New to Cortex - Whitelisting files/paths, are they needed

Showing results for 
Show  only  | Search instead for 
Did you mean: 

New to Cortex - Whitelisting files/paths, are they needed

L1 Bithead

I am looking for definitive answers on whether or not exe files should be whitelisted and where they should be whitelisted within Cortex?


L1 Bithead

the files to be excluded are known windows files. 

Maybe palo alto could bringt out a short Video for white and blacklisting paths/files? 





I would also be interested, if this Feature from Cortex xdr pro is comparable to applocker. 





L5 Sessionator

@jeperjes @Cyber1985 ,


It likely depends on the used cases on what should be whitelisted. Definitely the easiest, quickest and the best whitelisted always is SH256 allow list, which is granular in itself. However, as iterated, when it comes to whitelisting executables, it would depend upon the business used case and alerts around it. 


Windows executables are microsoft signed application executables and because Microsoft is a highly trusted signer, Cortex XDR does not detect and examine it in the pre-exection stages(like Wildfire malware, Local Analysis). 


In the post execution stages, everything is examined as it leverages behavioral execution monitoring for script based, fileless attacks and exploitation events as well. 


We also have a process exception which has the capability to disable select protection modules for Cortex XDR depending upon the choices and used cases. 


Please be apprised all of the above, will be specific to targets and profiles and should be implemented very carefully

what is the right way to enter *.exe files into whitelists, or find the
hash of a file and add that to the whitelist? What is the right way to
handle files to whitelist to avoid malicious files attacking a server? I
am not familiar with the cortex and how they handle malwares.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!