Issue with IOC not blocking MyPDFSwitch executable

J.MorenoCiudad — Wed, 25 Mar 2026 07:37:51 GMT

Hello,

I have been receiving alerts related to a file named MyPDFSwitch_8173674.exe, where the filename ends with random numbers.

I created an IOC with the following pattern:

MyPDFSwitch*.exe

However, today I received another alert related to this file, so I suspect that the IOC is not working properly.

Could you please advise what might be happening? We need to block this type of file in our environment.

Thank you in advance.

Re: Issue with IOC not blocking MyPDFSwitch executable

susekar — Fri, 27 Mar 2026 13:18:32 GMT

Hello @J.MorenoCiudad ,

Greetings for the day.

The Indicator of Compromise (IOC) rule you created is likely not working as intended for two primary reasons: IOC rules are strictly detection-based mechanisms and do not support wildcard patterns for execution control.

1. IOC Rules are Detection Only
Custom IOC rules in Cortex XDR are designed for visibility and alerting rather than prevention. Even if your security policy is set to "Block," alerts triggered by IOC rules (whether based on file names, hashes, or IPs) will appear as "Detected (Reported)" or "Reported" because the IOC engine does not have an inherent enforcement mechanism.

2. Wildcard Limitations in IOCs
IOC rules are static and simple. Modifying a filename (for example, by adding random numbers) will break the matching for a static indicator, as IOCs are intended to match the exact string provided.

3. Understanding the "New" Alert (Backward Scans)
The alert you received today may not indicate a real-time execution. When a new IOC rule is created or edited, Cortex XDR automatically performs a backward scan of historical data in the xdr_data dataset, typically covering the last 30 days.

To verify if the alert is retroactive, check the JSON output of the alert (Alt + Right-click > Debug Alert) for the following fields:

"matching_status": "BACKWARDS_SCANNED"
"is_backwards": true

Recommended Solution: Restriction Profiles
To actively block files based on a naming pattern (wildcards) when the hash is random, you should use Restriction Profiles. Restriction Profiles allow for flexible execution control based on file attributes rather than static hashes.

Configuration Steps:

Navigate to Endpoints > Policy Management > Prevention > Profiles.
Select the Restrictions tab.
Create a new Restriction Profile or edit an existing one applied to your target endpoints.
In the Executable Files section, click + Add.
In the PROCESS field, enter your pattern using the asterisk wildcard (for example, *MyPDFSwitch*.exe) and set the ACTION to Block.
Save the profile and ensure it is assigned to an active Policy Rule.

Alternative: BIOC Rule with BTP Action
If the file name is highly unpredictable or naming-based blocks are easily bypassed, create a custom Behavioral IOC (BIOC) rule. You can base this rule on consistent attributes like the digital signer, internal product name, or specific behaviors (for example, unusual command-line arguments). Once created, add the BIOC to a Restriction Profile and set it to a Block or Terminate Process action via the Behavioral Threat Prevention (BTP) module.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: Issue with IOC not blocking MyPDFSwitch executable in Cortex XDR Discussions

Issue with IOC not blocking MyPDFSwitch executable

Re: Issue with IOC not blocking MyPDFSwitch executable