Application Fingerprinting

S.Jagushte774563 — Tue, 05 May 2026 12:30:48 GMT

Hello Community,

I want to understand if application fingerprinting can be achieved in cortex. If yes, what is the approach of achieving default block for all the unknown application.

Thanks and Regards.

Re: Application Fingerprinting

susekar — Wed, 06 May 2026 18:52:06 GMT

Hello @S.Jagushte774563 ,

Greetings for the day.

Cortex XDR identifies and "fingerprints" applications primarily through unique identifiers such as SHA-256 file hashes, digital signers (signatures), and file paths.

While Cortex XDR is primarily a threat prevention platform, you can achieve a "Zero Trust" or "Default Deny" application control posture where all unknown applications are blocked by default and only approved ones are permitted to execute.

(Approaches for Default Block of Unknown Applications)

There are two primary methods to implement a default block posture for unknown applications in Cortex XDR:

1. The Restriction Profile & Legacy Exceptions Approach (Strict Allowlisting)

This is the most common method for implementing a strict application control policy.

Step 1: Create a broad block rule.
Create a Restrictions Profile and add a broad wildcard (e.g., * or *.exe) to the Block List.
Step 2: Explicitly define approved items.
Use the Allow List within the Restrictions Profile or create Legacy Agent Exceptions to permit specific trusted applications based on their file path, hash, or signer.
Priority:
The agent prioritizes the Allow List over the Block List, ensuring that approved applications run even if they match the broad wildcard block.

2. The Malware Profile "Block Unknown" Approach

This method relies on WildFire threat intelligence to determine if an application is known to the environment or Palo Alto Networks.

Action on Unknown:
Within the Malware Security Profile, set the configuration Action when file is unknown to WildFire to Block.
Logic:
When an application attempts to run, the agent calculates its SHA-256 hash. If WildFire does not have a verdict (Benign or Malware) for that hash, the application is blocked.
Caveat:
This approach can be high-impact, as new legitimate files or temporary DLLs (e.g., from .NET updates) might be blocked until they are analyzed by WildFire.

Best Practices and Considerations:

High Impact:
Strict allowlisting is a high-impact configuration. It is recommended to test these policies on a small group of non-critical systems before a broader rollout.
Fingerprinting via Signers:
To avoid manually managing hashes for every software update, you can use signer-based allowlisting (e.g., allowing all applications signed by "Microsoft Corporation").
Identifying Hashes:
To obtain the SHA-256 "fingerprint" of a specific file locally for a block/allow rule, you can use the following command:

cytool file query [PATHTOFILE]

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".