11-19-2025 07:39 AM
We have internally developed scripts that we would like to create XDR exclusions or alert level reduction for based on if they contain code signing certificates. I don't know how to go about doing this or if it's even possible.
The idea here is to not need to update exclusions based on hashes any time the scripts are changed and to be more secure than filepath based exclusions.
Thanks in advance!
01-06-2026 12:18 PM
Hello @M.Crow ,
Greetings for the day!
Yes, it is possible to create exclusions and reduce alert levels in Cortex XDR based on digital code signing certificates. This approach allows you to trust internally developed tools without relying on fluctuating file hashes or broad path-based exclusions.
There are three primary methods to achieve this, depending on which protection module is flagging your scripts:
This is the most direct way to prevent the Portable Executable (PE) and DLL Examination and Digital Signer Restriction modules from blocking your signed files.
* Module Scope: This primarily applies to compiled executables (.exe) and DLLs.
* Procedure:
1. Identify the exact Trusted Signer Name from the alert details or file properties on the endpoint.
2. In the Cortex XDR console, navigate to Endpoints > Policy Management > Prevention Profiles > Malware.
3. Edit your active Malware profile.
4. Under Portable Executable and DLL Examination, find the ALLOW LIST SIGNERS section and click + ADD.
5. Enter the exact signer name and save the profile.
For alerts triggered by Behavioral Threat Protection (BTP) or specific Exploit modules, you can create a "Disable Prevention Rule" to allow the activity based on the signer.
* Granular Control: You can target specific rules (like a specific BTP rule) and exclude them only when the signer matches.
* Procedure:
1. Navigate to Settings > Exception Configuration > Disable Prevention Rule.
2. Click Add Rule.
3. In the Scope, select the module or specific rule ID causing the block.
4. In the Target Properties, select Signer and enter the name of your internal certificate.
If you want the scripts to run but simply wish to suppress or hide the alerts in the management console (reducing "noise"), you can use Alert Exclusions.
* Procedure:
1. Navigate to Settings > Exception Configuration > Alert Exclusions.
2. Create a rule where the Signer property matches your certificate.
3. This will hide future matching alerts from the Alert Table and prevent them from generating incidents, while still allowing the agent to monitor the activity.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New Year!!
Thanks & Regards,
S. Subashkar Sekar
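Before relying on any of the signer-based rules in the reply above, it helps to confirm on an endpoint that every internal script actually carries a valid signature from the expected certificate, and to read off the signer name it reports. The following PowerShell audit is an added example, not part of the reply or of Cortex XDR; `$ScriptRoot` and `$ExpectedThumbprint` are placeholders, and the signer name it prints should be compared against the one shown in the XDR alert details rather than assumed to match.

```powershell
# Added example: audit Authenticode signatures on internally developed scripts.
# $ScriptRoot and $ExpectedThumbprint are placeholders (assumptions), not values from the thread.
param(
    [string]$ScriptRoot         = 'C:\InternalTools',
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-INTERNAL-CODE-SIGNING-CERT>'
)

$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$results = Get-ChildItem -Path $ScriptRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.exe, *.dll |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            SignerName  = if ($cert) { $cert.GetNameInfo($simpleName, $false) } else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            CertExpires = if ($cert) { $cert.NotAfter } else { $null }
            # Without a timestamp, the signature stops validating once the certificate expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
            # Covered only if the signature verifies AND it was made with the internal certificate.
            Covered     = ($sig.Status -eq 'Valid') -and $cert -and
                          ($cert.Thumbprint -eq $ExpectedThumbprint)
        }
    }

# Files that a signer-based rule should not be expected to match:
# unsigned, modified after signing (HashMismatch), untrusted chain, or a different signer.
$results | Where-Object { -not $_.Covered } |
    Sort-Object Status |
    Format-Table File, Status, SignerName, Timestamped -AutoSize

# Signer names seen on covered files; these are the candidates to compare with the alert details.
$results | Where-Object Covered |
    Group-Object SignerName |
    Select-Object Name, Count
```

A `HashMismatch` status means the file was edited after signing, so re-signing needs to be part of the script release process for signer-based rules to keep applying.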
01-07-2026 08:33 AM
This is wonderfully helpful, thank you!