From the Cortex® XDR™ management console, you can set
rules for the execution (or running) of particular files on your
can manage file execution on your endpoints by using file hashes
that are included in your allow and block lists. If you trust a
certain file and know it to be benign, you can add the file hash
to the allow list and allow it to be executed on all your endpoints
regardless of the WildFire® or local analysis verdict. Similarly,
if you want to always block a file from running on any of your endpoints,
you can add the associated hash to the block list.
files to the block list or allow list takes precedence of any other
policy rules that may have otherwise been applied to these files.
in Cortex XDR, you can
monitor block list and allow list actions performed in your networks
and add/remove file from these lists.
Supported file types
Supported File Types
doc, docx, xls, xlsx (only if they contain macro files)
Log in to Cortex
+ New Action
Add to Block List
to Allow List
Enter the SHA-256 hash of the file and click
You can add up to 100 file hashes at once. You can add
a comment that will be added to all the hashes you added in this
Review the summary and click
In the next heart beat, the agent will retrieve the updated
lists from Cortex XDR.
You are automatically redirected to the
to the action in the
To manage the file hashes on the
, right-click the file and
select one of the following:
—The file hash remains
on the list but will not be applied on your Cortex XDR agents.
Move to Block List
to Allow List
—Removes this file hash from the current
list and adds it to the opposite one.
Edit Incident ID
—Select to either
to existing incident
Remove incident link
—Enter a comment.
—Delete the file hash from the
list altogether, meaning this file hash will no longer be applied
to your endpoints.
Open in VirusTotal
—Directs you to
the VirusTotal analysis of this hash.
Cortex XDR Pro License only)
—Pivot the hash view of the hash.
Open in Quick Launcher
—Open the quick
launcher search results for the hash.