This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Excluding files from local malware analysis scan

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Excluding files from local malware analysis scan

Go to solution
Daniel_Itenberg
L2 Linker

‎04-03-2022 12:11 AM

Hi all,

I have a specific file that i would like to whitelist. I have it in the allow list(by hash) but it still sometimes blocked by the "local analysis malware" due to having a different hash than the one in the allow list.

Is there a way to exclude a file from the scan via name, or any other way?

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
MartinPfeil
L2 Linker

‎04-04-2022 07:36 AM

If the file is always in the same location you can create a malware profile and exclude this location from scanning.

That is the easiest solution, as chaning hashes will invalidate the entires in the allow list

View solution in original post

5 REPLIES 5

Go to solution
eluis
L4 Transporter

‎04-03-2022 07:55 AM

Hi @Daniel_Itenberg , 

have you thought of adding the signer as a trusted signer ? this will not take into account the hash. This is useful also for drivers from specific vendors that sign their software. 

Please check this doc on how to do it at the malware profile:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/endpo...

I wont recommend much to add a whole folder to the allow list since malicious actors might drop their malware there and go undetected. 

If hash and trusted signer do not work either of them, open a TAC support case to get a suex. 
Hope this helps 

KR, 

Luis

0 Likes Likes

Go to solution
Daniel_Itenberg
L2 Linker
In response to eluis

‎04-04-2022 02:11 AM

What if the signature filed says "invalid signature"?

0 Likes Likes

Go to solution
eluis
L4 Transporter
In response to Daniel_Itenberg

‎04-04-2022 03:10 AM

Hi @Daniel_Itenberg ,

 

I would open a TAC support case to see what is the issue here. Our TAC engineers will provide you help on this

KR, 

Luis

0 Likes Likes

Go to solution
MartinPfeil
L2 Linker

‎04-04-2022 07:36 AM

If the file is always in the same location you can create a malware profile and exclude this location from scanning.

That is the easiest solution, as chaning hashes will invalidate the entires in the allow list

Go to solution
Anil_Racharla
L1 Bithead
In response to eluis

‎08-24-2022 10:42 PM

Hii Eluis,
How to add a trusted signer .
How to sign a application which is internal built for organisation

0 Likes Likes
  • 1 accepted solution
  • 5190 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks