Hello @tlmarques,

Greetings for the day.

Yes, it is possible to block older versions of Notepad++ while allowing only version 8.9.1, but this must be achieved through SHA256 hashes rather than a simple version number toggle, as Cortex XDR does not natively support blocking based solely on application version strings.
To allow only version 8.9.1 and block all other versions (installation and execution), you should use a combination of Restriction Profiles and Hash Control.

Recommended Implementation Steps

1. Obtain the Required Hashes

Identify the SHA256 hashes for the Notepad++ version 8.9.1 executable (notepad++.exe) and its specific installer (for example, npp.8.9.1.Installer.x64.exe).
The global Block List supports Windows PE, PE64, and DLL files, which includes the standard Notepad++ binaries.

2. Configure a Restriction Profile (Block by Name)

Instead of manually adding large numbers of older hashes to a global block list, use a Restriction Profile to block the application by filename and then create an exception for your allowed version.

  • Navigate to Policy > Prevention Profiles > Restrictions

  • Create a new profile and add notepad++.exe and npp.*.Installer*.exe to the Executables block list

This blocks the execution of any file with these names regardless of version.

3. Create an Exception for Version 8.9.1 (Allow by Hash)

Explicitly allow the hash of version 8.9.1 so it overrides the restriction.

  • Navigate to Policy > Prevention and select the policy group for your endpoints

  • Go to the Exceptions tab and add a Disable Prevention Rule

  • Configure the rule to target the SHA256 hash of the 8.9.1 executable and installer

Alternatively, you can use Malware Profile > Allow List to add the 8.9.1 hash.

4. Use the Global Block List for Known Older Hashes (Optional)

If you have specific older versions you want to ensure are blocked even if renamed:

  • Navigate to Response > Action Center > New Action > Add to Block List

  • Enter the SHA256 hashes of the older Notepad++ versions

Warning: Hashes added to the global Block List are enforced universally across all endpoints in the tenant and take precedence over most other policy rules.

Critical Limitations to Consider

  • MSI Installers: Cortex XDR’s Hash Block List in the Action Center does not currently support blocking .msi files by SHA256 hash. If the Notepad++ versions are distributed as .msi packages, the hash-based block will not trigger. You must rely on filename or path restrictions in a Restriction Profile for these files.

  • Size Limits: For agent versions 8.1 and below, there is a 100 MB limit for hash calculations; files exceeding this size will not be matched against the block list. Most Notepad++ binaries are well under this limit.

Verification on the Endpoint

You can verify whether the block and allow lists are correctly applied to a local Windows endpoint by running the following command in an Administrator command prompt:

"%ProgramFiles%\Palo Alto Networks\Traps\cytool.exe" persist print hash_overrides.db

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
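
The steps above need the SHA256 values of the 8.9.1 binaries (for the allow exception) and of any older binaries (for the global Block List). The following PowerShell script is an added example, not part of the original post or of Cortex XDR; it inventories Notepad++ executables and installers on a Windows host, reads the version from the PE version resource (falling back to the version in the installer's filename), hashes each file, and sorts the hashes into an allow list and a block list. The search paths, the output file names, the allowed-version string, and the assumption that the version resource starts with the marketing version (e.g. 8.9.1) are all assumptions for the example; the 100 MB warning reflects the agent limit mentioned in the answer.

```powershell
# Added example: collect SHA256 hashes of Notepad++ binaries for Cortex XDR allow/block lists.
# $AllowedVersion and $SearchRoots are assumptions; adjust them for your environment.
param(
    [string]$AllowedVersion = '8.9.1',
    [string[]]$SearchRoots = @(
        "$env:ProgramFiles\Notepad++",
        "${env:ProgramFiles(x86)}\Notepad++",
        "$env:USERPROFILE\Downloads"
    )
)

# Candidate files: the editor binary and the official installer naming pattern
# (the same names the Restriction Profile in the answer blocks).
$candidates = foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'notepad++.exe' -or $_.Name -ilike 'npp.*.Installer*.exe' }
    }
}

$report = foreach ($file in $candidates) {
    # Version from the PE version resource; installers may not carry one.
    $version = $file.VersionInfo.ProductVersion
    # Fallback: parse the version out of an installer name such as npp.8.9.1.Installer.x64.exe.
    if (-not $version -and $file.Name -match '^npp\.(\d+(\.\d+)+)\.Installer') {
        $version = $Matches[1]
    }

    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Decision mirrors the answer: only the allowed version is excepted by hash,
    # every other version is a candidate for the global Block List.
    if ($version -and $version -like "$AllowedVersion*") {
        $action = 'ALLOW (exception by hash)'
    } else {
        $action = 'BLOCK (global Block List)'
    }

    [pscustomobject]@{
        Path    = $file.FullName
        Version = $version
        SHA256  = $hash
        SizeMB  = [math]::Round($file.Length / 1MB, 2)
        Action  = $action
    }
}

$report | Sort-Object Version | Format-Table -AutoSize

# Agents 8.1 and below do not hash files over 100 MB, so flag anything that large.
$report | Where-Object { $_.SizeMB -gt 100 } | ForEach-Object {
    Write-Warning "$($_.Path) exceeds 100 MB; agents 8.1 and below will not match it against the Block List."
}

# One hash per line, ready to paste into the console (output file names are assumptions).
$report | Where-Object Action -like 'ALLOW*' | Select-Object -ExpandProperty SHA256 |
    Set-Content -Path .\npp-allow-hashes.txt
$report | Where-Object Action -like 'BLOCK*' | Select-Object -ExpandProperty SHA256 |
    Set-Content -Path .\npp-block-hashes.txt
```

Run it from an elevated PowerShell prompt on a reference machine that has 8.9.1 installed and the older installers still in Downloads; the ALLOW hashes go into the Disable Prevention Rule or Malware Profile Allow List, the BLOCK hashes into Response > Action Center > Add to Block List. Note that .msi packages are deliberately not collected, because the answer states the Action Center hash Block List does not cover them.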