Yes, it is possible to block these files without generating an incident, but this requires a combination of a Restriction Profile for the blocking action and an Alert Exclusion rule to suppress incident generation.
Native Indicator of Compromise (IOC) rules are designed for detection and alerting only and do not inherently support prevention or blocking actions.
To achieve a “silent block” for your malicious files, follow these steps:
1. Create a Restriction Profile to Block by Filename
While the global Block List in the Action Center only supports SHA256 hashes, you can use a Restriction Profile to block execution based on filename wildcards.
Navigate to: Endpoints > Policy Management > Prevention > Profiles
- Click + Add Profile
- Select the relevant OS (e.g., Windows)
- Choose Restrictions as the profile type
- In the profile settings, locate the Executable files section
- Add your wildcard pattern. To ensure the file is blocked regardless of its directory, use a leading wildcard: *PDFEditor_*.exe
- Save the profile
- Ensure it is assigned to a Policy Rule applied to your target endpoints
2. Suppress Incidents Using Alert Exclusion
By default, a block action will trigger a prevention alert and generate an incident. To prevent this, create an Alert Exclusion rule to suppress the resulting notifications.
Navigate to: Configuration > Incident & Alerts > Alert Exclusion
- Click + Add Exclusion Rule
- Define the exclusion criteria to match the block events. You can filter by:
  - Field: Action Process Image Name
  - Operator: wildcard
  - Value: *PDFEditor_*.exe
  Alternatively, you can filter by the specific Rule Name defined in the Restriction Profile.
- Save the rule
This will globally suppress alerts and incidents matching these criteria while allowing the agent to continue enforcing the block.
Important Considerations:
- IOC Limitations: Standard IOC rules are primarily used for threat hunting and post-execution visibility; they do not function as a pre-execution prevention mechanism.
- Bypassing Risk: Blocking by filename or wildcard is less reliable than hash-based blocking, as an attacker can easily rename the executable to bypass the restriction. If the hashes are known, adding them to the global Block List via the Action Center is the recommended security best practice.
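The following is an added illustration, not code from the answer above or from Cortex XDR: it approximates how a filename wildcard such as `*PDFEditor_*.exe` behaves compared with a SHA256 block-list entry, so that the two considerations in the answer (why the leading `*` matters, and why renaming defeats a filename restriction while a hash does not) can be seen on constructed inputs. The glob semantics (case-insensitive `fnmatch` over the full image path), the function names and the sample file contents are all assumptions made for the illustration; the product's actual matching engine is not described on the page.

```python
"""Illustration only (not Cortex XDR code): filename-wildcard blocking versus
SHA256 block-list blocking, evaluated on constructed sample executions."""
import fnmatch
import hashlib

# Wildcard pattern from the answer above.
RESTRICTION_PATTERN = "*PDFEditor_*.exe"


def matches_wildcard(image_path: str, pattern: str = RESTRICTION_PATTERN) -> bool:
    """Case-insensitive glob match of a full Windows image path against the
    profile's wildcard (assumed semantics). fnmatch's '*' also matches path
    separators, so a leading '*' lets the pattern hit in any directory; without
    it, the pattern would only match a bare filename, not a full path."""
    return fnmatch.fnmatch(image_path.lower(), pattern.lower())


def sha256_of(content: bytes) -> str:
    """Hex SHA256 of the file content, as used by a hash-based Block List."""
    return hashlib.sha256(content).hexdigest()


def evaluate(image_path: str, content: bytes, hash_blocklist: set,
             pattern: str = RESTRICTION_PATTERN) -> dict:
    """Report which control would stop this execution: the filename
    restriction, the hash block list, neither, or both."""
    return {
        "blocked_by_wildcard": matches_wildcard(image_path, pattern),
        "blocked_by_hash": sha256_of(content) in hash_blocklist,
    }


# Constructed sample contents (placeholder bytes, not real binaries).
MALICIOUS_BYTES = b"MZ constructed malicious sample for the illustration"
BENIGN_BYTES = b"MZ constructed benign sample that happens to share the name"


def demo() -> dict:
    """Run the four cases a defender would want to compare.
    Returns a mapping from case label to the evaluate() result."""
    blocklist = {sha256_of(MALICIOUS_BYTES)}   # hash-based Block List entry
    cases = {
        # Original name in a typical download location: both controls fire.
        "original": (r"C:\Users\alice\Downloads\PDFEditor_setup.exe", MALICIOUS_BYTES),
        # Different drive, different case: leading '*' still matches.
        "other_dir": (r"D:\temp\pdfeditor_1.2.exe", MALICIOUS_BYTES),
        # Same bytes, renamed: wildcard misses, hash still catches it.
        "renamed": (r"C:\Users\alice\Downloads\Editor.exe", MALICIOUS_BYTES),
        # Unrelated file with a similar name: wildcard fires on a false positive.
        "lookalike": (r"C:\Tools\PDFEditor_helper.exe", BENIGN_BYTES),
    }
    return {label: evaluate(path, content, blocklist)
            for label, (path, content) in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:10s} {result}")
```

The `renamed` and `lookalike` cases are the two failure modes the answer points at: a filename restriction is both evadable by renaming and prone to matching unrelated files with similar names, which is why hash entries in the global Block List are preferred whenever the hashes are known.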