Excluding files from local malware analysis scan

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Excluding files from local malware analysis scan

L2 Linker

Hi all,

I have a specific file that i would like to whitelist. I have it in the allow list(by hash) but it still sometimes blocked by the "local analysis malware" due to having a different hash than the one in the allow list.

Is there a way to exclude a file from the scan via name, or any other way?

 

1 ACCEPTED SOLUTION

Accepted Solutions

L1 Bithead

If the file is always in the same location you can create a malware profile and exclude this location from scanning.

That is the easiest solution, as chaning hashes will invalidate the entires in the allow list

View solution in original post

5 REPLIES 5

L4 Transporter

Hi @Daniel_Itenberg , 

have you thought of adding the signer as a trusted signer ? this will not take into account the hash. This is useful also for drivers from specific vendors that sign their software. 

Please check this doc on how to do it at the malware profile:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/endpo...

I wont recommend much to add a whole folder to the allow list since malicious actors might drop their malware there and go undetected. 

If hash and trusted signer do not work either of them, open a TAC support case to get a suex. 
Hope this helps 

KR, 

Luis

What if the signature filed says "invalid signature"?

Hi @Daniel_Itenberg ,

 

I would open a TAC support case to see what is the issue here. Our TAC engineers will provide you help on this

KR, 

Luis

L1 Bithead

If the file is always in the same location you can create a malware profile and exclude this location from scanning.

That is the easiest solution, as chaning hashes will invalidate the entires in the allow list

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!