https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-execution-of-specific-applications-regardless-of-location/m-p/1236347#M8676 <P>Hi again <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1452178617">@J.Lopes154290</a>&nbsp;,&nbsp;</P> <P>There is something else you can do.&nbsp;</P> <P>&nbsp;</P> <P>You can block the remote access software by signer. The cons are that if this software vendor, develops other software that is not for remote access you are blocking it too.&nbsp;</P> <P>&nbsp;</P> <P>Create a BIOC just adding the signer you want to block (TeamViewer, etc... whatever you want), then you can test it if you want to make sure it works as expected.</P> <P>&nbsp;</P> <P>At this point BIOC is just alerting, not blocking anything</P> <P>&nbsp;</P> <P>To block: right clicking on the BIOC you can add it to a restriction profile. This will send the BIOC to the agents under that policy rule and will start blocking that signer, any software from that signer.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Wed, 20 Aug 2025 14:01:06 GMT eluis 2025-08-20T14:01:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-execution-of-specific-applications-regardless-of-location/m-p/1236176#M8667 <P>I want to prevent the execution of anydesk.exe, choco.exe, and cloudflared.exe. However, I went to the Prevention Policy Rules and created restrictions for applications, but it only allows blocking in specific locations, so that doesn't meet my needs. I want these applications to be blocked whenever they are detected anywhere in the system.</P> <P>&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Mon, 18 Aug 2025 16:06:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-execution-of-specific-applications-regardless-of-location/m-p/1236176#M8667 J.Lopes154290 2025-08-18T16:06:27Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-execution-of-specific-applications-regardless-of-location/m-p/1236255#M8674 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1452178617">@J.Lopes154290</a>&nbsp;</P> <P>&nbsp;</P> <P>To block executions in your use case you can do several things:&nbsp;</P> <OL> <LI>Block hashes (one by one): going to action center and click on add new action and block list. Bear in mind that changes here will take effect on agents after the next check-in of the agent</LI> <LI>Block hashes (bulk number of hashes from file import): going to action center and click on Import Hash Exceptions.<BR />Check the video on how to do it:&nbsp;<A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-import-file-hash-exceptions/ta-p/503616" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-import-file-hash-exceptions/ta-p/503616</A></LI> <LI>Add a restriction profile and play with the wildcards to implement your use case:<BR /><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Set-up-restrictions-prevention-profiles#" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Set-up-restrictions-prevention-profiles#</A></LI> </OL> <P>Realize that hashes can change if files are updated for example new versions of the same sofware are uploaded.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Tue, 19 Aug 2025 18:49:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-execution-of-specific-applications-regardless-of-location/m-p/1236255#M8674 eluis 2025-08-19T18:49:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-execution-of-specific-applications-regardless-of-location/m-p/1236347#M8676 <P>Hi again <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1452178617">@J.Lopes154290</a>&nbsp;,&nbsp;</P> <P>There is something else you can do.&nbsp;</P> <P>&nbsp;</P> <P>You can block the remote access software by signer. The cons are that if this software vendor, develops other software that is not for remote access you are blocking it too.&nbsp;</P> <P>&nbsp;</P> <P>Create a BIOC just adding the signer you want to block (TeamViewer, etc... whatever you want), then you can test it if you want to make sure it works as expected.</P> <P>&nbsp;</P> <P>At this point BIOC is just alerting, not blocking anything</P> <P>&nbsp;</P> <P>To block: right clicking on the BIOC you can add it to a restriction profile. This will send the BIOC to the agents under that policy rule and will start blocking that signer, any software from that signer.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Wed, 20 Aug 2025 14:01:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-execution-of-specific-applications-regardless-of-location/m-p/1236347#M8676 eluis 2025-08-20T14:01:06Z