still have Child Process Protection, Office files with Macros and Ransomware.</P><P>&nbsp;</P><P>I need to point out that active whitelisting is <STRONG>NOT</STRONG> really recommended except for&nbsp;<SPAN>"</SPAN><SPAN>Portable Executable and DLL Examination" as Local Analysis could indeed block legit applications, and it could take WF up to 10-15 minutes to provide a benign verdict.</SPAN></P><P>&nbsp;</P><P><SPAN>The other modules have different kind of protections and I would only recommend whitelisting whenever there is a false positive alert.<BR /><BR />You need to monitor your incidents/alerts and see which modules are blocking your "legit" applications.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Apr 2021 10:08:10 GMT fmoixsante 2021-04-21T10:08:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400835#M670 <P>Hi,</P><P>&nbsp;</P><P>We have been asked to whitelist a specified folder in order to disable any kind of real-time checks and analysis made by Cortex XDR.</P><P>&nbsp;</P><P><SPAN>So, we added the aforementioned folder in the allow lists of "</SPAN><SPAN>Portable Executable and DLL Examination" and "Behavioral Threat Protection" sections</SPAN><SPAN> in "Malware profile" configuration.</SPAN></P><P><SPAN>With this kind of configuration enabled what are Cortex XDR real-time checks that remain active?</SPAN></P> Wed, 21 Apr 2021 09:27:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400835#M670 MCereda 2021-04-21T09:27:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400844#M671 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170102">@MCereda</a>&nbsp;,</P><P>&nbsp;</P><P>You still have Child Process Protection, Office files with Macros and Ransomware.</P><P>&nbsp;</P><P>I need to point out that active whitelisting is <STRONG>NOT</STRONG> really recommended except for&nbsp;<SPAN>"</SPAN><SPAN>Portable Executable and DLL Examination" as Local Analysis could indeed block legit applications, and it could take WF up to 10-15 minutes to provide a benign verdict.</SPAN></P><P>&nbsp;</P><P><SPAN>The other modules have different kind of protections and I would only recommend whitelisting whenever there is a false positive alert.<BR /><BR />You need to monitor your incidents/alerts and see which modules are blocking your "legit" applications.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Apr 2021 10:08:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400844#M671 fmoixsante 2021-04-21T10:08:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400884#M674 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/64736">@fmoixsante</a>,</P><P>thank you for the answer.</P><P>&nbsp;</P><P><SPAN>As we have been asked us to temporarily disable any kind of real-time checks and analysis made by Cortex XDR on a specified folder in order to test a performance issue, do you know how to completely disable Cortex XDR features for a single folder?</SPAN></P> Wed, 21 Apr 2021 12:03:38 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400884#M674 MCereda 2021-04-21T12:03:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400888#M676 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170102">@MCereda</a>&nbsp;,</P><P>&nbsp;</P><P>You can whitelist folders for almost every malware module, except for Ransomware and&nbsp;Password Theft Protection.</P><P>&nbsp;</P><P>For the Exploit module, disabling protections for a single folder is not supported as far as I know. As of now, there is no way to do that directly from the Exploit module. I would suggest contacting TAC and ask them if a Support Exception (SUEX) would be able to achieve what you want to do.</P> Wed, 21 Apr 2021 12:09:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-whitelisting/m-p/400888#M676 fmoixsante 2021-04-21T12:09:18Z