This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XDR allwoing blocked files to run

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XDR allwoing blocked files to run

Aiman_Fathima
L2 Linker

‎07-13-2022 01:45 AM - edited ‎07-13-2022 01:47 AM

Hello,

Even though we have added the file hash to the BLOCK LIST, XDR still alllows the process to run. Does someone know  the reason for why this is occuring. 

0 Likes Likes
3 REPLIES 3

jtalton
L3 Networker

‎07-13-2022 01:06 PM

Hello Aiman_Fathima, 

 

Blocking files on endpoints is also enforced by the endpoint malware profile. Please ensure that your Malware Security Profile is set to block mode.

 

In Action Center, on the Block list page, you may select Override Report mode to allow the agent to block hashes even if the Malware Profile is set to Report.

 

  • Please check Action Center to confirm the file hash is in the Block List: Incident Response >Response> Action Center > Block List
  • Select Override Report mode to allow the agent to block hashes even if the Malware Profile is set to Report.

jtalton_0-1657742510878.png

 

If all is configured, please open a support case for troubleshooting. 

Reference

Endpoint Security Profiles (paloaltonetworks.com)

Add a New Malware Security Profile (paloaltonetworks.com)

 

Thanks

If you found this answer helpful, please select Accept as Solution.
(1)

Aiman_Fathima
L2 Linker
In response to jtalton

‎07-15-2022 01:35 AM

Thank you

Cyber1985
L3 Networker
In response to Aiman_Fathima

‎07-20-2022 08:35 AM

Was this your solution? From our expierience you should watch out if this hash/File is not in the Quarantäne. In some of our cases the computer needs a restart to work. 

It would be nice to know, how we can check, if this blocked hash is updaten to the Client. 

 

BR 

 

Rob

0 Likes Likes
  • 2533 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks