04-07-2025 01:52 AM
Considering PE, PE64 and macro-enabled Word and Excel documents are allowed to be entered into the blocklist, does it make any sense to add a .bat or a PowerShell .ps1 file to the Cortex XDR blocklist?
04-07-2025 10:41 PM
Honestly, adding a .bat or .ps1 file to the XDR blocklist can work, but only in very specific cases. You are basically telling XDR, “Hey, if you see this exact file (by its hash), block it.” That’s cool if you’re dealing with a known, unchanging script, but let’s be real, attackers don’t usually play that way. Scripts change, get obfuscated, renamed, or generated on the fly.
So, does it make sense? Yes, but only if you are targeting a very specific threat and you’ve got the exact hash.
But for broader protection? Not really ideal.
If your goal is to stop .bat or PowerShell scripts from running altogether (especially in places they shouldn’t be), you’re better off using a Restrictions Security Profile. That lets you say, “Don’t allow any scripts from these folders,” or “Block scripts entirely.” It’s way more flexible and doesn’t rely on the file being identical every time.
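The difference between the two controls described in the reply above, as an added example that is not part of the original post and does not use any Cortex XDR API: a hash entry matches only byte-identical content, while a folder rule keys on where the script runs from. The function names, paths and script contents are hypothetical, constructed samples, and the folder rule is a simplified stand-in for a restriction policy.

```python
import hashlib
from pathlib import PureWindowsPath

def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def hash_blocklist_verdict(content: bytes, blocklist: set) -> str:
    # Hash blocklist: blocks only when the bytes are identical to a listed file.
    return "block" if sha256_hex(content) in blocklist else "allow"

def folder_restriction_verdict(path: str, restricted_dirs, exts=(".bat", ".ps1")) -> str:
    # Simplified folder rule (assumption): block script types under listed folders.
    p = PureWindowsPath(path)
    if p.suffix.lower() not in exts:
        return "allow"
    if any(PureWindowsPath(d) in p.parents for d in restricted_dirs):
        return "block"
    return "allow"

def evaluate(samples, blocklist, restricted_dirs):
    # Returns (path, hash verdict, folder verdict) for each sample.
    return [
        (path,
         hash_blocklist_verdict(content, blocklist),
         folder_restriction_verdict(path, restricted_dirs))
        for path, content in samples
    ]

# Constructed sample data: the "known" script is the one whose hash was blocklisted.
KNOWN = b"@echo off\r\necho constructed sample\r\n"
VARIANT = KNOWN + b"rem one added line\r\n"   # same behaviour, different bytes
BLOCKLIST = {sha256_hex(KNOWN)}
RESTRICTED = [r"C:\Users\alice\Downloads"]
SAMPLES = [
    (r"C:\Users\alice\Downloads\setup.bat", KNOWN),      # exact known file
    (r"C:\Users\alice\Downloads\renamed.bat", KNOWN),    # renamed, same bytes
    (r"C:\Users\alice\Downloads\setup.bat", VARIANT),    # content changed
    (r"C:\Admin\Scripts\maintenance.ps1", b"Write-Output 'constructed'\r\n"),
]

if __name__ == "__main__":
    for path, by_hash, by_folder in evaluate(SAMPLES, BLOCKLIST, RESTRICTED):
        print(f"{path:45} hash={by_hash:5} folder={by_folder}")
```

Renaming alone does not defeat the hash entry, but any change to the content does; the folder rule catches both while leaving the script in the administrative path alone.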