Configure TDR Signature Overrides

You can specify signature overrides in your TDR configuration for specific files and processes. To specify an override, you can add the MD5 values of files or processes so that TDR considers the file as either safe or malicious. For each signature override you specify, you can select whether to add it to the Allowlist. There are two types of signature overrides:


An allowlist override identifies a file or process that you consider safe and do not want TDR to scan or mitigate (for example to perform the kill or quarantine actions). Existing indicators for files added to the allowlist are assigned a score of 0. TDR does not create new indicators for files that match the MD5 value in an allowlist override.

To add an allowlist signature override, in the signature override settings, select the Allowlist check box.


A threatlist override identifies a file or process that you want TDR to always consider a threat. A signature override applies only after you add it and does not affect the score of that MD5 if it has been detected in the past. Indicators for files on the threatlist are assigned a threat score of 8 if the Host Sensor does not take action to mitigate the threat.

To add a threat signature override, in the signature override settings, make sure the Allowlist check box is not selected.

To add a file that was identified in a previous indicator to the override list, copy the MD5 value for the file from the Indicators page.

To see the MD5 value for an indicator:

  1. In the Indicator column, find the indicator.
  2. Click Additional Information.

To find the MD5 value of any file, you can also use an MD5 file hash calculator utility.

If you execute an action to remove a file from quarantine, the system automatically adds the MD5 value for that file to the Allowlist.

Search for MD5 in Threatlist and Allowlist

On the Signature Overrides page, you can search for a MD5 to see if it is on the Threatlist or Allowlist.

Add a Signature Override

To add a signature override you must log in as an Analyst.

Back Up or Import Signature Overrides

You can save a backup of all signature overrides to an .XML file. To add the signature overrides to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to easily copy signature overrides configured in one managed customer account to another managed account. To avoid duplicate overrides, the imported signature overrides are merged with the existing list of signature overrides.

To import signature overrides from a saved signature overrides .XML file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box opens.
  3. Click Import.
    The signature overrides from the file are added to th Signature Overrides list.

Edit or Remove a Signature Override

To edit a signature override:

  1. At the left side of the column, click the arrow.
    The Edit Signature Overrides dialog box opens.

Screen shot of the Edit Signature Override dialog box

  1. Edit the settings.
  2. Click Save & Close.
    The change is saved, and the Edit settings collapse.

To remove a signature override:

  1. In the row of the signature override to remove, click .
  2. Click Remove Signature Override.
  3. Click Yes, Delete.