Block Execution of Specific Applications Regardless of Version


L0 Member

 

Hi,

We want to enforce the use of only the approved version of AnyDesk (9.6.5.0 and above) on all Windows endpoints and completely prevent execution of any older versions of anydesk.exe.

Is there a clean and maintainable way to achieve this using Cortex XDR Prevention/Restriction Profiles?

From what I’ve seen, the straightforward way is:
- Block anydesk.exe by path/name
- Create hash-based exceptions only for the approved version(s)

Every old version has a different hash, so we would need to collect and maintain a long block-list of hashes for all previous versions (which is not practical).


1. Can we restrict execution based on the software version instead of the hash?
2. Is there a way to “allow only versions ≥ 9.6.5.0” or “allow only this specific version” without blocking every single old hash manually?

 

Thanks


L3 Networker

Hello @DanielBr ,

 

Greetings for the day.

 

Direct application blocking based solely on a software version number (e.g., version 9.6.5.0) is not a natively supported feature in Cortex XDR Prevention or Restriction Profiles. Execution control in Cortex XDR primarily utilizes SHA-256 hashes, digital signers, and file paths.

 

However, there is a technical path to achieve selective version control for AnyDesk:

1. Recommended Approach: Custom BIOC Rules

For complex requirements such as "allow only version X and block all others," the most robust and maintainable solution is the creation of a Custom Behavioral Indicator of Compromise (BIOC) rule.
* How it works: A BIOC rule can be configured to target specific process execution characteristics. While standard profiles cannot filter by version string, custom XQL-based BIOC rules can sometimes target unique metadata associated with specific application releases.
* Policy Enforcement: Once created, this BIOC rule is added to a Restriction Profile under the "Custom Prevention Rules" section to enforce a block on any version that does not meet your criteria.
* Support Note: The design and implementation of complex custom BIOC rules for policy enforcement are considered out of scope for the Technical Assistance Center (TAC). You should engage your Palo Alto Networks Accounts Team (Sales Consultant or Deployment Consultant) for assistance with the specific XQL logic required for version-based AnyDesk control.

2. Workaround: Signer-Based Block with Hash Exceptions

If you wish to manage this using standard features, you can implement a broader block and then whitelist your approved version:
* Block by Digital Signer: Create a BIOC rule to block execution for the signer "AnyDesk Software GmbH" (or "philandro Software GmbH" for older versions). This ensures all AnyDesk files are blocked regardless of their hash or filename.
* Allow Approved Version: Create a Legacy Agent Exception for the SHA-256 hash of version 9.6.5.0.
* Maintenance: This is more maintainable than a blocklist of old hashes because you only need to maintain a single "Allow" exception for the currently approved hash. Any other version (including future ones you haven't approved yet) will be caught by the signer-based block.

3. Monitoring via BIOC

If you do not want to block immediately, you can use BIOC rules to monitor and alert when versions change (e.g., by monitoring registry writes or specific file metadata) to identify endpoints that need to be updated.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Happy New Year!!

 

Thanks & Regards,
S. Subashkar Sekar
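An added example, not part of either post in this thread: before building the signer-based block with a hash exception that the reply describes, you need the SHA-256 of the approved anydesk.exe, proof that the binary really carries the expected signer, and a version comparison that does not trip over string ordering (as plain strings, "9.10.0.0" sorts below "9.6.5.0"). This PowerShell audit, run on a reference endpoint, collects all three for every AnyDesk binary it finds and prints the hashes that qualify for the allow exception. The candidate paths, the minimum version and the signer common names are assumptions taken from the thread; adjust them to your estate.

```powershell
# Added example: audit AnyDesk binaries on an endpoint and emit the SHA-256 values
# that qualify for the Cortex XDR allow exception. Assumptions: the minimum version,
# the signer names (taken from the reply above) and the install/portable paths.
$MinimumVersion  = [version]'9.6.5.0'
$ExpectedSigners = @('AnyDesk Software GmbH', 'philandro Software GmbH')   # verify against your own copy

# Known install locations plus the usual portable/download spots. AnyDesk happily runs
# from a user folder, so a path-only block that covers Program Files is not enough.
$CandidatePaths = @(
    "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe",
    "$env:ProgramFiles\AnyDesk\AnyDesk.exe",
    "$env:ProgramData\AnyDesk\AnyDesk.exe",
    "$env:LOCALAPPDATA\AnyDesk\AnyDesk.exe",
    "$env:USERPROFILE\Downloads\AnyDesk.exe"
)
# Sweep user profiles for stray copies as well (bounded depth keeps this quick).
$CandidatePaths += Get-ChildItem -Path "$env:SystemDrive\Users" -Filter 'AnyDesk.exe' `
    -Recurse -Depth 4 -File -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

function Get-AnyDeskAudit {
    param(
        [string[]] $Paths,
        [version]  $MinVersion,
        [string[]] $Signers
    )
    foreach ($p in ($Paths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique)) {
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        # Build the version from the numeric parts; the FileVersion string may carry suffixes
        # and would otherwise be compared as text.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

        # Authenticode check: the signature must be valid and the subject CN must be an expected signer.
        $sig     = Get-AuthenticodeSignature -FilePath $p
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $signerOk = ($sig.Status -eq 'Valid') -and
                    [bool]($Signers | Where-Object { $subject -like "*CN=$_*" })

        [pscustomobject]@{
            Path        = $p
            Version     = $ver
            SHA256      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signer      = $subject
            SignatureOk = [bool]$signerOk
            # Numeric comparison: 9.10.0.0 correctly ranks above 9.6.5.0 here.
            Verdict     = if ($ver -ge $MinVersion -and $signerOk) { 'APPROVED' } else { 'BLOCK' }
        }
    }
}

$audit = Get-AnyDeskAudit -Paths $CandidatePaths -MinVersion $MinimumVersion -Signers $ExpectedSigners
$audit | Format-Table Path, Version, SignatureOk, Verdict, SHA256 -AutoSize

# These hashes are what goes into the allow exception; everything else (older builds, unsigned
# or re-signed copies, future releases not yet approved) stays under the signer-based block.
$audit | Where-Object Verdict -eq 'APPROVED' | Select-Object -ExpandProperty SHA256 -Unique
```

Two practical notes on the reply's workaround. First, a hash exception covers exactly one binary, so each approved AnyDesk release means re-running this audit and replacing the exception hash; the signer block itself needs no maintenance. Second, the signer check here is what protects the policy from an attacker dropping an unsigned or differently signed anydesk.exe: a file that is neither signed by the expected vendor nor on the hash exception is blocked either way, which is the fail-closed behaviour you want.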
