How to check that the FILES / FOLDERS IN ALLOW LIST for "Portable Executable and DLL Examination" has been applied properly to an endpoint, either on the endpoint itself or from a support file
Created On 06/18/24 06:00 AM - Last Modified 10/28/25 21:34 PM
Objective
Here are the steps to check that the FILES / FOLDERS IN ALLOW LIST for "Portable Executable and DLL Examination" has been applied properly to an endpoint, either on the endpoint itself or from a support file.
Environment
Cortex XDR
Procedure
Here are the steps for Windows and for a support file. The cytool command used is the same on macOS and Linux; if you are not sure how to run cytool on a given OS, check the procedure for that OS first.
- Start a command prompt as Administrator.
- Run the command "cytool persist print" against agent_settings.db, and enter the supervisor password if prompted.
NOTE: For a support file, point the command at the agent_settings.db taken from the unzipped support file:
"%ProgramFiles%\Palo Alto Networks\Traps\cytool.exe" persist print agent_settings.db
- Check whitelistFolders in the examinePortableExecutables record of the output:
{
  "mode": "block",
  "type": "examinePortableExecutables",
  "settings": {
    "whitelistFolders": ["\FOLDER1\*", "\FOLDER2\*", "\FOLDER3\*"],
    "verdicts": {
      "unknown": {"block": false, "localAnalysis": false},
      "benignLowConfidence": {"block": false, "localAnalysis": false}
    },
    "quarantineLocalAnalysis": false,
    "whitelistSigners": [],
    "upload": false,
    "localAnalysis": false,
    "quarantine": false,
    "unknownVerdicts": false,
    "grayware": false
  }
},
Here, the 3 folders "\FOLDER1\*", "\FOLDER2\*" and "\FOLDER3\*" are set as FILES / FOLDERS IN ALLOW LIST for "Portable Executable and DLL Examination".
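When the check has to be repeated across many endpoints or support files, reading the allow list out of the cytool output by eye does not scale. The following script is an added example (not Palo Alto Networks code, not part of this article) that parses the saved output of "cytool persist print agent_settings.db", pulls the whitelistFolders of the examinePortableExecutables record, and compares it with the allow list expected from the console. It assumes the output contains JSON records of the shape shown above, one or more of them, possibly separated by commas, and that backslashes in the printed folder paths may not be JSON-escaped (as in the article's sample), so it normalises them before parsing; the sample record embedded below is constructed from the article's output.

```python
"""Verify the Cortex XDR "Portable Executable and DLL Examination" allow list
from saved `cytool persist print agent_settings.db` output.

Added example, not Palo Alto Networks code. Assumptions:
  * the output holds one or more JSON records with "type" and "settings" keys,
    optionally separated by commas, newlines or array brackets;
  * backslashes inside printed paths may be unescaped, so they are doubled
    before JSON parsing (an already escaped "\\\\" is left alone).
"""
import json
import re

# Constructed sample, copied in the shape the article shows (raw string, so the
# single backslashes survive exactly as cytool printed them).
SAMPLE_OUTPUT = r'''{"mode":"block","type":"examinePortableExecutables","settings":{"whitelistFolders":["\FOLDER1\*","\FOLDER2\*","\FOLDER3\*"],"verdicts":{"unknown":{"block":false,"localAnalysis":false},"benignLowConfidence":{"block":false,"localAnalysis":false}},"quarantineLocalAnalysis":false,"whitelistSigners":[],"upload":false,"localAnalysis":false,"quarantine":false,"unknownVerdicts":false,"grayware":false}},'''

# Matches either an already escaped backslash pair, or a lone backslash that is
# not the start of a valid JSON escape; both are rewritten to a backslash pair.
_ESCAPE = re.compile(r'\\\\|\\(?!["/bfnrtu])')


def _normalise_backslashes(text):
    return _ESCAPE.sub(r'\\\\', text)


def _iter_records(text):
    """Yield every JSON object in the output, tolerating trailing commas,
    array brackets and non-JSON lines between records."""
    decoder = json.JSONDecoder()
    pos, n = 0, len(text)
    while pos < n:
        while pos < n and text[pos] in ' \t\r\n,[]':
            pos += 1
        if pos >= n:
            break
        try:
            obj, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            # not a JSON record here; skip to the next line
            nl = text.find('\n', pos)
            pos = n if nl == -1 else nl + 1
            continue
        if isinstance(obj, dict):
            yield obj
        pos = end


def get_pe_allow_list(output):
    """Return whitelistFolders of the examinePortableExecutables record,
    or None when that record is absent (policy not applied, or wrong file)."""
    for rec in _iter_records(_normalise_backslashes(output)):
        if rec.get("type") == "examinePortableExecutables":
            return rec.get("settings", {}).get("whitelistFolders", [])
    return None


def verify_allow_list(output, expected):
    """Compare the endpoint's allow list with the one configured in the console.
    Returns (ok, missing_on_endpoint, unexpected_on_endpoint)."""
    actual = get_pe_allow_list(output)
    if actual is None:
        return False, sorted(expected), []
    actual_set, expected_set = set(actual), set(expected)
    missing = sorted(expected_set - actual_set)
    unexpected = sorted(actual_set - expected_set)
    return (not missing and not unexpected), missing, unexpected


if __name__ == "__main__":
    # Usage: paste the cytool output into a file and pass its contents here.
    expected = ["\\FOLDER1\\*", "\\FOLDER2\\*", "\\FOLDER3\\*"]
    ok, missing, unexpected = verify_allow_list(SAMPLE_OUTPUT, expected)
    print("allow list matches console:", ok)
    print("missing on endpoint:", missing)
    print("unexpected on endpoint:", unexpected)
```

Run it against the text captured from the endpoint or from the support file's agent_settings.db; a result of None from get_pe_allow_list means the examinePortableExecutables record was not found at all, which is a different problem from a folder being missing and is worth reporting separately.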