How to add exception for known macros detection by cortex XDR


L0 Member

We are facing alerts for some Excel macro-enabled files, which are known and signed, that are getting blocked in local analysis.

After a certain time the file verdict changed to benign, but it is still triggered in local analysis and the user is unable to execute it.

 

Please help us with how to unblock this without adding a specific path under exception.

 

Thanks  


L5 Sessionator

Hello @S.Rembhotkar ,

 

Greetings for the day.

 

To unblock Excel macro-enabled files without adding a specific path exception, you can utilize the Macro Hash, implement a Signer Allow List, or adjust the Malware Profile settings.

 

These methods are more scalable and secure than path-based exclusions, especially when file hashes change frequently due to updates.

Option 1: Add the Macro Hash to the Allow List:

Cortex XDR calculates two hashes for macro-enabled files: the hash of the file itself (which changes if the file is edited) and a unique Macro Hash (or stream hash) representing the VBA code structure. By allow-listing the Macro Hash, you permit the specific macro code to run regardless of the file name or location.

 

Retrieve the Macro Hash:

  1. Navigate to Incident Response > Incidents > Alerts Table.
  2. Locate the "Suspicious macro detected" alert.
  3. Right-click the alert and select Investigate Causality Chain.
  4. Open the Alert Card and expand Alert Details.
  5. Locate and copy the MACRO HASH256 (found in Additional Argument 3 or streamHash in raw alert data).

Add to Allow List:

  1. Go to Incident Response > Response > Action Center.
  2. Click + New Action > Add to Allow List.
  3. Paste the Macro Hash and click Done.

Option 2: Use Signer Allow List (If Macros are Digitally Signed):

Since the macros are signed, you can add the certificate’s signer to the Signer Allow List in your Malware Security Profile. This allows any file signed by that specific trusted certificate to execute.

  1. Identify the signer’s name from the alert data (for example, "Example Corp").
  2. Navigate to Policy Management > Profiles > Malware.
  3. Edit the profile and go to the Windows tab > Portable Executables, DLLs, and Office Macros.
  4. Locate Signer Whitelist and add the signer name.

Option 3: Adjust Malware Profile for “Low Confidence” Verdicts:

The alerts may persist because WildFire returns a “Benign with Low Confidence” verdict, which triggers the agent’s Local Analysis engine by default. You can change this behavior for trusted users or endpoints.

  1. In your Malware Security Profile, navigate to Portable Executables, DLLs, and Office Macros.
  2. Change Action when file is benign with low confidence from Run Local Analysis to Allow.

Note: This setting applies to all files in that profile. To minimize risk, apply the modified profile only to specific user groups or endpoints.

 

If you feel this has answered your query, please let us know by clicking Like and on "Mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
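To illustrate why Option 1 above is more stable than a file-hash or path exception, here is an added example (not from the original thread or from Palo Alto Networks) that builds two versions of a minimal .xlsm-shaped container, one with edited cell data, and shows that the whole-file hash changes while a hash computed over only the embedded VBA project part stays the same. It assumes, as a stand-in, that hashing the `xl/vbaProject.bin` part approximates the Cortex XDR Macro Hash (streamHash), whose exact derivation is not documented on this page; the file contents are constructed.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Constructed stand-in for the binary VBA project part of a macro-enabled workbook.
# A real xl/vbaProject.bin is an OLE compound file; these bytes are illustrative only.
VBA_PROJECT = b"CONSTRUCTED-VBA-PROJECT: Sub MonthlyReport() ... End Sub"
FIXED_TIME = (2024, 1, 1, 0, 0, 0)  # fixed zip timestamps keep the demo deterministic


def build_xlsm(sheet_xml: bytes, vba_project: Optional[bytes] = VBA_PROJECT) -> bytes:
    """Assemble a minimal zip container laid out like an .xlsm (OOXML) file."""
    buf = io.BytesIO()
    parts = {
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/worksheets/sheet1.xml": sheet_xml,
    }
    if vba_project is not None:
        parts["xl/vbaProject.bin"] = vba_project
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def file_hash(xlsm: bytes) -> str:
    """SHA-256 of the whole file: changes whenever any cell or part is edited."""
    return hashlib.sha256(xlsm).hexdigest()


def macro_hash(xlsm: bytes) -> Optional[str]:
    """SHA-256 over the embedded VBA project part only.

    Assumption: this approximates the Cortex XDR Macro Hash / streamHash.
    The value depends only on the macro code, not on workbook data or file name,
    which is why allow-listing it survives routine edits to the spreadsheet.
    """
    with zipfile.ZipFile(io.BytesIO(xlsm)) as zf:
        if "xl/vbaProject.bin" not in zf.namelist():
            return None  # no macros: nothing to allow-list by macro hash
        return hashlib.sha256(zf.read("xl/vbaProject.bin")).hexdigest()


if __name__ == "__main__":
    original = build_xlsm(b"<sheet>Q1 figures</sheet>")
    edited = build_xlsm(b"<sheet>Q1 figures, updated by the user</sheet>")
    print("file hash changed:", file_hash(original) != file_hash(edited))
    print("macro hash stable:", macro_hash(original) == macro_hash(edited))
```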

 
