This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Application Fingerprinting

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Application Fingerprinting

S.Jagushte774563
L1 Bithead

‎05-05-2026 05:30 AM

Hello Community,

 

I want to understand if application fingerprinting can be achieved in cortex. If yes, what is the approach of achieving default block for all the unknown application. 

 

Thanks and Regards.

 

0 Likes Likes
3 REPLIES 3

susekar
L5 Sessionator

‎05-06-2026 11:52 AM

Hello @S.Jagushte774563 ,

 

Greetings for the day.

 

Cortex XDR identifies and "fingerprints" applications primarily through unique identifiers such as SHA-256 file hashes, digital signers (signatures), and file paths.

 

While Cortex XDR is primarily a threat prevention platform, you can achieve a "Zero Trust" or "Default Deny" application control posture where all unknown applications are blocked by default and only approved ones are permitted to execute.

(Approaches for Default Block of Unknown Applications)

There are two primary methods to implement a default block posture for unknown applications in Cortex XDR:

1. The Restriction Profile & Legacy Exceptions Approach (Strict Allowlisting)

This is the most common method for implementing a strict application control policy.

  • Step 1: Create a broad block rule.
    Create a Restrictions Profile and add a broad wildcard (e.g., * or *.exe) to the Block List.
  • Step 2: Explicitly define approved items.
    Use the Allow List within the Restrictions Profile or create Legacy Agent Exceptions to permit specific trusted applications based on their file path, hash, or signer.
  • Priority:
    The agent prioritizes the Allow List over the Block List, ensuring that approved applications run even if they match the broad wildcard block.

2. The Malware Profile "Block Unknown" Approach

This method relies on WildFire threat intelligence to determine if an application is known to the environment or Palo Alto Networks.

  • Action on Unknown:
    Within the Malware Security Profile, set the configuration Action when file is unknown to WildFire to Block.
  • Logic:
    When an application attempts to run, the agent calculates its SHA-256 hash. If WildFire does not have a verdict (Benign or Malware) for that hash, the application is blocked.
  • Caveat:
    This approach can be high-impact, as new legitimate files or temporary DLLs (e.g., from .NET updates) might be blocked until they are analyzed by WildFire.

Best Practices and Considerations:

  • High Impact:
    Strict allowlisting is a high-impact configuration. It is recommended to test these policies on a small group of non-critical systems before a broader rollout.
  • Fingerprinting via Signers:
    To avoid manually managing hashes for every software update, you can use signer-based allowlisting (e.g., allowing all applications signed by "Microsoft Corporation").
  • Identifying Hashes:
    To obtain the SHA-256 "fingerprint" of a specific file locally for a block/allow rule, you can use the following command:

 

cytool file query [PATHTOFILE]

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

0 Likes Likes

maximk
L2 Linker
In response to susekar

‎05-12-2026 10:36 PM

Hi @susekar 

Is this a theoretical interpretation, or a confirmed and established approach with known practical use?

Thanks. 

0 Likes Likes

S.Jagushte774563
L1 Bithead
In response to susekar

‎05-13-2026 10:17 PM

Hello Susekar,

 

Thanks for replying. I want to understand if i can prepare "Allow List" using Cortex platform. If yes what will be the approach?? I have tried obtaining the list using XQL but the telemetry that is ingested in cortex only covers the running applications or files with .exe extension. The query does not returns dormant application or silent .exe files. I want to parse and dedup all the .exe files available.

 

 

Thanks and Regards

0 Likes Likes
  • 239 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks