Restrictions prevention profiles limit the locations from which executables can run on an endpoint.
By default, the Cortex XDR agent receives a default profile that contains a pre-defined configuration for each restriction capability. The default setting for each capability is shown in parentheses in the user interface. To fine-tune your restrictions prevention policy, you can override the default configuration of each capability as follows. For each setting that you override, clear the Use Default option, and select the setting of your choice.
Block: Block file execution.
Notify: Allow file execution, but notify the user that the file is attempting to run from a suspicious location. The Cortex XDR agent also reports the event to Cortex XDR.
Report: Allow file execution, but report it to Cortex XDR.
Disabled: Disable the module, and do not analyze or report execution attempts from restricted locations.
To customize the configuration for specific Cortex XDR agents, configure a new restrictions prevention profile and assign it to one or more policy rules. You can restrict files from running from specific local folders, or from removable media.
Add a new profile and define basic settings.
From Cortex XDR, select Inventory → Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Windows platform, and Restrictions as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name is visible in the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include a case identification number or a link to a help desk ticket.
Configure Executable Files to restrict file execution to pre-defined locations.
Action Mode (Block, Notify, Report, or Disabled): When the Cortex XDR agent detects execution of files from outside the pre-defined locations, it performs the configured action.
Block List: To add files or folders to the Block List, click +Add, enter the path, and press Enter. To add more files or folders, click +Add again. You can use wildcards to match a partial folder name, and you can use environment variables in the path. Use ? to match any single character, or * to match any string of characters. To match a folder, you must terminate the path with * so that all files in the folder are matched (for example, c:\temp\*).
Allow List: To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
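The following Python is an added example, not code from the Cortex XDR documentation or the agent itself. It models the Block List pattern rules described above (? for one character, * for any string, environment variables in the path, and the trailing * that a folder entry needs before its contents are matched) so that an administrator can check what a proposed entry would cover before deploying it. The environment-variable table is constructed, and case-insensitive matching and * spanning subfolder separators are assumptions of this example, not statements from the documentation.

```python
import re

# Constructed environment-variable values (an assumption: the real agent
# expands the endpoint's own variables; this example substitutes from a fixed table).
ENV = {
    "SYSTEMDRIVE": "C:",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}


def expand_env(path: str) -> str:
    """Replace %VAR% references using the constructed ENV table.
    Unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Block List entry into an anchored regex.
    ? matches any single character; * matches any string of characters
    (assumed here to include backslashes, so c:\\temp\\* also covers subfolders).
    Matching is case-insensitive because Windows paths are (assumption)."""
    parts = []
    for ch in expand_env(pattern):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the executable path is covered by the Block List entry."""
    return pattern_to_regex(pattern).match(path) is not None


def evaluate(block_list: list, path: str):
    """Return the first Block List entry that covers `path`, or None if the
    execution would not be restricted by this list."""
    for entry in block_list:
        if matches(entry, path):
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample entries and paths.
    block_list = [r"c:\temp\*", r"%TEMP%\*", r"c:\temp"]
    for p in (r"C:\Temp\payload.exe", r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
              r"C:\Windows\System32\cmd.exe"):
        print(p, "->", evaluate(block_list, p))
    # The entry without a trailing * matches only the folder path itself.
    print(r"c:\temp vs C:\Temp\payload.exe ->", matches(r"c:\temp", r"C:\Temp\payload.exe"))
```

The last line of the demo shows the pitfall the documentation warns about: an entry such as c:\temp without the trailing * does not cover executables inside the folder, so a block list built that way silently restricts nothing.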
Configure Network Location Files to restrict access to all network locations except for explicitly trusted ones.
Action Mode (Block, Notify, Report, or Disabled): When the Cortex XDR agent detects execution of files from network locations that are not trusted, it performs the configured action.
Allow List: To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
Configure Removable Media Files to restrict file execution launched from external drives that are attached to endpoints in your network.
Action Mode (Block, Notify, Report, or Disabled): When the Cortex XDR agent detects execution of files from removable media, it performs the configured action.
Allow List: To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
Configure Optical Drive Files to restrict file execution launched from optical disc drives that are attached to endpoints in your network.
Action Mode (Block, Notify, Report, or Disabled): When the Cortex XDR agent detects execution of files from an optical disc drive, it performs the configured action.
Allow List: To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
Configure Custom Prevention Rules.
Action Mode (Enabled or Disabled): When user-defined BIOC prevention rules are present in the system, you can enable them here. Ensure that the user-defined BIOC prevention rules that you want to enable contain only the following:
Investigation types:
file_event
process_execution
remote_code_execution
network_event
windows_event_log
module_event
Subtypes:
file_event
network_event
registry_event
windows_event_log
Other event subtypes are not supported here, and rules containing them will not be available for selection.
Note
Configure custom BIOC prevention rules here:
Detection Rules → BIOC
To save the profile, click Create.
To apply your new profile to endpoints, add it to a policy rule. If you still need to define other profiles, you can do this later. When you create or edit a policy rule, you select the endpoints to which the policy is assigned. You can do this in any of the following ways:
Navigate to Inventory → Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Inventory → Endpoints → Policy Management → Prevention → Policy Rules.
Right-click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Inventory → Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.
Add a new profile and define basic settings.
From Cortex XDR, select Inventory → Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the macOS platform, and Restrictions as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name is visible in the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include a case identification number or a link to a help desk ticket.
Configure Custom Prevention Rules.
Action Mode (Enabled or Disabled): When user-defined BIOC prevention rules are present in the system, you can enable them here. Ensure that the user-defined BIOC prevention rules that you want to enable contain only the following:
Investigation types:
file_event
process_execution
remote_code_execution
network_event
windows_event_log
module_event
Subtypes:
file_event
network_event
registry_event
windows_event_log
Other event subtypes are not supported here, and rules containing them will not be available for selection.
Note
Configure custom BIOC prevention rules here:
Detection Rules → BIOC
To save the profile, click Create.
To apply your new profile to endpoints, add it to a policy rule. If you still need to define other profiles, you can do this later. When you create or edit a policy rule, you select the endpoints to which the policy is assigned. You can do this in any of the following ways:
Navigate to Inventory → Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Inventory → Endpoints → Policy Management → Prevention → Policy Rules.
Right-click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Inventory → Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.
Add a new profile and define basic settings.
From Cortex XDR, select Inventory → Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Linux platform, and Restrictions as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name is visible in the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include a case identification number or a link to a help desk ticket.
Configure Custom Prevention Rules.
Action Mode (Enabled or Disabled): When user-defined BIOC prevention rules are present in the system, you can enable them here. Ensure that the user-defined BIOC prevention rules that you want to enable contain only the following:
Investigation types:
file_event
process_execution
remote_code_execution
network_event
windows_event_log
module_event
Subtypes:
file_event
network_event
registry_event
windows_event_log
Other event subtypes are not supported here, and rules containing them will not be available for selection.
Note
Configure custom BIOC prevention rules here:
Detection Rules → BIOC
To save the profile, click Create.
To apply your new profile to endpoints, add it to a policy rule. If you still need to define other profiles, you can do this later. When you create or edit a policy rule, you select the endpoints to which the policy is assigned. You can do this in any of the following ways:
Navigate to Inventory → Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Inventory → Endpoints → Policy Management → Prevention → Policy Rules.
Right-click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Inventory → Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.
The profile configuration for serverless functions provides runtime protection for process, networking, and file resources in your cloud environment.
The configuration of each resource type is based on allow lists and deny lists:
Denied list (default): The system allows all resources.
Denied with exceptions: The system allows all resources except those specified in the list.
Allowed list: The system denies all resources.
Allowed with exceptions: The system denies all resources except those specified in the list.
Add a new profile and define basic settings.
From Cortex XDR, select Inventory → Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Serverless Function platform and Restrictions as the profile type, and then click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name is visible in the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description.
Configure Restrictions. For each item, choose the method (Allowed list or Denied list) and add the entries.
Process List (Allowed list or Denied list): Add processes, for example curl.
Networking (Allowed list or Denied list):
Listening Ports: Add ports, for example 8080, or 8080-8083 for a range.
Outbound Internet Ports: Add ports, for example 22, or 22-25 for a range.
Outbound IPs: Add IPs, for example 198.51.100.0/24 or 198.51.100.1.
Domains: Add domains, for example example.com, *ample.co*, or * for all domains.
Note
Wildcards are supported.
Files & Folders (Allowed list or Denied list): Add file paths and/or folders, for example /tmp/example/.
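The following Python is an added example, not code from Cortex XDR, that shows how the four list modes described above and the entry formats in the restrictions table combine when a runtime event is checked. The profile values are constructed from the examples on the page; the assumptions of this example are that a Denied list denies only listed entries (so an empty one allows everything), that an Allowed list allows only listed entries (so an empty one denies everything), that process entries match by exact name, that a folder entry ending in / covers everything beneath it, and that domain wildcards follow shell-style glob matching.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed profile for one function, using the entry formats from the table.
PROFILE = {
    "process":   {"mode": "denied",  "entries": ["curl"]},
    "ports":     {"mode": "allowed", "entries": ["8080", "8080-8083"]},   # listening ports
    "egress_ip": {"mode": "allowed", "entries": ["198.51.100.0/24", "198.51.100.1"]},
    "domains":   {"mode": "allowed", "entries": ["example.com", "*ample.co*"]},
    "files":     {"mode": "denied",  "entries": ["/tmp/example/"]},
}


def process_in_list(entries, name: str) -> bool:
    """Exact process-name match (assumption)."""
    return name in entries


def port_in_list(entries, port: int) -> bool:
    """Entries are single ports ("8080") or inclusive ranges ("8080-8083")."""
    for entry in entries:
        low, _, high = entry.partition("-")
        if high:
            if int(low) <= port <= int(high):
                return True
        elif int(low) == port:
            return True
    return False


def ip_in_list(entries, ip: str) -> bool:
    """Entries are CIDR blocks or single addresses (a bare address is a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in entries)


def domain_in_list(entries, name: str) -> bool:
    """Glob-style wildcards, case-insensitive: '*ample.co*' or '*' for all (assumption)."""
    return any(fnmatchcase(name.lower(), entry.lower()) for entry in entries)


def path_in_list(entries, path: str) -> bool:
    """A folder entry ending in '/' covers everything beneath it (assumption)."""
    return any(path == e or (e.endswith("/") and path.startswith(e)) for e in entries)


MATCHERS = {
    "process": process_in_list,
    "ports": port_in_list,
    "egress_ip": ip_in_list,
    "domains": domain_in_list,
    "files": path_in_list,
}


def decide(resource: str, value, profile=PROFILE) -> str:
    """Return 'allow' or 'deny' for one runtime event against the profile.
    Denied list: listed entries are denied, everything else allowed.
    Allowed list: listed entries are allowed, everything else denied."""
    cfg = profile[resource]
    listed = MATCHERS[resource](cfg["entries"], value)
    if cfg["mode"] == "denied":
        return "deny" if listed else "allow"
    return "allow" if listed else "deny"


if __name__ == "__main__":
    # Constructed runtime events.
    for resource, value in [("process", "curl"), ("ports", 8082), ("ports", 22),
                            ("egress_ip", "198.51.100.77"), ("domains", "sample.co.uk"),
                            ("files", "/tmp/example/a.sh")]:
        print(resource, value, "->", decide(resource, value))
```

Note the asymmetry of the defaults: with nothing listed, a Denied list is a no-op while an Allowed list blocks every event of that type, so switching a resource from Denied list to Allowed list without populating entries will break the function.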
To apply your new profile to endpoints, add it to a policy rule. If you still need to define other profiles, you can do this later. When you create or edit a policy rule, you select the endpoints to which the policy is assigned. You can do this in any of the following ways:
Navigate to Inventory → Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Inventory → Endpoints → Policy Management → Prevention → Policy Rules.
Right-click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Inventory → Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.