Cortex XDR whitelisting

cancel
Showing results for 
Search instead for 
Did you mean: 

Cortex XDR whitelisting

L0 Member

Hi,

 

We have been asked to whitelist a specified folder in order to disable any kind of real-time checks and analysis made by Cortex XDR.

 

So, we added the aforementioned folder in the allow lists of "Portable Executable and DLL Examination" and "Behavioral Threat Protection" sections in "Malware profile" configuration.

With this kind of configuration enabled what are Cortex XDR real-time checks that remain active?

1 ACCEPTED SOLUTION

Accepted Solutions

L3 Networker

Hi @MCereda ,

 

You still have Child Process Protection, Office files with Macros and Ransomware.

 

I need to point out that active whitelisting is NOT really recommended except for "Portable Executable and DLL Examination" as Local Analysis could indeed block legit applications, and it could take WF up to 10-15 minutes to provide a benign verdict.

 

The other modules have different kind of protections and I would only recommend whitelisting whenever there is a false positive alert.

You need to monitor your incidents/alerts and see which modules are blocking your "legit" applications.

 

 

View solution in original post

3 REPLIES 3

L3 Networker

Hi @MCereda ,

 

You still have Child Process Protection, Office files with Macros and Ransomware.

 

I need to point out that active whitelisting is NOT really recommended except for "Portable Executable and DLL Examination" as Local Analysis could indeed block legit applications, and it could take WF up to 10-15 minutes to provide a benign verdict.

 

The other modules have different kind of protections and I would only recommend whitelisting whenever there is a false positive alert.

You need to monitor your incidents/alerts and see which modules are blocking your "legit" applications.

 

 

Hi @fmoixsante,

thank you for the answer.

 

As we have been asked us to temporarily disable any kind of real-time checks and analysis made by Cortex XDR on a specified folder in order to test a performance issue, do you know how to completely disable Cortex XDR features for a single folder?

Hi @MCereda ,

 

You can whitelist folders for almost every malware module, except for Ransomware and Password Theft Protection.

 

For the Exploit module, disabling protections for a single folder is not supported as far as I know. As of now, there is no way to do that directly from the Exploit module. I would suggest contacting TAC and ask them if a Support Exception (SUEX) would be able to achieve what you want to do.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!