Cortex XDR-File hash Allow/Block on specific endpoint

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR-File hash Allow/Block on specific endpoint

L2 Linker

Hi everyone,

 

Can we allow/block the file hash for a particular endpoint instead of allowing/blocking the file hash on all the endpoints?

 

Regards

1 accepted solution

Accepted Solutions

@RahulPrajapati yes. Please create a new profile and apply it to a single endpoint/set of endpoints/static or dynamic groups as per your prevention policies.

View solution in original post

5 REPLIES 5

L5 Sessionator

Hi @RahulPrajapati you can use a Malware profile to key in a file path (see Step 3, substep 3 here).

Alternately, you can also look at using Exception Profile for specific modules that you want the process to be exempted from (Step 3 here). 

 

Hi @bbarmanroy ,

 

But this will allow/block the file on all endpoints on which this profile is applied right? But I want to allow/block the file for specific endpoint not all endpoints

 

Regards

@RahulPrajapati yes. Please create a new profile and apply it to a single endpoint/set of endpoints/static or dynamic groups as per your prevention policies.

Hi @bbarmanroy ,

 

Even I'm having the similar requirement to allow hash for specific endpoints. 

But as per my observation, the Malware profile allows only to add files/folders/trusted signers into allow list. I don't see any fields where I can add hashes.

 

We have a scenario here where we need to allow the execution of a particular internal tool that has no signers and can be found in different file paths with different end users.  Therefore I can whitelist neither trusted signers nor files/folders. I need to allow the only hash to this specific group of people. Unfortunately, that option is unavailable.

 

Thanks!!

 

L0 Member

@bbarmanroy, why is this marked with an accepted answer?

 

Cortex XDR allows whitelisting hashes globally, not on specific endpoints or groups. The subject of this (Cortex XDR-File hash Allow/Block on specific endpoint) is not solved.

 

I require whitelisting on a per-group basis as well; this seems like a pretty basic and fundamental feature. Allowing only globally whitelisted SHA256 hashes puts other groups at risk unnecessarily, when only a single isolated group or device requires the whitelisted hash.

 

@MithunKT correctly states that Malware profiles or Legacy Agent Exceptions only provide files/folders/trusted signers.

 

 

  • 1 accepted solution
  • 8898 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!