Restrictions prevention profiles limit the locations from which executables can run on an endpoint.
By default, every Cortex XDR agent receives a default profile that contains a pre-defined configuration for each restriction capability. The default setting for each capability is shown in parentheses in the user interface. To fine-tune your restrictions prevention policy, you can override the default configuration of any capability: clear the Use Default option for that setting and select one of the following.
Block: Block file execution.
Notify: Allow file execution, but notify the user that the file is attempting to run from a suspicious location. The Cortex XDR agent also reports the event to Cortex XDR.
Report: Allow file execution, but report it to Cortex XDR.
Disabled: Disable the module, and do not analyze or report execution attempts from restricted locations.
To customize the configuration for specific Cortex XDR agents, configure a new restrictions prevention profile and assign it to one or more policy rules. You can restrict files from running from specific local folders, from untrusted network locations, from removable media, or from optical drives. Because Notify and Report allow execution while still sending events to Cortex XDR, use one of them to validate a new profile and confirm what it matches before changing the Action Mode to Block.
For Windows, add a new profile and define basic settings.
From Cortex XDR, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Windows platform, and Restrictions as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure Executable Files to restrict file execution to pre-defined locations.
Action Mode: Block, Notify, Report, or Disabled. When the Cortex XDR agent detects execution of a file from outside the pre-defined locations, it performs the configured action.
Block List: To add files or folders to the Block List, click +Add, enter the path, and press Enter. To add more files or folders, click +Add again. A path can contain environment variables and wildcards that match a partial file or folder name: ? matches any single character, and * matches any string of characters. To match a folder, you must terminate the path with * so that all files in the folder match (for example, c:\temp\*); a folder path without the trailing * does not match the files inside it.
Allow List: To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
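The following is an added example, not code from the Cortex XDR documentation or the product. It models how a Block List entry written with ?, * and environment variables is matched against the full path of an executable, how each Action Mode turns a match into an outcome, and it lints the list for entries that can never match (a folder path without the trailing *, or a misspelled variable). The block list, environment values and executable paths are constructed for the example; the %VAR% syntax, case-insensitive comparison, the assumption that * also spans subfolders, and the assumption that a Block generates a reported event are not stated on the page and should be confirmed in Report mode before enforcing.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample environment. On a real endpoint the agent resolves the
# endpoint's own variables; these values are assumptions for the example.
SAMPLE_ENV: Dict[str, str] = {
    "SYSTEMDRIVE": "C:",
    "USERPROFILE": r"C:\Users\alice",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# Constructed block list in the page's syntax: ? = one character, * = any run.
SAMPLE_BLOCK_LIST: List[str] = [
    r"c:\temp\*",                              # folder entry with the required trailing *
    r"%TEMP%\*.exe",                           # environment variable plus wildcard (assumed %VAR% syntax)
    r"%USERPROFILE%\Downloads\setup-v?.exe",   # ? matches exactly one character
    "c:\\staging\\",                           # mistake: no trailing *, never matches a file
    r"%PROGDATA%\*",                           # mistake: misspelled variable never resolves
]


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references; Windows variable names are case-insensitive.
    Unknown variables are left as written so that lint can report them."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%\\]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def normalize(path: str) -> str:
    """Windows paths compare case-insensitively and accept either separator."""
    return path.replace("/", "\\").lower()


def entry_to_regex(entry: str, env: Dict[str, str]) -> re.Pattern:
    """Translate one block-list entry into an anchored regex.
    Assumption: * may also span backslashes, so c:\temp\* matches files in
    subfolders too. The page does not say whether the product's match is recursive."""
    parts = []
    for ch in normalize(expand_env(entry, env)):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matching_entry(exe_path: str, block_list: List[str], env: Dict[str, str]) -> Optional[str]:
    """Return the first block-list entry that matches the executable's full path, else None."""
    target = normalize(exe_path)
    for entry in block_list:
        if entry_to_regex(entry, env).match(target):
            return entry
    return None


class Outcome(NamedTuple):
    allowed: bool        # does the executable run?
    user_notified: bool  # does the user see a notification?
    reported: bool       # is an event sent to Cortex XDR?
    entry: Optional[str] # the block-list entry that matched, if analysis ran


def evaluate(exe_path: str, block_list: List[str], action_mode: str, env: Dict[str, str]) -> Outcome:
    """Apply the Action Mode semantics described on the page to one execution attempt."""
    if action_mode == "Disabled":            # module off: nothing analyzed or reported
        return Outcome(True, False, False, None)
    entry = matching_entry(exe_path, block_list, env)
    if entry is None:                        # not a restricted location: run silently
        return Outcome(True, False, False, None)
    if action_mode == "Block":               # reporting on block is an assumption, not on the page
        return Outcome(False, False, True, entry)
    if action_mode == "Notify":              # runs, user is told, event reported
        return Outcome(True, True, True, entry)
    if action_mode == "Report":              # runs, only the event is reported
        return Outcome(True, False, True, entry)
    raise ValueError(f"unknown action mode: {action_mode}")


def lint_block_list(block_list: List[str], env: Dict[str, str]) -> List[str]:
    """Flag entries that can never match an executable: a path ending in a separator
    (a folder without the required trailing *) and unresolved %VAR% references."""
    problems = []
    for entry in block_list:
        expanded = expand_env(entry, env)
        if expanded.endswith(("\\", "/")):
            problems.append(f"{entry}: folder entry must end with * (for example {entry}*)")
        if re.search(r"%[^%\\]+%", expanded):
            problems.append(f"{entry}: unresolved environment variable")
    return problems


if __name__ == "__main__":
    for problem in lint_block_list(SAMPLE_BLOCK_LIST, SAMPLE_ENV):
        print("lint:", problem)
    for path in [r"C:\Temp\payload.exe", r"C:\Users\alice\Downloads\setup-v2.exe",
                 r"C:\Users\alice\Downloads\setup-v10.exe", r"C:\Staging\tool.exe"]:
        print(path, "->", evaluate(path, SAMPLE_BLOCK_LIST, "Block", SAMPLE_ENV))
```

Running the lint before you raise the profile to Block catches the two classic mistakes the page warns about: c:\staging\ silently matches nothing because the trailing * is missing, and a misspelled variable never expands. Note that setup-v10.exe is allowed while setup-v2.exe is blocked, because ? matches exactly one character; use * if you want both.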
Configure Network Location Files to restrict file execution from all network locations except explicitly trusted ones.
Action Mode: Block, Notify, Report, or Disabled. When the Cortex XDR agent detects execution of a file from a network location that is not trusted, it performs the configured action.
Allow List: To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
Configure Removable Media Files to restrict file execution from external drives that are attached to endpoints in your network.
Action Mode: Block, Notify, Report, or Disabled. When the Cortex XDR agent detects execution of a file from removable media, it performs the configured action.
Allow List: To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
Configure Optical Drive Files to restrict file execution from optical disc drives that are attached to endpoints in your network.
Action Mode: Block, Notify, Report, or Disabled. When the Cortex XDR agent detects execution of a file from an optical disc drive, it performs the configured action.
Allow List: To add files or folders to the Allow List, define a list on the Legacy Agent Exceptions page.
Configure Custom Prevention Rules.
Action Mode: Enabled or Disabled. When user-defined BIOC prevention rules are present in the system, you can enable them here.
Note
Configure custom BIOC prevention rules under Detection Rules → BIOC.
To save the profile, click Create.
If you are ready to apply your new profile to endpoints, add it to a policy rule. If you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which the policy applies. You can do this in any of the following ways:
Create a new rule from the profile: Navigate to Endpoints → Policy Management → Prevention → Profiles, right-click your new profile, select Create a new policy rule using this profile, and configure the policy rule.
Add the profile to an existing rule: Navigate to Endpoints → Policy Management → Prevention → Policy Rules, right-click an existing policy, select Edit, and add your new profile to the policy rule.
Create a new rule from scratch: Navigate to Endpoints → Policy Management → Prevention → Policy Rules, click Add Policy, and configure a new policy that includes your new profile.
For macOS, add a new profile and define basic settings.
From Cortex XDR, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the macOS platform, and Restrictions as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure Custom Prevention Rules.
Action Mode: Enabled or Disabled. When user-defined BIOC prevention rules are present in the system, you can enable them here.
Note
Configure custom BIOC prevention rules under Detection Rules → BIOC.
To save the profile, click Create.
If you are ready to apply your new profile to endpoints, add it to a policy rule. If you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which the policy applies. You can do this in any of the following ways:
Create a new rule from the profile: Navigate to Endpoints → Policy Management → Prevention → Profiles, right-click your new profile, select Create a new policy rule using this profile, and configure the policy rule.
Add the profile to an existing rule: Navigate to Endpoints → Policy Management → Prevention → Policy Rules, right-click an existing policy, select Edit, and add your new profile to the policy rule.
Create a new rule from scratch: Navigate to Endpoints → Policy Management → Prevention → Policy Rules, click Add Policy, and configure a new policy that includes your new profile.
For Linux, add a new profile and define basic settings.
From Cortex XDR, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile or import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Linux platform, and Restrictions as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure Custom Prevention Rules.
Action Mode: Enabled or Disabled. When user-defined BIOC prevention rules are present in the system, you can enable them here.
Note
Configure custom BIOC prevention rules under Detection Rules → BIOC.
To save the profile, click Create.
If you are ready to apply your new profile to endpoints, add it to a policy rule. If you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which the policy applies. You can do this in any of the following ways:
Create a new rule from the profile: Navigate to Endpoints → Policy Management → Prevention → Profiles, right-click your new profile, select Create a new policy rule using this profile, and configure the policy rule.
Add the profile to an existing rule: Navigate to Endpoints → Policy Management → Prevention → Policy Rules, right-click an existing policy, select Edit, and add your new profile to the policy rule.
Create a new rule from scratch: Navigate to Endpoints → Policy Management → Prevention → Policy Rules, click Add Policy, and configure a new policy that includes your new profile.