XDR Legacy Agent Exception's behavior

C.Seokgun — Tue, 11 Nov 2025 00:08:23 GMT

Hi,

We have confirmed through the official manual that XDR does not perform evaluation on files or paths allowed under XDR Legacy Agent Exception.
What I would like to know is whether files covered by a Legacy Agent Exception policy also do not generate alerts.
I would also like to confirm if this behavior is explicitly stated in the official documentation.

Currently, we have observed that even after configuring Alert Exclusions, alerts of the same type continue to appear.
While we could add additional Alert Exclusions, our goal is to use Legacy Agent Exception for items that should be clearly allowed, in order to reduce unnecessary alert counts.

Questions:

Do files/paths configured under a Legacy Agent Exception also prevent alert generation?
Is this behavior officially documented?

Thank you.

Re: XDR Legacy Agent Exception's behavior

susekar — Wed, 07 Jan 2026 15:47:01 GMT

Hello @C.Seokgun ,

Greeting for the day.

Whether a Legacy Agent Exception prevents alert generation depends on the specific protection module for which the exception is configured.

1. Do Legacy Agent Exceptions prevent alert generation?

The behavior varies by module:
* Malware Evaluation Modules (e.g., Portable Executable and DLL Examination, Endpoint Scanning): Configuring a Legacy Agent Exception for these modules generally instructs the agent to skip evaluation entirely. In these cases, the exception does prevent both the blocking action and the generation of an alert in the console.
* Behavioral Threat Protection (BTP) and Credential Gathering Protection (DSE): Adding a process or path to the Legacy Agent Exception list for these modules will stop the agent from terminating or blocking the process, but it will not prevent alert generation. Instead, the console will continue to display "Detected (Reported)" alerts to indicate that a potential threat was identified but permitted due to the exception. To fully suppress these alerts, you must create a specific Alert Exception (or Alert Exclusion).

2. Is this behavior officially documented?

Yes, this behavior is explicitly mentioned in official documentation and internal Knowledge Base articles for various modules:
* For the Office Files with Macros Examination module, the manual states: "Adding a process to the allow list doesn’t prevent the generation of a security event".
* General Malware Security Profile documentation notes: "Processes on the allow list will not be terminated by the agent when they are part of a malicious causality chain. Alerts will be triggered regardless".

Additional Recommendations

Operational Agent Exception: If your goal is to completely exclude a process or path from all monitoring and intervention (available for Windows agents 8.7+), you should use an Operational Agent Exception. This broad exception disables major Endpoint Protection Modules (EPMs), anti-malware triggers, and most event collection for the specified item, effectively preventing alerts across the board.
Alert Exclusion Issues: You mentioned that alerts continue to appear even after configuring Alert Exclusions. This typically occurs if the exclusion criteria (such as the exact process path, command line, or signer) do not perfectly match the data in the generated alert. It is recommended to create the exclusion directly from the alert itself by right-clicking the alert and selecting Manage Alert > Create Alert Exception to ensure matching accuracy.

Exception configuration:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Exception-configuration

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008VeHCAU

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New Year!!