11-10-2025 04:08 PM
Hi,
We have confirmed through the official manual that XDR does not perform evaluation on files or paths allowed under XDR Legacy Agent Exception.
What I would like to know is whether files covered by a Legacy Agent Exception policy also do not generate alerts.
I would also like to confirm if this behavior is explicitly stated in the official documentation.
Currently, we have observed that even after configuring Alert Exclusions, alerts of the same type continue to appear.
While we could add additional Alert Exclusions, our goal is to use Legacy Agent Exception for items that should be clearly allowed, in order to reduce unnecessary alert counts.
Questions:
Do files/paths configured under a Legacy Agent Exception also prevent alert generation?
Is this behavior officially documented?
Thank you.
01-07-2026 07:47 AM
Hello @C.Seokgun ,
Greetings for the day.
Whether a Legacy Agent Exception prevents alert generation depends on the specific protection module for which the exception is configured.
The behavior varies by module:
* Malware Evaluation Modules (e.g., Portable Executable and DLL Examination, Endpoint Scanning): Configuring a Legacy Agent Exception for these modules generally instructs the agent to skip evaluation entirely. In these cases, the exception does prevent both the blocking action and the generation of an alert in the console.
* Behavioral Threat Protection (BTP) and Credential Gathering Protection (DSE): Adding a process or path to the Legacy Agent Exception list for these modules will stop the agent from terminating or blocking the process, but it will not prevent alert generation. Instead, the console will continue to display "Detected (Reported)" alerts to indicate that a potential threat was identified but permitted due to the exception. To fully suppress these alerts, you must create a specific Alert Exception (or Alert Exclusion).
Yes, this behavior is explicitly mentioned in official documentation and internal Knowledge Base articles for various modules:
* For the Office Files with Macros Examination module, the manual states: "Adding a process to the allow list doesn’t prevent the generation of a security event".
* General Malware Security Profile documentation notes: "Processes on the allow list will not be terminated by the agent when they are part of a malicious causality chain. Alerts will be triggered regardless".
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008VeHCAU
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New Year!!
Thanks & Regards,
S. Subashkar Sekar
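The answer above distinguishes modules where a Legacy Agent Exception skips evaluation (no alert) from modules where it only suppresses the block and the alert still shows as "Detected (Reported)". The following triage helper is an added example written for this thread, not Palo Alto Networks code and not from either poster. It assumes alert records shaped like the items under `reply.alerts` from the public API's `get_alerts_multi` endpoint (the field names `category`, `action`, `actor_process_image_path`, `alert_id`, `host_name`, the category strings, and the `REPORTED`/`BLOCKED` action values are all assumptions), treats Legacy Agent Exception paths as glob patterns, and runs on constructed sample alerts rather than live API output. It sorts alerts that still fire for excepted paths into "needs an Alert Exclusion" (the documented behaviour for BTP and Credential Gathering) versus "unexpected" (an excepted Malware-module alert, or an excepted process that was still blocked), so the residual alert count in the console can be explained before more exclusions are added.

```python
"""Triage alerts that still fire for paths covered by a Legacy Agent Exception.

Added example for the LIVEcommunity thread; not Palo Alto Networks code.
Field names, category strings and action values are ASSUMED to mirror the
get_alerts_multi reply items; the sample alerts are constructed, not real.
"""
import fnmatch
from collections import Counter, defaultdict

# Per the answer: for these modules a Legacy Agent Exception skips evaluation
# entirely, so an alert for an excepted path should not appear at all.
EVALUATION_SKIPPED = {"Malware"}

# For these modules the exception only prevents termination/blocking; the
# alert is still raised as "Detected (Reported)" and needs an Alert Exclusion.
REPORT_ONLY = {"Behavioral Threat", "Credential Gathering"}

# Legacy Agent Exception entries, assumed to allow a directory by glob.
LEGACY_EXCEPTIONS = [r"C:\Tools\backup\*"]

# Constructed sample alerts (schema assumed, see module docstring).
SAMPLE_ALERTS = [
    {"alert_id": 1001, "category": "Behavioral Threat", "action": "REPORTED",
     "actor_process_image_path": r"C:\Tools\backup\backup_agent.exe", "host_name": "srv01"},
    {"alert_id": 1002, "category": "Behavioral Threat", "action": "REPORTED",
     "actor_process_image_path": r"C:\Tools\Backup\backup_agent.exe", "host_name": "srv02"},
    {"alert_id": 1003, "category": "Credential Gathering", "action": "REPORTED",
     "actor_process_image_path": r"C:\Tools\backup\backup_agent.exe", "host_name": "srv01"},
    {"alert_id": 1004, "category": "Behavioral Threat", "action": "BLOCKED",
     "actor_process_image_path": r"C:\Users\bob\AppData\Local\Temp\dropper.exe", "host_name": "ws17"},
    {"alert_id": 1005, "category": "Malware", "action": "REPORTED",
     "actor_process_image_path": r"C:\Tools\backup\backup_agent.exe", "host_name": "srv03"},
]


def _norm(path):
    """Case-fold and unify separators so Windows paths compare reliably."""
    return path.replace("/", "\\").lower()


def is_excepted(path, exceptions):
    """True if the process image path is covered by any Legacy Agent Exception glob."""
    p = _norm(path)
    return any(fnmatch.fnmatchcase(p, _norm(pattern)) for pattern in exceptions)


def classify(alert, exceptions):
    """Explain why an alert is (still) present given the configured exceptions."""
    if not is_excepted(alert["actor_process_image_path"], exceptions):
        return "not_excepted"            # exception does not cover it; alert is legitimate
    category, action = alert["category"], alert["action"]
    if category in REPORT_ONLY and action == "REPORTED":
        return "needs_alert_exclusion"   # documented: block suppressed, alert still raised
    if category in EVALUATION_SKIPPED:
        return "unexpected"              # evaluation should have been skipped; check the profile
    if category in REPORT_ONLY:
        return "unexpected"              # excepted but still blocked: exception not applied
    return "review"                      # module not covered by the answer; check manually


def summarize(alerts, exceptions):
    """Return (verdict counts, proposed Alert Exclusion keys -> alert ids)."""
    counts = Counter()
    candidates = defaultdict(set)
    for alert in alerts:
        verdict = classify(alert, exceptions)
        counts[verdict] += 1
        if verdict == "needs_alert_exclusion":
            key = (alert["category"], _norm(alert["actor_process_image_path"]))
            candidates[key].add(alert["alert_id"])
    return counts, dict(candidates)


def proposed_exclusions(alerts, exceptions):
    """Candidate Alert Exclusions, most frequent first, as (category, path, count)."""
    _, candidates = summarize(alerts, exceptions)
    return sorted(((cat, path, len(ids)) for (cat, path), ids in candidates.items()),
                  key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    counts, _ = summarize(SAMPLE_ALERTS, LEGACY_EXCEPTIONS)
    for verdict, n in sorted(counts.items()):
        print(f"{verdict:24s} {n}")
    for category, path, n in proposed_exclusions(SAMPLE_ALERTS, LEGACY_EXCEPTIONS):
        print(f"Alert Exclusion candidate: {category} / {path} ({n} alerts)")
```

With live data, replace `SAMPLE_ALERTS` with the alert items fetched from the tenant and `LEGACY_EXCEPTIONS` with the paths actually configured in the profile; any alert landing in "unexpected" points at an exception configured for the wrong module rather than at a missing Alert Exclusion.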