topic Re: Notepad++ block specific hash version in Cortex XDR Discussions

Notepad++ block specific hash version

tlmarques — Tue, 03 Feb 2026 15:27:14 GMT

Guys,

Does anyone know if it is possible to block the hashes associated with older versions of Notepad++?

My goal is to allow only Notepad++ version 8.9.1 to be executed, and to block the installation and execution of all other versions.

Re: Notepad++ block specific hash version

susekar — Tue, 03 Feb 2026 17:02:53 GMT

Hello @tlmarques ,

Greetings for the day.

Yes, it is possible to block older versions of Notepad++ while allowing only version 8.9.1, but this must be achieved through SHA256 hashes rather than a simple version number toggle, as Cortex XDR does not natively support blocking based solely on application version strings.

To allow only version 8.9.1 and block all other versions (installation and execution), you should use a combination of Restriction Profiles and Hash Control.

Recommended Implementation Steps

1. Obtain the Required Hashes

Identify the SHA256 hashes for the Notepad++ version 8.9.1 executable (notepad++.exe) and its specific installer (for example, npp.8.9.1.Installer.x64.exe).
The global Block List supports Windows PE, PE64, and DLL files, which includes the standard Notepad++ binaries.

2. Configure a Restriction Profile (Block by Name)

Instead of manually adding large numbers of older hashes to a global block list, use a Restriction Profile to block the application by filename and then create an exception for your allowed version.

Navigate to Policy > Prevention Profiles > Restrictions
Create a new profile and add notepad++.exe and npp.*.Installer*.exe to the Executables block list

This blocks the execution of any file with these names regardless of version.

3. Create an Exception for Version 8.9.1 (Allow by Hash)

Explicitly allow the hash of version 8.9.1 so it overrides the restriction.

Navigate to Policy > Prevention and select the policy group for your endpoints
Go to the Exceptions tab and add a Disable Prevention Rule
Configure the rule to target the SHA256 hash of the 8.9.1 executable and installer

Alternatively, you can use Malware Profile > Allow List to add the 8.9.1 hash.

4. Use the Global Block List for Known Older Hashes (Optional)

If you have specific older versions you want to ensure are blocked even if renamed:

Navigate to Response > Action Center > New Action > Add to Block List
Enter the SHA256 hashes of the older Notepad++ versions

Warning: Hashes added to the global Block List are enforced universally across all endpoints in the tenant and take precedence over most other policy rules.

Critical Limitations to Consider

MSI Installers: Cortex XDR’s Hash Block List in the Action Center does not currently support blocking .msi files by SHA256 hash. If the Notepad++ versions are distributed as .msi packages, the hash-based block will not trigger. You must rely on filename or path restrictions in a Restriction Profile for these files.
Size Limits: For agent versions 8.1 and below, there is a 100 MB limit for hash calculations; files exceeding this size will not be matched against the block list. Most Notepad++ binaries are well under this limit.

Verification on the Endpoint

You can verify whether the block and allow lists are correctly applied to a local Windows endpoint by running the following command in an Administrator command prompt:

"%ProgramFiles%\Palo Alto Networks\Traps\cytool.exe" persist print hash_overrides.db

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: Notepad++ block specific hash version

tlmarques — Tue, 03 Feb 2026 17:27:23 GMT

thanks for your help , you give me a good ideas.

maybe the best solutions for this time is block the HASH related with old versions....the best way to get that hashes is XQL? @susekar ??

because my objective, is only allow the last version...now, is 8.9.1....in the future , when launch 9.X for example, i'll block 8.9.1...

Re: Notepad++ block specific hash version

susekar — Wed, 04 Feb 2026 12:46:00 GMT

Hello @tlmarques ,

Thank you for the response.

Yes, using XQL (Cortex Query Language) is one of the most effective ways to retrieve the SHA256 hashes of specific software versions that have been seen in your environment. Since Cortex XDR cannot natively block applications based solely on a version string, you must identify the specific hashes associated with those older versions and add them to a block list.

1. How to Retrieve Hashes Using XQL

You can use either the files dataset (which leverages Host Insights data) or the xdr_data dataset (which contains historical event logs) to find hashes linked to specific file names and versions.

To find hashes and their reported versions from the inventory

Note:
This query requires the Host Insights add-on to be active.

dataset = files
| filter file_name == "your_executable_name.exe"
| fields sha256, file_name, file_version, vendor, last_seen
| dedup sha256

To find hashes from execution events (if you don't have Host Insights)

dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_file_name == "your_executable_name.exe"
| fields action_file_sha256, action_file_name, os_actor_process_command_line, agent_hostname
| dedup action_file_sha256

Note: In the xdr_data dataset, the version might not always be available as a standalone field. You may need to inspect action_file_path or os_actor_process_command_line if the version is embedded in the directory structure or command line.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar