02-03-2026 07:27 AM
Guys,
Does anyone know if it is possible to block the hashes associated with older versions of Notepad++?
My goal is to allow only Notepad++ version 8.9.1 to be executed, and to block the installation and execution of all other versions.
02-03-2026 09:02 AM
Hello @tlmarques ,
Greetings for the day.
Yes, it is possible to block older versions of Notepad++ while allowing only version 8.9.1, but this must be achieved through SHA256 hashes rather than a simple version number toggle, as Cortex XDR does not natively support blocking based solely on application version strings.
To allow only version 8.9.1 and block all other versions (installation and execution), you should use a combination of Restriction Profiles and Hash Control.
Identify the SHA256 hashes for the Notepad++ version 8.9.1 executable (notepad++.exe) and its specific installer (for example, npp.8.9.1.Installer.x64.exe).
The global Block List supports Windows PE, PE64, and DLL files, which includes the standard Notepad++ binaries.
Instead of manually adding large numbers of older hashes to a global block list, use a Restriction Profile to block the application by filename and then create an exception for your allowed version.
Navigate to Policy > Prevention Profiles > Restrictions
Create a new profile and add notepad++.exe and npp.*.Installer*.exe to the Executables block list
This blocks the execution of any file with these names regardless of version.
Explicitly allow the hash of version 8.9.1 so it overrides the restriction.
Navigate to Policy > Prevention and select the policy group for your endpoints
Go to the Exceptions tab and add a Disable Prevention Rule
Configure the rule to target the SHA256 hash of the 8.9.1 executable and installer
Alternatively, you can use Malware Profile > Allow List to add the 8.9.1 hash.
If you have specific older versions you want to ensure are blocked even if renamed:
Navigate to Response > Action Center > New Action > Add to Block List
Enter the SHA256 hashes of the older Notepad++ versions
Warning: Hashes added to the global Block List are enforced universally across all endpoints in the tenant and take precedence over most other policy rules.
MSI Installers: Cortex XDR’s Hash Block List in the Action Center does not currently support blocking .msi files by SHA256 hash. If the Notepad++ versions are distributed as .msi packages, the hash-based block will not trigger. You must rely on filename or path restrictions in a Restriction Profile for these files.
Size Limits: For agent versions 8.1 and below, there is a 100 MB limit for hash calculations; files exceeding this size will not be matched against the block list. Most Notepad++ binaries are well under this limit.
You can verify whether the block and allow lists are correctly applied to a local Windows endpoint by running the following command in an Administrator command prompt:
"%ProgramFiles%\Palo Alto Networks\Traps\cytool.exe" persist print hash_overrides.db
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
02-03-2026 09:27 AM
Thanks for your help, you gave me some good ideas.
Maybe the best solution for now is to block the hashes related to the old versions... Is XQL the best way to get those hashes, @susekar?
Because my objective is to allow only the latest version. Right now that is 8.9.1; in the future, when 9.X launches for example, I'll block 8.9.1.
02-04-2026 04:46 AM
Hello @tlmarques ,
Thank you for the response.
Yes, using XQL (Cortex Query Language) is one of the most effective ways to retrieve the SHA256 hashes of specific software versions that have been seen in your environment. Since Cortex XDR cannot natively block applications based solely on a version string, you must identify the specific hashes associated with those older versions and add them to a block list.
You can use either the files dataset (which leverages Host Insights data) or the xdr_data dataset (which contains historical event logs) to find hashes linked to specific file names and versions.
Note:
This query requires the Host Insights add-on to be active.
dataset = files
| filter file_name == "your_executable_name.exe"
| fields sha256, file_name, file_version, vendor, last_seen
| dedup sha256

dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_file_name == "your_executable_name.exe"
| fields action_file_sha256, action_file_name, os_actor_process_command_line, agent_hostname
| dedup action_file_sha256
Note: In the xdr_data dataset, the version might not always be available as a standalone field. You may need to inspect action_file_path or os_actor_process_command_line if the version is embedded in the directory structure or command line.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
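The triage step implied by the answers above, as an added example that is not part of the original posts and is not Palo Alto Networks code: it sorts rows exported from the `files` query into hashes to allow, hashes to block, .msi names to restrict by filename, and hashes to review by hand. The CSV export format, the exact-match comparison on `file_version`, and the sample rows (with placeholder hashes) are assumptions.

```python
import csv
import io
import re

ALLOWED_VERSION = "8.9.1"  # the only version the thread wants to permit
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample export; hashes are placeholders, not real Notepad++ hashes.
SAMPLE_CSV = """sha256,file_name,file_version
{a},notepad++.exe,8.9.1
{b},notepad++.exe,8.6.2
{c},notepad++.exe,
{d},npp.8.5.Installer.x64.msi,8.5
{a},notepad++.exe,8.9.1
not-a-hash,notepad++.exe,8.1
{e},notepad++.exe,8.9.1
{e},notepad++.exe,8.8.0
""".format(a="a" * 64, b="b" * 64, c="c" * 64, d="d" * 64, e="e" * 64)

def triage(rows, allowed_version=ALLOWED_VERSION):
    """Split exported rows into allow / block / restrict_by_name / review sets."""
    out = {"allow": set(), "block": set(), "restrict_by_name": set(), "review": set()}
    for row in rows:
        sha = (row.get("sha256") or "").strip().lower()
        name = (row.get("file_name") or "").strip()
        version = (row.get("file_version") or "").strip()
        if not SHA256_RE.match(sha):
            continue  # malformed or empty hash: nothing usable for a hash list
        if name.lower().endswith(".msi"):
            # .msi files are not matched by the hash Block List; restrict by name
            out["restrict_by_name"].add(name)
        elif not version:
            out["review"].add(sha)  # version unknown: inspect path or command line
        elif version == allowed_version:  # assumption: exact string match
            out["allow"].add(sha)
        else:
            out["block"].add(sha)
    # The global Block List outranks most policy rules, so a hash reported under
    # both the allowed version and another version goes to review, not to a list.
    conflicts = out["allow"] & out["block"]
    out["allow"] -= conflicts
    out["block"] -= conflicts
    out["review"] |= conflicts
    return out

if __name__ == "__main__":
    result = triage(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    for key, values in result.items():
        print(key, sorted(values))
```
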

