L4 Transporter

Hi Enewman,

Typically the signer block list is maintained by the PANW team and it is distributed via content updates.

The way for customers to block a process is to block the hash, as you have done. The hash will be checked before the WF verdict, so it will prevail before the WF check.
An indirect way to create a signer block is the following: 

You create a custom BIOC for this signer and then you push it on to a restriction profile.  

This way the process will execute, but immediately the behavioural threat protection will kick in and block & kill the process.

I hope this helps. Please like it if it was useful.

Have Fun with it, 

Luis 
