Add a Legacy Exception Rule

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-03-22
Last date published
2023-09-25
Category
Administrator Guide

Legacy Exception rules enable you to configure an exception to prevention and protection modules on endpoints for selected profiles.

Prior to Cortex XDR version 3.5, Legacy Exceptions were configured through profiles.

Starting with version 3.5, Cortex XDR enables you to manage the Malware Security exceptions from a central location and easily apply them across multiple profiles in the Legacy Agent Exceptions Management page. 

To manage the prevention profile exceptions from Exception Configuration, you must first migrate your existing exceptions configured via the Prevention profiles.

Your migrated rules are displayed on the Settings > Exception Configurations > Legacy Agent Exceptions page. For more information about the migration, see Exception Configuration.

Create a new Legacy Exception rule.

  1. From Settings > Exception Configurations > Legacy Agent Exceptions, select + Add Rule.

  2. Select the platform for which you want to create an agent exception.

  3. Select the Module for which you want to create an exception.

  4. For each module, specify the following parameters.

    Type: Malware

    Module: Respond to Malicious Causality Chains
    Platform: Windows
    Parameters: Add to your allow list specific, known safe IP addresses or IP address ranges that you do not want Cortex XDR to block.

    Module: Behavioral Threat Protection
    Platform: Windows, MacOS, Linux
    Parameters: Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Office Files with Macros Examination
    Platform: Windows
    Parameters: Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Portable Executable and DLL Examination
    Platform: Windows
    Parameters: Add to your allow list the file or folder path and the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Malicious Child Process Protection
    Platform: Windows
    Parameters: Add to your allow list the parent processes that can launch child processes, with optional execution criteria. Specify the allow list criteria, including the Parent Process Name, Child Process Name, and Command Line Params. Use ? to match a single character or * to match any string of characters.

    Module: Ransomware Protection
    Platform: Windows
    Parameters: Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Endpoint Scanning
    Platform: Windows, MacOS, Linux
    Parameters: Add to your allow list the file or folder path and the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Credential Gathering Protection
    Platform: Windows, MacOS, Linux
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Anti Webshell Protection
    Platform: Windows, MacOS, Linux
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Financial Malware Threat Protection
    Platform: Windows, MacOS, Linux
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Cryptominers Protection
    Platform: Windows, MacOS, Linux
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: In-process Shellcode Protection
    Platform: Windows
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Malicious Device Prevention
    Platform: Windows
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: UAC Bypass Prevention
    Platform: Windows
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Anti Tampering Protection
    Platform: Windows, MacOS
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Mach-O Files Examination
    Platform: MacOS
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: DMG File Examination
    Platform: MacOS
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Local File Threat Examination
    Platform: Linux
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: ELF File Examination
    Platform: Linux
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Reverse Shell Protection
    Platform: Linux
    Parameters: Specify the Process Path, the Local IP Address and port, and the Remote IP Address and port of the process you want to allow. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: APK Files Examination
    Platform: Android
    Parameters: Specify the signers you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: SMS and MMS Malicious URL Filtering Allow List
    Platform: iOS
    Parameters: Add to your allow list known safe URLs that you do not want Cortex XDR to block.

    Module: Call and Messages Blocking Allow List
    Platform: iOS
    Parameters: Add to your allow list the names and phone numbers of contacts that you do not want Cortex XDR to block.

    Module: Dynamic Kernel Protection
    Platform: Windows
    Parameters: Add to your allow list the file or folder path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Type: Restrictions

    Module: Executable Files
    Platform: Windows
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Network Location Files
    Platform: Windows
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Optical Drive Files
    Platform: Windows
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Module: Removable Media Files
    Platform: Windows
    Parameters: Add to your allow list the file or folder paths to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

    Type: Exceptions

    Module: Process Exceptions
    Platform: Windows, MacOS, Linux
    Parameters: Add to your allow list the process and the module names to exclude from evaluation. Use ? to match a single character or * to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.

  5. Select all to apply the exception to all profiles for this module or select specific profiles.
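As an added example (not from the Cortex XDR documentation or product), the following Python models how the ? and * wildcards described in the table scope a path or Malicious Child Process Protection exception, so an administrator can check how broad a rule is before applying it across profiles. It assumes matching is case-insensitive and that * may span path separators; the guide states neither, and the sample events and rule names are constructed.

```python
import re
from dataclasses import dataclass

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an allow-list pattern into a regex: '?' matches exactly one
    character, '*' matches any string of characters (as the guide states).
    Assumptions not stated in the guide: matching is case-insensitive (Windows
    paths) and '*' may span path separators."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def matches(pattern: str, value: str) -> bool:
    return pattern_to_regex(pattern).match(value) is not None

@dataclass(frozen=True)
class ChildProcessException:
    """One Malicious Child Process Protection rule: all three criteria must match."""
    parent: str
    child: str
    cmdline: str

    def covers(self, parent: str, child: str, cmdline: str) -> bool:
        return (matches(self.parent, parent) and matches(self.child, child)
                and matches(self.cmdline, cmdline))

# Constructed sample process-launch events: (parent path, child path, command line).
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Vendor\\updater.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec /i \"C:\\Program Files\\Vendor\\update.msi\" /qn"),
    ("C:\\Program Files\\Vendor\\updater.exe", "C:\\Windows\\System32\\msiexec.exe",
     "msiexec /i C:\\Users\\Public\\unknown.msi /qn"),
]

# Rule scoped to the vendor's own package directory through the command line.
NARROW = ChildProcessException("*\\Vendor\\updater.exe", "*\\msiexec.exe", "*\\Vendor\\*.msi*")
# Same parent and child, but '*' as the command line allows any package at all.
BROAD = ChildProcessException("*\\Vendor\\updater.exe", "*\\msiexec.exe", "*")

def review_rule(rule: ChildProcessException) -> list:
    """Indices of SAMPLE_EVENTS the rule would allow; use it to check a rule's breadth."""
    return [i for i, ev in enumerate(SAMPLE_EVENTS) if rule.covers(*ev)]

if __name__ == "__main__":
    print("narrow rule allows events:", review_rule(NARROW))  # [0]
    print("broad rule allows events:", review_rule(BROAD))    # [0, 1]
```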