04-21-2021 02:27 AM
Hi,
We have been asked to whitelist a specified folder in order to disable any kind of real-time checks and analysis made by Cortex XDR.
So, we added the aforementioned folder in the allow lists of "Portable Executable and DLL Examination" and "Behavioral Threat Protection" sections in "Malware profile" configuration.
With this kind of configuration enabled, which Cortex XDR real-time checks remain active?
04-21-2021 03:08 AM
Hi @MCereda ,
You still have Child Process Protection, Office files with Macros and Ransomware.
I need to point out that active whitelisting is NOT really recommended except for "Portable Executable and DLL Examination" as Local Analysis could indeed block legit applications, and it could take WF up to 10-15 minutes to provide a benign verdict.
The other modules have different kinds of protections and I would only recommend whitelisting whenever there is a false positive alert.
You need to monitor your incidents/alerts and see which modules are blocking your "legit" applications.
04-21-2021 05:02 AM - edited 04-21-2021 05:03 AM
Hi @fmoixsante,
Thank you for the answer.
As we have been asked to temporarily disable any kind of real-time checks and analysis made by Cortex XDR on a specified folder in order to test a performance issue, do you know how to completely disable Cortex XDR features for a single folder?
04-21-2021 05:09 AM
Hi @MCereda ,
You can whitelist folders for almost every malware module, except for Ransomware and Password Theft Protection.
For the Exploit module, disabling protections for a single folder is not supported as far as I know. As of now, there is no way to do that directly from the Exploit module. I would suggest contacting TAC and asking them if a Support Exception (SUEX) would be able to achieve what you want to do.