- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-20-2022 08:32 PM
Hi everyone,
Can we allow/block the file hash for a particular endpoint instead of allowing/blocking the file hash on all the endpoints?
Regards
01-20-2022 11:44 PM
@RahulPrajapati yes. Please create a new profile and apply it to a single endpoint/set of endpoints/static or dynamic groups as per your prevention policies.
01-20-2022 10:10 PM
Hi @RahulPrajapati you can use a Malware profile to key in a file path (see Step 3, substep 3 here).
Alternately, you can also look at using Exception Profile for specific modules that you want the process to be exempted from (Step 3 here).
01-20-2022 10:31 PM
Hi @bbarmanroy ,
But this will allow/block the file on all endpoints on which this profile is applied right? But I want to allow/block the file for specific endpoint not all endpoints
Regards
01-20-2022 11:44 PM
@RahulPrajapati yes. Please create a new profile and apply it to a single endpoint/set of endpoints/static or dynamic groups as per your prevention policies.
07-25-2022 03:31 AM
Hi @bbarmanroy ,
Even I'm having the similar requirement to allow hash for specific endpoints.
But as per my observation, the Malware profile allows only to add files/folders/trusted signers into allow list. I don't see any fields where I can add hashes.
We have a scenario here where we need to allow the execution of a particular internal tool that has no signers and can be found in different file paths with different end users. Therefore I can whitelist neither trusted signers nor files/folders. I need to allow the only hash to this specific group of people. Unfortunately, that option is unavailable.
Thanks!!
12-21-2022 12:05 PM
@bbarmanroy, why is this marked with an accepted answer?
Cortex XDR allows whitelisting hashes globally, not on specific endpoints or groups. The subject of this (Cortex XDR-File hash Allow/Block on specific endpoint) is not solved.
I require whitelisting on a per-group basis as well; this seems like a pretty basic and fundamental feature. Allowing only globally whitelisted SHA256 hashes puts other groups at risk unnecessarily, when only a single isolated group or device requires the whitelisted hash.
@MithunKT correctly states that Malware profiles or Legacy Agent Exceptions only provide files/folders/trusted signers.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!