Does anyone know how to whitelist the GoToMeeting download?
It is an EXE but the client agent blocks it. When I attempt to whitelist it, EVERY SINGLE download is a different hash value making it impossible to whitelist.
Thanks for any suggestions.
Can you please post the alert details?
You can actually make an exception based on the filename, signer or various other methods, etc., under the Investigation tab > Exclusions.
It would be beneficial to post the "alert source" and "alert name" values observed when executing the GoToMeeting file. Adding to the allow list, as instructed here, would only work if the "Alert Source = 'XDR Agent'" and the "Alert Name contained 'malware.'" Other alert sources and names have different instructions for creating exceptions to permit a file to run. For example, an alert with "Alert Source = 'XDR Agent'" and the "Alert Name = 'Behavioral Threat,'" would need a BTP exception rather than a whitelist to permit execution.
More information about the different ways to make exceptions can be found here: Add a New Exceptions Security Profile.
Please let us know your findings.
PS. Given that the hash changes frequently, there are two other ways to permit the GoToMeeting file to run if it is being categorized as malware, and that is by adding the signer to the Allow List Signers ('Malware Security Profile' > 'Allow List Signers') or to a Files/Folders allow list ('Malware Security Profile' > 'Files/Folders in Allow List').
Hi @BillStrahan -
For this very "installer," the Trusted Publisher feature was introduced over 4 years ago. The Trusted Publisher feature should allow the installer to run. I recommend contacting Support if you are seeing blocks tied to the GTM installer.
Our prior AV solution began having fits with Goto products about a year ago. As paying customers, we begged the LogMeIn vendor to stop changing the hash of the file each time it was downloaded, to no avail. We were forced to place the vendor's certificate on the allow list since this crippled the organization. We have not run into any issues with the Goto products with Cortex XDR Prevent 7.1.3 on Windows (don't do Mac/Linux).