You can manage file execution on your endpoints using file hashes included
in your allow and block lists. If you trust a certain file and know
it to be benign, you can add the file hash to the allow list and
allow it to be executed on all your endpoints regardless of the
WildFire or local analysis verdict. Similarly, if you want to always
block a file from running on any of your endpoints, you can add
the associated hash to the block list. Adding files to the block
list or allow list takes precedence over any other policy rules that
may have otherwise been applied to these files. In the
in Cortex XDR, you can monitor block list and
allow list actions performed in your networks and add or remove files
from these lists.
Log in to Cortex
+ New Action
Add to Block List
to Allow List
Enter the SHA256 hash of the file and click
You can add up to 100 file hashes at once. You can add
a comment that will be added to all the hashes you added in this
Review the summary and click
In the next heartbeat, the agent will retrieve the updated
lists from Cortex XDR.
You are automatically redirected to the
to the action in the
To manage the file hashes on the
, right-click the file and
select one of the following:
—The file hash remains on the list but will not be applied on your Cortex XDR agents.
Move to Block List
to Allow List
—Removes this file hash from the current list and adds it to the opposite one.
Edit Incident ID—Select to either
to existing incident
Remove incident link
—Enter a comment.
—Delete the file hash from the list altogether, meaning this file hash will no longer be applied to your endpoints.
Open in VirusTotal—Directs you to the VirusTotal analysis of this hash.
(Cortex XDR Pro License only)—Pivot to the hash view of the hash.
Open in Quick Launcher—Open the quick launcher search results for the hash.
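
The step above accepts SHA256 hashes only, up to 100 per action. The following is an added example, not part of the Cortex XDR documentation or product: a Python helper that computes a file's SHA256, rejects values that are not SHA256, and splits a long list into groups of at most 100 for entry. The function names, the sample values, and the check against the opposite list are assumptions made for illustration.

```python
import hashlib
import re

MAX_PER_ACTION = 100                      # the page: "up to 100 file hashes at once"
SHA256_RE = re.compile(r"[0-9a-f]{64}")   # 64 hex characters

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def prepare_batches(candidates, opposite_list=()):
    """Return (batches, rejected) for one allow list or block list action.

    candidates: raw strings (from tickets, feeds, or sha256_of_file).
    opposite_list: hashes already on the other list (hypothetical export);
    a match is held back for review, since a list entry overrides verdicts.
    """
    opposite = {h.strip().lower() for h in opposite_list}
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        value = raw.strip().lower()
        if not SHA256_RE.fullmatch(value):
            rejected.append((raw, "not a SHA256 hash"))  # e.g. MD5 or SHA1 pasted by mistake
        elif value in opposite:
            rejected.append((raw, "already on the opposite list"))
        elif value in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(value)
            accepted.append(value)
    batches = [accepted[i:i + MAX_PER_ACTION]
               for i in range(0, len(accepted), MAX_PER_ACTION)]
    return batches, rejected

if __name__ == "__main__":
    # Constructed sample input: digests of made-up byte strings, not real indicators.
    sample = [hashlib.sha256(b"constructed-%d" % i).hexdigest() for i in range(120)]
    sample += [sample[0].upper(), "a" * 32, "  " + sample[1] + "\n"]
    batches, rejected = prepare_batches(sample, opposite_list=[sample[5]])
    for n, batch in enumerate(batches, 1):
        print(f"action {n}: {len(batch)} hashes")
    for raw, reason in rejected:
        print(f"rejected {raw.strip()[:16]}...: {reason}")
```
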