Add a legacy exception rule for endpoints

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-10
Category: Administrator Guide
Abstract: Learn how to use Cortex Cloud Legacy Exception rules to configure an exception to prevention and protection modules on endpoints for selected profiles.

Legacy Exception rules enable you to configure an exception to prevention and protection modules on endpoints for selected profiles.

Items included in allow lists may continue to generate Cortex Cloud security events. If you want to exclude event reporting, configure this on the Issue Exclusions page (Settings > Exception Configurations > Issue Exclusions).

Keep in mind the following:

    To manage the prevention profile exceptions from Exception Configuration, you must first migrate your existing exceptions configured via the prevention profiles.

    Your migrated rules are displayed on the Settings > Exception Configurations > Legacy Agent Exceptions page. For more information about the migration, see Exception configuration.

    1. Select Settings > Exception Configurations > Legacy Agent Exceptions, and then click + Add Rule.

    2. Select the platform for which you want to create an agent exception.

    3. Select the module for which you want to create an exception. Optionally, select Select all to apply the exception to all profiles for this module or select specific profiles.

      | Type | Module | Platform | Parameters |
      |---|---|---|---|
      | Malware | Respond to Malicious Causality Chains | Windows, MacOS | Add to your allow list specific and known safe IP addresses or IP address ranges that you do not want Cortex Cloud to block. |
      | Malware | Behavioral Threat Protection | Windows, MacOS, Linux | Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Office Files with Macros Examination | Windows | Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Portable Executable and DLL Examination | Windows | Add to your allow list the file or folder path and the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Malicious Child Process Protection | Windows, MacOS, Linux | Add to your allow list the parent processes that can launch child processes, with optional execution criteria. Specify the allow list criteria including the Parent Process Name, Child Process Name, and Command Line Params. Use ? to match a single character or * to match any string of characters. |
      | Malware | Endpoint Scanning | Windows, MacOS, Linux | Add to your allow list the file or folder path and the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | PDF Examination | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Credential Gathering Protection | Windows, MacOS, Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Anti Webshell Protection | Windows, MacOS, Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Financial Malware Threat Protection | Windows, MacOS, Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Cryptominers Protection | Windows, MacOS, Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | In-process Shellcode Protection | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Malicious Device Prevention | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | UAC Bypass Prevention | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Anti Tampering Protection | Windows, MacOS | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | UEFI Protection | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | PowerShell Script Files | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Mach-O Execution Examination | MacOS | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Mach-O Loading Examination | MacOS | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | DMG File Examination | MacOS | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Local File Threat Examination | Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | ELF File Examination | Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Reverse Shell Protection | Linux | Specify the Process Path, the Local IP Address and port, and the Remote IP Address and port of the process you want to allow. Use ? to match a single character or * to match any string of characters. |
      | Malware | Loaded Kernel Modules Examination | Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Please note that the exception applies to the kernel module, not the process that loads it. |
      | Malware | APK Files Examination | Android | Specify the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | SMS and MMS Malicious URL filtering Allow list | iOS | Add to your allow list known safe URLs that you do not want Cortex Cloud to block. |
      | Malware | Call and Messages Blocking Allow list | iOS | Add to your allow list names and phone numbers of contacts that you do not want Cortex Cloud to block. |
      | Malware | Dynamic Kernel Protection | Windows | Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | ASP and ASPX File Examination | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | VB Scripts Examination | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | JScript File Examination | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | LDAP Query Protection | Windows | Add to your allow list specific and known safe IP addresses or IP address ranges that you do not want Cortex Cloud to block. Add to your allow list users whom you do not want to block. |
      | Malware | Operational Agent Exceptions | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Note: This exception prevents the agent from examining the specified file. Use with caution, as it may unintentionally allow unwanted or malicious behavior to go undetected. |
      | Malware | Portable executable files (Windows) | Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Malware | Mach-O files (macOS) | Linux | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Restrictions | Executable Files | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Restrictions | Network Location Files | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Restrictions | Optical Drive Files | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Restrictions | Removable Media Files | Windows | Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Exceptions | Process Exceptions | Windows, MacOS, Linux | Add to your allow list the process and the module names to exclude from evaluation. Use ? to match a single character or * to match any string of characters. |
      | Exceptions | Operational Agent Exceptions | Windows | This option excludes any intervention from a given list of processes, which are specified by their full path. |

      When you create an Operational Agent Exceptions rule of the Exceptions type, it will disable the following modules:

      • All anti-exploitation modules for the process.

      • All anti-malware modules, by disabling triggers such as on-execution, on-load, on-access, on-write, and on-demand.

      • Most event collection operations based on tracking the process (some event collection operations might still occur, such as process events).

      Perform these steps:

      1. For Target Properties Process Path, enter the path of the process that you want to exclude, and press ENTER. To add additional processes, repeat this step.

      2. For Scope, select a rule scope.

        • Global: Apply this rule to all profiles

        • Profiles (existing or new): Apply this rule to a specific profile, or to multiple profiles. You can create a new profile from here, if necessary.

      3. Go to step 6.

    4. For each module, enter the file or folder path that you want to add to the exception rule, and press ENTER. Repeat this step to add additional paths to the rule.

    5. Select the endpoint profiles to which you want to apply this rule.

    6. Click Next.

    7. Review the rule, and then select the warning message checkbox.

    8. Click Create.

    Important

    If you don't migrate the legacy exceptions, you can continue to create exceptions through the profiles.
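
The wildcard rules in the Parameters column (? for one character, * for any string) make it easy to enter a path in step 4 that covers more than intended. As an added example (not Palo Alto Networks code and not part of the product), this Python script reviews proposed exception paths before they are entered. The sample paths, the case-insensitive comparison and the folder-covers-its-children behaviour are assumptions, since the page does not specify them.

```python
import re

FLAGS = re.IGNORECASE | re.DOTALL  # assumption: compare case-insensitively

def to_regex(pattern: str) -> str:
    """Translate an exception path: '?' = one character, '*' = any string."""
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern.rstrip("\\/")
    )
    # Assumption: a folder path also covers everything beneath it.
    return body + r"(?:[\\/].*)?"

def covers(pattern: str, path: str) -> bool:
    return re.fullmatch(to_regex(pattern), path, FLAGS) is not None

# Constructed samples of locations a standard user can typically write to.
USER_WRITABLE_SAMPLES = [
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    r"C:\Users\Public\Downloads\tool.exe",
    r"C:\ProgramData\vendor\cache\helper.dll",
    "/tmp/build/agent.so",
    "/home/alice/.cache/app/plugin.so",
]

def review(pattern: str) -> list:
    """Return (finding, detail) pairs for one proposed exception path."""
    findings = []
    hits = [p for p in USER_WRITABLE_SAMPLES if covers(pattern, p)]
    if hits:
        findings.append(("covers-user-writable", hits))
    if pattern[:1] in ("*", "?"):
        findings.append(("unanchored-start", pattern))
    return findings

def review_rule(patterns) -> dict:
    """Map each risky pattern to its findings; clean patterns are omitted."""
    return {p: f for p in patterns if (f := review(p))}

# Constructed candidate exception paths for one rule.
PROPOSED = [
    r"C:\Program Files\Vendor\Backup\agent.exe",
    r"C:\Users\*\AppData\Local\Temp\*.exe",
    r"*\helper.dll",
    "/tmp",
]

if __name__ == "__main__":
    for pat, findings in review_rule(PROPOSED).items():
        for name, detail in findings:
            print(f"{pat}: {name}: {detail}")
```

A pattern that is reported here is a candidate for narrowing to a full path, or to a path plus signer where the module supports signers, before the rule is created.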