Local Analysis Malware - Signed exe

M.Wempen — Tue, 02 Jun 2026 12:56:23 GMT

Hello,

we have following case:

The "Local Analysis Malware" module blocks a self-developed, unsigned tool. However, after signing the tool with our own certificate, it is no longer blocked—even though we have not added or configured this certificate in any of the policies.

How can this behavior be explained? Does Cortex integrate with or reference the Windows Certificate Store? In other words, is the exe file allowed to run as soon as the certificate chain can be successfully validated?

Thank you!

Re: Local Analysis Malware - Signed exe

susekar — Tue, 02 Jun 2026 13:55:08 GMT

Hello @M.Wempen ,

Greetings for the day.

The behavior you observed—where signing your self-developed tool with a certificate allowed it to bypass the Local Analysis Malware module—is related to how the Cortex XDR agent evaluates Windows executables and integrates with the Windows operating system.

Why the Unsigned Tool Was Blocked:

-The Local Analysis module uses a machine learning algorithm to evaluate numerous file characteristics immediately when a file is launched.

-When a file is unsigned, its risk score increases significantly during this evaluation process. This can result in a "Suspicious executable detected" (CYSTATUSMALICIOUSEXE) verdict and subsequent blocking action.

How Signing Bypasses Local Analysis:

On Windows endpoints, the Cortex XDR agent follows a defined evaluation flow during malware protection processing.

Skip Local Analysis for Signed Files: If an unknown executable or DLL is signed by a recognized or trusted signer, the Cortex XDR agent may allow execution without performing additional Local Analysis evaluation.

Integration with Windows Certificate Store :The agent relies on native Windows validation mechanisms, such as WinVerifyTrust, to verify the authenticity and cryptographic integrity of a file’s digital signature.

Certificate Validation Requirement: For the signature to be considered valid and eligible to bypass Local Analysis, the operating system must successfully validate the certificate chain. This requires the Root CA associated with the signing certificate to exist within the endpoint’s Windows Trusted Root Certification Authorities store.

Explanation of Your Specific Case:

-You do not need to explicitly configure your certificate within Cortex policies for this behavior to occur.

Note: As long as the Windows endpoint successfully validates the certificate chain, the agent recognizes the file as digitally signed by a trusted or known signer. Based on the standard protection workflow, the agent can bypass the Local Analysis module, which explains why the file is no longer blocked after signing.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: Local Analysis Malware - Signed exe

M.Wempen — Tue, 02 Jun 2026 14:55:08 GMT

Alright thank you 🙂

topic Local Analysis Malware - Signed exe in Cortex XDR Discussions

Local Analysis Malware - Signed exe

Re: Local Analysis Malware - Signed exe

Why the Unsigned Tool Was Blocked:

How Signing Bypasses Local Analysis:

Explanation of Your Specific Case:

Re: Local Analysis Malware - Signed exe