06-02-2026 05:56 AM
Hello,
We have the following case:
The "Local Analysis Malware" module blocks a self-developed, unsigned tool. However, after signing the tool with our own certificate, it is no longer blocked—even though we have not added or configured this certificate in any of the policies.
How can this behavior be explained? Does Cortex integrate with or reference the Windows Certificate Store? In other words, is the exe file allowed to run as soon as the certificate chain can be successfully validated?
Thank you!
06-02-2026 06:55 AM
Hello @M.Wempen ,
Greetings for the day.
The behavior you observed—where signing your self-developed tool with a certificate allowed it to bypass the Local Analysis Malware module—is related to how the Cortex XDR agent evaluates Windows executables and integrates with the Windows operating system.
- The Local Analysis module uses a machine learning algorithm to evaluate numerous file characteristics immediately when a file is launched.
- When a file is unsigned, its risk score increases significantly during this evaluation process. This can result in a "Suspicious executable detected" (CYSTATUSMALICIOUSEXE) verdict and subsequent blocking action.
On Windows endpoints, the Cortex XDR agent follows a defined evaluation flow during malware protection processing.
- Skip Local Analysis for Signed Files: If an unknown executable or DLL is signed by a recognized or trusted signer, the Cortex XDR agent may allow execution without performing additional Local Analysis evaluation.
- Integration with Windows Certificate Store: The agent relies on native Windows validation mechanisms, such as WinVerifyTrust, to verify the authenticity and cryptographic integrity of a file's digital signature.
- Certificate Validation Requirement: For the signature to be considered valid and eligible to bypass Local Analysis, the operating system must successfully validate the certificate chain. This requires the Root CA associated with the signing certificate to exist within the endpoint's Windows Trusted Root Certification Authorities store.
- You do not need to explicitly configure your certificate within Cortex policies for this behavior to occur.
Note: As long as the Windows endpoint successfully validates the certificate chain, the agent recognizes the file as digitally signed by a trusted or known signer. Based on the standard protection workflow, the agent can bypass the Local Analysis module, which explains why the file is no longer blocked after signing.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
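An added example (not from the thread or from Palo Alto Networks): a PowerShell helper an administrator can run on an endpoint to see what the Windows validation described above actually concludes for a binary, namely the Authenticode status, the signer, and which Trusted Root store (LocalMachine or CurrentUser) the chain terminates in. The file path is a placeholder; the chain is rebuilt with revocation checking disabled, an assumption made so the audit works offline.

```powershell
# Added example, not the vendor's code. Reports the Authenticode verdict the OS
# reaches for a file and which Trusted Root store the signing chain ends in.
function Get-SignerTrustReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File        = $Path
        Status      = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer      = $null
        RootSubject = $null
        RootThumb   = $null
        RootStore   = 'none'           # store where the root was found, if any
        ChainValid  = $false
    }

    if ($sig.SignerCertificate) {
        $report.Signer = $sig.SignerCertificate.Subject

        # Rebuild the chain to find the root it terminates in. Intermediates must
        # be resolvable from the local stores or AIA; otherwise Build() fails and
        # ChainElements holds only the partial chain that could be constructed.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: offline audit
        $report.ChainValid = $chain.Build($sig.SignerCertificate)

        $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $report.RootSubject = $last.Subject
        $report.RootThumb   = $last.Thumbprint

        # A root present only in CurrentUser\Root was trusted by a user, not
        # deployed by policy; that is the case worth reviewing.
        foreach ($store in 'LocalMachine', 'CurrentUser') {
            $hit = Get-ChildItem "Cert:\$store\Root" |
                   Where-Object { $_.Thumbprint -eq $last.Thumbprint }
            if ($hit) { $report.RootStore = $store; break }
        }
    }

    [pscustomobject]$report
}

# Placeholder path; run against the binary whose verdict you want to explain.
Get-SignerTrustReport -Path 'C:\Tools\mytool.exe' | Format-List
```

A Status of Valid combined with RootStore of LocalMachine is the situation the answer above describes; Status NotSigned or a root found in no store means the endpoint would not treat the file as signed by a trusted signer.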