How to add exception for known macros detection by cortex XDR

S.Rembhotkar — Tue, 26 May 2026 10:17:49 GMT

We are facing alerts for some excel enabled macro files are getting blocked in local analysis which is known and signed.

After certain time file verdict changed to benign but still its triggered in local analysis and user unable to execute it.

Please help us how to unblock this without adding specific path under exception.

Thanks

Re: How to add exception for known macros detection by cortex XDR

susekar — Tue, 26 May 2026 13:17:14 GMT

Hello @S.Rembhotkar ,

Greetings for the day.

To unblock Excel macro-enabled files without adding a specific path exception, you can utilize the Macro Hash, implement a Signer Allow List, or adjust the Malware Profile settings.

These methods are more scalable and secure than path-based exclusions, especially when file hashes change frequently due to updates.

Option 1: Add the Macro Hash to the Allow List:

Cortex XDR calculates two hashes for macro-enabled files: the hash of the file itself (which changes if the file is edited) and a unique Macro Hash (or stream hash) representing the VBA code structure. By allow-listing the Macro Hash, you permit the specific macro code to run regardless of the file name or location.

Retrieve the Macro Hash:

Navigate to Incident Response > Incidents > Alerts Table.
Locate the "Suspicious macro detected" alert.
Right-click the alert and select Investigate Causality Chain.
Open the Alert Card and expand Alert Details.
Locate and copy the MACRO HASH256 (found in Additional Argument 3 or streamHash in raw alert data).

Add to Allow List:

Go to Incident Response > Response > Action Center.
Click + New Action > Add to Allow List.
Paste the Macro Hash and click Done.

Option 2: Use Signer Allow List (If Macros are Digitally Signed):

Since the macros are signed, you can add the certificate’s signer to the Signer Allow List in your Malware Security Profile. This allows any file signed by that specific trusted certificate to execute.

Identify the signer’s name from the alert data (for example, "Example Corp").
Navigate to Policy Management > Profiles > Malware.
Edit the profile and go to the Windows tab > Portable Executables, DLLs, and Office Macros.
Locate Signer Whitelist and add the signer name.

Option 3: Adjust Malware Profile for “Low Confidence” Verdicts:

The alerts may persist because WildFire returns a “Benign with Low Confidence” verdict, which triggers the agent’s Local Analysis engine by default. You can change this behavior for trusted users or endpoints.

In your Malware Security Profile, navigate to Portable Executables, DLLs, and Office Macros.
Change Action when file is benign with low confidence from Run Local Analysis to Allow.

Note: This setting applies to all files in that profile. To minimize risk, apply the modified profile only to specific user groups or endpoints.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic How to add exception for known macros detection by cortex XDR in Cortex XDR Discussions

How to add exception for known macros detection by cortex XDR

Re: How to add exception for known macros detection by cortex XDR

Option 1: Add the Macro Hash to the Allow List:

Option 2: Use Signer Allow List (If Macros are Digitally Signed):

Option 3: Adjust Malware Profile for “Low Confidence” Verdicts: