Cortex XDR Blockage activity


L1 Bithead

Previously, if a needed executable was blocked by XDR, we used to add that ***.exe to the malware profile. But now we have faced the issue that the client has connected ClickShare (PC screen share) equipment, which is an external device connected to the machine's USB port. How can we add that .exe to the exception list so it works on the machine? It's not working if we add it to the malware profile.

3 REPLIES

L3 Networker

Hi VineethArumulla,


Are you saying you are unable to add the file in the malware profile like you previously were able to? Or you were able to add the file but the traffic is still being blocked?

In the last XDR version release (3.5), the workflow for managing exceptions and module allow-listing changed a bit. Navigate to Settings>Exceptions Configuration>Legacy Agent Exceptions then in the top right of the page click "Add Rule". As you navigate through the rule creation wizard you will need to define a name for the rule, select the associated platform, select which endpoint protection module you are wanting the exception applied to, define the target properties, then select which profile(s) you want the exception applied to. Once the rule is saved it will be applied to the associated endpoints at their next check-in.

Regards,
Ben

We're able to add the file in the malware profile, but the traffic is still being blocked, so we added the same file in the restriction profile. Is that the correct path? Are there any changes in XDR version 7.8.0?

Hi VineethArumulla,

I do not recommend using the restrictions profile in this way, as it could cause unexpected behavior since that is not the intended function.
The allow-lists you are referring to in the malware profile are module specific, so it is important to make sure you are applying the setting to the correct module. In the alerts table, look in the "module" field for this alert, then make sure you are adding the file/path to the corresponding module allow-list in the malware profile. Keep in mind that in some cases a file may trigger multiple modules, in which case you would need to add the file to all applicable module allow-lists. If you have already done this and the traffic continues to be blocked, I would recommend opening a support case to address the issue.

Regards,
Ben 
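The point in the reply above, that one file can trigger several protection modules and then needs an entry in every corresponding module allow-list, is easy to miss when working from individual alerts. The following is an added example, not code from the thread or from Palo Alto Networks: it takes rows exported from the alerts table, keeps only the blocking alerts, and lists for each blocked file the set of modules that fired, then compares that against the allow-lists the file is already in. The column names (alert_id, module, action, file_path), the module names and the action strings are assumptions about the export format, and the rows are constructed sample data.

```python
"""
Added example (not from the original thread): work out which Cortex XDR
protection-module allow-lists a blocked executable needs to appear in, based
on the "module" field of the alerts raised against it.

Assumptions: the alerts export has columns alert_id, module, action and
file_path; blocking actions contain the word "Blocked". Sample rows below are
constructed, not a real export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (assumed column names; not real customer data).
SAMPLE_ALERTS_CSV = """\
alert_id,module,action,file_path
1,Behavioral Threat Protection,Prevented (Blocked),C:\\Program Files\\ClickShare\\clickshare.exe
2,Local Analysis,Prevented (Blocked),C:\\Program Files\\ClickShare\\clickshare.exe
3,WildFire,Prevented (Blocked),C:\\Program Files\\ClickShare\\clickshare.exe
4,Local Analysis,Detected (Reported),C:\\Users\\alice\\tool.exe
5,Behavioral Threat Protection,Prevented (Blocked),C:\\Program Files\\ClickShare\\clickshare.exe
"""


def _norm(path):
    """Windows paths are case-insensitive, so compare them case-folded."""
    return path.strip().casefold()


def modules_per_blocked_file(csv_text):
    """Return {normalized file_path: sorted list of modules that blocked it}.

    Only rows whose action indicates a block are counted. A file that shows
    up under several modules needs an allow-list entry for each of them; an
    entry in one module's allow-list does not cover alerts from another.
    Detection-only (reported) alerts are ignored, since nothing was blocked.
    """
    blocked = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "blocked" in row["action"].lower():
            blocked[_norm(row["file_path"])].add(row["module"].strip())
    return {path: sorted(mods) for path, mods in blocked.items()}


def missing_allowlists(csv_text, configured):
    """Compare the modules that blocked each file against the module
    allow-lists the file is already in.

    `configured` maps file_path -> iterable of module names whose allow-list
    already contains that file. Returns {file_path: [modules still missing]}
    for files that would keep being blocked.
    """
    have = {_norm(p): {m.strip() for m in mods} for p, mods in configured.items()}
    gaps = {}
    for path, mods in modules_per_blocked_file(csv_text).items():
        missing = [m for m in mods if m not in have.get(path, set())]
        if missing:
            gaps[path] = missing
    return gaps


if __name__ == "__main__":
    # The file is only in the Local Analysis allow-list so far (assumed).
    already = {r"C:\Program Files\ClickShare\clickshare.exe": {"Local Analysis"}}
    for path, mods in missing_allowlists(SAMPLE_ALERTS_CSV, already).items():
        print(f"{path} still needs allow-list entries for: {', '.join(mods)}")
```

Run against a real export, the output tells you which module allow-lists in the malware profile still lack the file; if every module that blocked it is already covered and the block persists, that is the point at which the reply suggests opening a support case.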
