Blacklist

EDR Agents immediately identify files on the blacklist and block them from executing, based on the policy. Files on the blacklist are defined by their SHA1 hash.

View the Blacklist

  • Each EDR Policy has its own blacklist items and also inherits those of the Default Group EDR Policy

To see blacklist items:

  1. Open the EDR Policy
  2. Select the Blacklist tab
  3. The blacklist of the selected EDR Policy is displayed

You can add a hash to the blacklist manually, or add it to the blacklist automatically after it appears in your Management Console.

When you run a mitigation action on a threat, you have an option to add that threat to the blacklist at the same time.

Adding to the Blacklist

To add a file to the blacklist before it enters your network:

You must know the SHA1 hash of the file.

  1. Edit the Policy to which you want to add the SHA1 blacklist item
  2. Navigate to the Blacklist tab
  3. Click Add new
  4. The New Binary dialog opens:
    • In the OS field, select from the drop-down menu the OS on which this file will be blocked
    • In the SHA1 field, enter the SHA1 hash of the file to be blocked
    • In the Description field, enter a phrase to make it easy for you and other console users to identify this file
  5. Click Save
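
Because the SHA1 field takes only a SHA1 value, it helps to compute the hash of a file you hold and to check hashes received from other sources before entering them. The following Python sketch is an added example, not part of the product or its documentation; the function names and the lowercase normalization are assumptions, and the sample values are constructed.

```python
import hashlib
import re

HEX_RE = re.compile(r"[0-9a-f]+")
# Hex digest lengths of other hash types often mixed into indicator lists.
OTHER_TYPES = {32: "MD5", 64: "SHA256"}


def sha1_of_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_sha1(value):
    """Return the 40-character lowercase hex form, or raise ValueError with the reason."""
    cleaned = value.strip().lower()
    if not HEX_RE.fullmatch(cleaned):
        raise ValueError("not a hexadecimal string")
    if len(cleaned) == 40:
        return cleaned
    kind = OTHER_TYPES.get(len(cleaned))
    raise ValueError(f"looks like {kind}, not SHA1" if kind
                     else f"{len(cleaned)} hex characters, SHA1 has 40")


def prepare_entries(candidates):
    """Split candidates into unique valid SHA1 values (input order kept) and rejects."""
    accepted, rejected = [], []
    for raw in candidates:
        try:
            sha1 = normalize_sha1(raw)
        except ValueError as err:
            rejected.append((raw, str(err)))
            continue
        if sha1 not in accepted:
            accepted.append(sha1)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: digests of the three bytes b"abc", not real indicators.
    samples = [
        "A9993E364706816ABA3E25717850C26C9CD0D89D ",   # SHA1, upper case, trailing space
        "a9993e364706816aba3e25717850c26c9cd0d89d",    # duplicate of the first
        "900150983cd24fb0d6963f7d28e17f72",            # MD5 of the same bytes
    ]
    ok, bad = prepare_entries(samples)
    print("enter in SHA1 field:", ok)
    print("rejected:", bad)
```

Values that are rejected as MD5 or SHA256 cannot be converted to SHA1; the SHA1 has to be computed from the file itself or obtained from the source that supplied the indicator.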

 

To add a file to the blacklist after it is marked as suspicious or a threat:

  1. In the RMM left navigation bar, select Integrations > EDR > Analyze
  2. Select one or more threats or suspicious items
  3. Click Threat Actions > Add To Blacklist
  4. If the selected detection is Suspicious, select Mark as Threat to add the item to the blacklist and mark it as a threat
  5. In the Add to Blacklist window, the OS, SHA1 hash, Scope, and Description are taken automatically from the threat or threats selected
  6. If multiple threats were selected with different values, the field shows According to selected threats

    The Analyst Verdict of the threat is automatically changed to True Positive when you add it to the blacklist

  7. Click Save