Manage File Execution

From the Cortex® XDR™ management console, you can set rules for the execution (or running) of particular files on your endpoints.
You can manage file execution on your endpoints by using file hashes that are included in your allow and block lists. If you trust a certain file and know it to be benign, you can add the file hash to the allow list and allow it to be executed on all your endpoints regardless of the WildFire® or local analysis verdict. Similarly, if you want to always block a file from running on any of your endpoints, you can add the associated hash to the block list.
Adding files to the block list or allow list takes precedence over any other policy rules that may have otherwise been applied to these files. In the Action Center in Cortex XDR, you can monitor block list and allow list actions performed in your networks and add or remove files from these lists.
Supported file types are:
  • PE, PE64
  • doc, docx, xls, xlsx (only if they contain macro files)
  • macho, DMG
  1. Log in to Cortex XDR.
    Go to Action Center > + New Action.
  2. Select either Add to Block List or Add to Allow List.
  3. Enter the SHA-256 hash of the file and click .
    You can add up to 100 file hashes at once. You can add a comment that will be added to all the hashes you added in this action.
  4. Click
  5. Review the summary and click
    In the next heartbeat, the agent will retrieve the updated lists from Cortex XDR.
  6. You are automatically redirected to the Block List or Allow List that corresponds to the action in the Action Center.
  7. To manage the file hashes on the Block List or the Allow List, right-click the file and select one of the following:
    • Disable—The file hash remains on the list but will not be applied on your Cortex XDR agents.
    • Move to Block List or Move to Allow List—Removes this file hash from the current list and adds it to the opposite one.
    • Edit Incident ID—Select to either Link to existing incident or Remove incident link.
    • Edit Comment—Enter a comment.
    • Delete—Delete the file hash from the list altogether, meaning this file hash will no longer be applied to your endpoints.
    • Open in VirusTotal—Directs you to the VirusTotal analysis of this hash.
    • (Cortex XDR Pro License only) Open Hash View—Pivot to the hash view of the hash.
    • Open in Quick Launcher—Open the quick launcher search results for the hash.
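
Because an allow-list entry overrides the WildFire and local analysis verdicts, it is worth checking a hash batch before pasting it into the console. The following is an added example, not Palo Alto Networks code: it computes SHA-256 values, rejects anything that is not a SHA-256 hash, and splits the result into actions of at most 100 hashes. The function names are hypothetical, and holding back hashes requested for both lists is a choice made in this example.

```python
import hashlib
import re

MAX_PER_ACTION = 100  # per-action limit stated on this page
SHA256_RE = re.compile(r"[0-9a-f]{64}")

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize(candidates):
    """Return (valid, rejected): valid is lowercased, de-duplicated, order kept."""
    valid, rejected, seen = [], [], set()
    for raw in candidates:
        value = raw.strip().lower()
        if not SHA256_RE.fullmatch(value):
            rejected.append(raw)  # MD5/SHA-1 lengths, typos, blank lines
        elif value not in seen:
            seen.add(value)
            valid.append(value)
    return valid, rejected

def plan_actions(allow_candidates, block_candidates):
    """Build per-action batches; hashes requested for both lists are held back."""
    allow, bad_allow = normalize(allow_candidates)
    block, bad_block = normalize(block_candidates)
    conflicts = sorted(set(allow) & set(block))

    def batches(items):
        items = [h for h in items if h not in conflicts]
        return [items[i:i + MAX_PER_ACTION]
                for i in range(0, len(items), MAX_PER_ACTION)]

    return {"allow": batches(allow), "block": batches(block),
            "conflicts": conflicts, "rejected": bad_allow + bad_block}

# Constructed sample input (not real indicators).
SAMPLE_BLOCK = [hashlib.sha256(b"sample-%d" % i).hexdigest() for i in range(150)]
SAMPLE_BLOCK += [SAMPLE_BLOCK[0].upper(), "d41d8cd98f00b204e9800998ecf8427e"]  # duplicate, MD5
SAMPLE_ALLOW = [hashlib.sha256(b"trusted-tool").hexdigest(), SAMPLE_BLOCK[3]]

if __name__ == "__main__":
    plan = plan_actions(SAMPLE_ALLOW, SAMPLE_BLOCK)
    print([len(b) for b in plan["block"]], plan["conflicts"], plan["rejected"])
```

Each inner list in `allow` and `block` fits one New Action submission; entries in `conflicts` and `rejected` need a decision before they go on either list.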
