XDR Allow-Listing signed processes

M.Crow — Wed, 19 Nov 2025 15:39:41 GMT

We have internally developed scripts that we would like to create XDR exclusions or alert level reduction for based on if they contain code signing certificates. I don't know how to go about doing this or if it's even possible.

The idea here is to not need to update exclusions based on hashes any time the scripts are changed and to be more secure than filepath based exclusions.

Thanks in advance!

Re: XDR Allow-Listing signed processes

susekar — Tue, 06 Jan 2026 20:18:04 GMT

Hello @M.Crow ,

Greetings for the day!

Yes, it is possible to create exclusions and reduce alert levels in Cortex XDR based on digital code signing certificates. This approach allows you to trust internally developed tools without relying on fluctuating file hashes or broad path-based exclusions.

There are three primary methods to achieve this, depending on which protection module is flagging your scripts:

1. Whitelisting Signers in Malware Security Profiles

This is the most direct way to prevent the Portable Executable (PE) and DLL Examination and Digital Signer Restriction modules from blocking your signed files.
* Module Scope: This primarily applies to compiled executables (.exe) and DLLs.
* Procedure:
1. Identify the exact Trusted Signer Name from the alert details or file properties on the endpoint.
2. In the Cortex XDR console, navigate to Endpoints > Policy Management > Prevention Profiles > Malware.
3. Edit your active Malware profile.
4. Under Portable Executable and DLL Examination, find the ALLOW LIST SIGNERS section and click + ADD.
5. Enter the exact signer name and save the profile.

2. Disabling Prevention Rules (DPR) by Signer

For alerts triggered by Behavioral Threat Protection (BTP) or specific Exploit modules, you can create a "Disable Prevention Rule" to allow the activity based on the signer.
* Granular Control: You can target specific rules (like a specific BTP rule) and exclude them only when the signer matches.
* Procedure:
1. Navigate to Settings > Exception Configuration > Disable Prevention Rule.
2. Click Add Rule.
3. In the Scope, select the module or specific rule ID causing the block.
4. In the Target Properties, select Signer and enter the name of your internal certificate.

3. Alert Level Reduction (Alert Exclusions)

If you want the scripts to run but simply wish to suppress or hide the alerts in the management console (reducing "noise"), you can use Alert Exclusions.
* Procedure:
1. Navigate to Settings > Exception Configuration > Alert Exclusions.
2. Create a rule where the Signer property matches your certificate.
3. This will hide future matching alerts from the Alert Table and prevent them from generating incidents, while still allowing the agent to monitor the activity.

Important Considerations for Scripts

PE vs. Raw Scripts: Most "Signer" allow list features in Malware profiles are designed for Portable Executables (PE). There are internal indications that Cortex XDR may not parse digital signatures for raw PowerShell (.ps1) scripts in the same way it does for binaries.
BTP Exclusions: For raw scripts, the most effective method is often creating a Behavioral Threat Protection Exclusion using the script's signer information if the script is being flagged for its behavior.
Best Practice: Moving scripts to a dedicated "safe" directory and then using a combination of path and signer-based exclusions is recommended to minimize risk.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New year!!

Thanks & Regards,
S. Subashkar Sekar

Re: XDR Allow-Listing signed processes

M.Crow — Wed, 07 Jan 2026 16:33:58 GMT

This is wonderfully helpful, thank you!

topic Re: XDR Allow-Listing signed processes in Cortex XDR Discussions

XDR Allow-Listing signed processes

Re: XDR Allow-Listing signed processes

1. Whitelisting Signers in Malware Security Profiles

2. Disabling Prevention Rules (DPR) by Signer

3. Alert Level Reduction (Alert Exclusions)

Important Considerations for Scripts

Re: XDR Allow-Listing signed processes