topic Re: Does adding legit windows binary hash to the allow list increase load on the XDR agent? in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-adding-legit-windows-binary-hash-to-the-allow-list-increase/m-p/1245921#M9016 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1523781643">@Abhishemh</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day!</P> <P>&nbsp;</P> <P>Adding a legitimate Windows binary hash to the<SPAN>&nbsp;</SPAN><STRONG>Allow List</STRONG><SPAN>&nbsp;</SPAN>does not increase the load on the Cortex XDR agent; in fact, it is a recommended method to<SPAN>&nbsp;</SPAN><STRONG>decrease</STRONG><SPAN>&nbsp;</SPAN>agent resource consumption and mitigate CPU spikes.</P> <H3>How the Allow List Impacts Agent Performance</H3> <P>When a file hash is added to the Allow List, it is synchronized to the endpoint and stored in a local database called<SPAN>&nbsp;</SPAN><CODE>hash_overrides.db</CODE>.</P> <P>&nbsp;</P> <UL> <LI><STRONG>Bypassing Intensive Scans:</STRONG><SPAN>&nbsp;</SPAN>When the agent encounters a binary that is on the allow list, it identifies the "Benign" override and explicitly<SPAN>&nbsp;</SPAN><STRONG>skips</STRONG><SPAN>&nbsp;</SPAN>intensive security flows, including<SPAN>&nbsp;</SPAN><STRONG>Local Analysis (LA)</STRONG><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN><STRONG>WildFire (WF)</STRONG><SPAN>&nbsp;</SPAN>uploads/queries.</LI> <LI><STRONG>Mitigating CPU Spikes:</STRONG><SPAN>&nbsp;</SPAN>Large binaries require significant CPU resources for the agent to calculate hashes (SHA256, MD5) and perform inspections. By adding these to the Allow List, the agent avoids these costly calculations, which significantly reduces performance overhead, especially in environments where multiple replicas of the same large binary are executed simultaneously (e.g., containerized environments).</LI> <LI><STRONG>Reducing Network and Server Load:</STRONG><SPAN>&nbsp;</SPAN>Using the allow list reduces the volume of communication between the agent and the Cortex XDR management console by preventing unnecessary file uploads and verdict queries.</LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Happy New year!!</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Mon, 19 Jan 2026 15:11:29 GMT susekar 2026-01-19T15:11:29Z Does adding legit windows binary hash to the allow list increase load on the XDR agent? https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-adding-legit-windows-binary-hash-to-the-allow-list-increase/m-p/1245664#M9014 <P>Does adding legit windows binary hash to the allow list increase load on the XDR agent?</P> Thu, 15 Jan 2026 13:56:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-adding-legit-windows-binary-hash-to-the-allow-list-increase/m-p/1245664#M9014 Abhishemh 2026-01-15T13:56:30Z Re: Does adding legit windows binary hash to the allow list increase load on the XDR agent? https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-adding-legit-windows-binary-hash-to-the-allow-list-increase/m-p/1245921#M9016 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1523781643">@Abhishemh</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day!</P> <P>&nbsp;</P> <P>Adding a legitimate Windows binary hash to the<SPAN>&nbsp;</SPAN><STRONG>Allow List</STRONG><SPAN>&nbsp;</SPAN>does not increase the load on the Cortex XDR agent; in fact, it is a recommended method to<SPAN>&nbsp;</SPAN><STRONG>decrease</STRONG><SPAN>&nbsp;</SPAN>agent resource consumption and mitigate CPU spikes.</P> <H3>How the Allow List Impacts Agent Performance</H3> <P>When a file hash is added to the Allow List, it is synchronized to the endpoint and stored in a local database called<SPAN>&nbsp;</SPAN><CODE>hash_overrides.db</CODE>.</P> <P>&nbsp;</P> <UL> <LI><STRONG>Bypassing Intensive Scans:</STRONG><SPAN>&nbsp;</SPAN>When the agent encounters a binary that is on the allow list, it identifies the "Benign" override and explicitly<SPAN>&nbsp;</SPAN><STRONG>skips</STRONG><SPAN>&nbsp;</SPAN>intensive security flows, including<SPAN>&nbsp;</SPAN><STRONG>Local Analysis (LA)</STRONG><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN><STRONG>WildFire (WF)</STRONG><SPAN>&nbsp;</SPAN>uploads/queries.</LI> <LI><STRONG>Mitigating CPU Spikes:</STRONG><SPAN>&nbsp;</SPAN>Large binaries require significant CPU resources for the agent to calculate hashes (SHA256, MD5) and perform inspections. By adding these to the Allow List, the agent avoids these costly calculations, which significantly reduces performance overhead, especially in environments where multiple replicas of the same large binary are executed simultaneously (e.g., containerized environments).</LI> <LI><STRONG>Reducing Network and Server Load:</STRONG><SPAN>&nbsp;</SPAN>Using the allow list reduces the volume of communication between the agent and the Cortex XDR management console by preventing unnecessary file uploads and verdict queries.</LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Happy New year!!</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Mon, 19 Jan 2026 15:11:29 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/does-adding-legit-windows-binary-hash-to-the-allow-list-increase/m-p/1245921#M9016 susekar 2026-01-19T15:11:29Z