Typically the signer block list is maintained by the PANW team and is distributed via content updates.
The way for customers to block a process is to block the hash, as you have done. The hash will be checked before the WF verdict, so it will prevail before the WF check.
An indirect way to create a signer block is the following:
You create a custom BIOC for this signer and then you push it onto a restriction profile.
This way the process will execute, but immediately the behavioural threat protection will kick in and block & kill the process.
I hope this helps; please like it if it was useful.
Have Fun with it,