GoToMeeting Whitelist

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GoToMeeting Whitelist

L0 Member

Does anyone know how to whitelist the GoToMeeting download?

 

It is an EXE but the client agent blocks it.  When I attempt to whitelist it, EVERY SINGLE download is a different hash value making it impossible to whitelist.

 

Thanks for any suggestions.

5 REPLIES 5

L3 Networker

Can you please post the alert details?

You can actually make an exception based on the filename, signer or various other methods etc.. under the Invetigation tab > Exclusions.

Kind Regards
KS

L4 Transporter

Hi BillStrahan,

 

It would be beneficial to post the "alert source" and "alert name" values observed when executing the GoToMeeting file. Adding to the allow list, as instructed here, would only work if the "Alert Source = 'XDR Agent'" and the "Alert Name contained 'malware.'"  Other alert sources and names have different instructions for creating exceptions to permit a file to run. For example, an alert with "Alert Source = 'XDR Agent'" and the "Alert Name = 'Behavioral Threat,'" would need a BTP exception rather than a whitelist to permit execution.

 

More information about the different ways to make exceptions can be found here: Add a New Exceptions Security Profile.

 

Please let us know your findings.

 

PS. Given that the hash changes frequently, there are two other ways to permit the GoToMeeting file to run if it is being categorized as malware, and that is by adding the signer to the Allow List Signers ('Malware Security Profile' > 'Allow List Signers,') or to a Files/Folders allow list ( 'Malware Security Profile' > 'Files/Folders in Allow List.')

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

L4 Transporter

Hi @BillStrahan -

 

For this very "installer," the Trusted Publisher feature was introduced over 4 years ago.  The Trusted Publisher feature should allow the installer to run.  I recommend contacting Support if you are seeing blocks tied to the GTM installer.  


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Our prior AV solution began having fits with Goto products about a year ago.  As paying customers we begged the LogMeIn vendor to stop changing the hash of the file each time it was downloaded to no avail.  We were forced to place the vendors certificate on the allow list since this crippled the organization.  We have not run into any issues with the Goto products with Cortex XDR Prevent 7.1.3 on Windows (don't do Mac/Linux).

L4 Transporter

Hi @BillStrahan

 

Were you able to successfully add the GoToMeeting executable to the allow list using any previous suggestions?

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw
  • 3602 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!