Endpoint Protection - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product: Cortex XDR
License: Prevent
Creation date: 2024-07-16
Last date published: 2024-12-04
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

This topic provides an overview of traditional endpoint protection versus the protection of endpoints using Cortex XDR.

Cyberattacks target endpoints to inflict damage, steal information or achieve other goals that involve taking control of computer systems. Attackers perpetrate cyberattacks either by causing a user to unintentionally run a malicious executable file, known as malware, or by exploiting a weakness in a legitimate executable file to run malicious code behind the scenes without the knowledge of the user.

One way to prevent these attacks is to identify executable files, dynamic-link libraries (DLLs), and other pieces of code to determine if they are malicious and, if so, to prevent the execution of these components by first matching each potentially dangerous code module against a list of specific, known threat signatures. The weakness of this method is that it is time-consuming for signature-based antivirus (AV) solutions to identify newly created threats that are known only to the attacker (also known as zero-day attacks or exploits) and add them to the lists of known threats, which leaves endpoints vulnerable until signatures are updated.

Cortex XDR takes a more efficient and effective approach to preventing attacks that eliminates the need for traditional AV. Rather than trying to keep up with the ever-growing list of known threats, Cortex XDR sets up a series of roadblocks—also referred to as traps—that prevent the attacks at their initial entry points—the point where legitimate executable files are about to unknowingly allow malicious access to the system.

Cortex XDR provides a multi-method protection solution with exploit protection modules that target software vulnerabilities in processes that open non-executable files and malware protection modules that examine executable files, DLLs, and macros for malicious signatures and behavior. Using this multi-method approach, Cortex XDR can prevent all types of attacks, whether these are known or unknown threats.

[Figure: Cortex XDR multi-method prevention]

Exploit Protection Overview

An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use these exploits to access and use a system to their advantage. Blocking any attempt to exploit a vulnerability in the chain will block the entire exploitation attempt.

To combat an attack in which an attacker takes advantage of a software exploit or vulnerability, Cortex XDR employs Endpoint Protection Modules (EPM). Each EPM targets a specific exploit type in the attack chain. Some capabilities that Cortex XDR EPMs provide are reconnaissance prevention, memory corruption prevention, code execution prevention, and kernel protection.

Malware Protection Overview

Malicious files, known as malware, are often disguised as or embedded in non-malicious files. These files can attempt to gain control, gather sensitive information, or disrupt the normal operations of the system. Cortex XDR prevents malware by employing the Malware Prevention Engine. This approach combines several layers of protection to prevent both known and unknown malware from causing harm to your endpoints. The mitigation techniques that the Malware Prevention Engine employs vary by endpoint type.

Malware Protection for Windows
  • WildFire integration—Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence.

  • Local static analysis—Enables Cortex XDR to use machine learning to analyze unknown files and issue a verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it receives the WildFire verdict from Cortex XDR.

  • DLL file protection—Enables Cortex XDR to block known and unknown DLLs on Windows endpoints.

  • Office file protection—Enables Cortex XDR to block known and unknown macros when run from Microsoft Office files on Windows endpoints.

  • Behavioral threat protection (Windows 7 SP1 and later versions)—Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables Cortex XDR to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.0 or a later release.

  • Evaluation of trusted signers—Permits unknown files that are signed by highly trusted signers to run on the endpoint.

  • Malware protection modules—Target behaviors—such as those associated with ransomware—and enable you to block the creation of child processes.

  • Policy-based restrictions—Enables you to block files from executing from within specific local folders, network folders, or external media locations.

  • Periodic and automated scanning—Enables you to block dormant malware that has not yet attempted to execute on endpoints.
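The behavioral threat protection item above turns on the idea that a chain of events can be malicious even when each event looks ordinary. The following toy detector, added here as an illustration and not code from Cortex XDR or Palo Alto Networks, reconstructs the parent-child ancestry (a causality chain) of every process from constructed process-creation events and flags only the chains in which a document-handling application is an ancestor of a script host. The event format, the `OFFICE_APPS` and `SCRIPT_HOSTS` sets and the rule itself are assumptions for the example; a real agent evaluates far richer event types than process creation.

```python
"""Toy causality-chain detector (added example, not Cortex XDR code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    ts: int        # event time, seconds (constructed)
    pid: int       # process id of the new process
    ppid: int      # process id of its parent
    image: str     # executable file name


# Constructed process-creation events. Every single line is benign on its own:
# Word is a normal program, cmd.exe is a normal program, PowerShell is a normal
# program. Only the ancestry makes the first branch worth an alert.
SAMPLE_EVENTS = [
    ProcessEvent(100, 400, 1, "explorer.exe"),
    ProcessEvent(101, 512, 400, "winword.exe"),
    ProcessEvent(104, 533, 512, "cmd.exe"),            # spawned by Word
    ProcessEvent(105, 540, 533, "powershell.exe"),     # grandchild of Word
    ProcessEvent(110, 600, 400, "cmd.exe"),            # user-launched shell
    ProcessEvent(111, 610, 600, "powershell.exe"),     # user-launched script host
]

# Assumed rule vocabulary for this example.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_chain(events, pid):
    """Return the ancestry chain [root, ..., pid] as image names by following
    ppid links. PID reuse is ignored for brevity (a later event for the same
    pid simply replaces the earlier one); the visited set guards against loops."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def is_suspicious(chain):
    """True when an Office application appears anywhere before a script host
    in the same chain, i.e. the script host descends from the document app."""
    for i, image in enumerate(chain):
        if image in OFFICE_APPS and any(c in SCRIPT_HOSTS for c in chain[i + 1:]):
            return True
    return False


def find_suspicious_chains(events):
    """Evaluate the full causality chain of every process and return the
    distinct chains that match the rule, in event order."""
    flagged = []
    for e in events:
        chain = build_chain(events, e.pid)
        if is_suspicious(chain) and chain not in flagged:
            flagged.append(chain)
    return flagged


if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

Run against the constructed events, the detector reports the two chains rooted in winword.exe and stays silent for the user-launched cmd.exe/powershell.exe pair, which is exactly the distinction a per-event signature cannot make.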

Malware Protection for Mac
  • WildFire integration—Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence.

  • Local static analysis—Enables Cortex XDR to use machine learning to analyze unknown files and issue a verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it receives the WildFire verdict from Cortex XDR.

  • Behavioral threat protection—Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables the Cortex XDR agent to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.1 or a later release.

  • Mach-O file protection—Enables you to block known malicious and unknown mach-o files on Mac endpoints.

  • DMG file protection—Enables you to block known malicious and unknown DMG files on Mac endpoints.

  • Evaluation of trusted signers—Permits unknown files that are signed by trusted signers to run on the endpoint.

  • Periodic and automated scanning—Enables you to block dormant malware that has not yet attempted to execute on endpoints.

Malware Protection for Linux
  • WildFire integration—Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence. WildFire integration requires Traps agent 6.0 or a later release.

  • Local static analysis—Enables the Cortex XDR agent to use machine learning to analyze unknown files and issue a verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it receives the WildFire verdict from Cortex XDR. Local analysis requires Traps agent 6.0 or a later release.

  • Behavioral threat protection—Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables Cortex XDR to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.1 or a later release.

  • ELF file protection—Enables you to block known malicious and unknown ELF files executed on a host server or within a container on a Cortex XDR-protected endpoint. Cortex XDR automatically suspends the file execution until a WildFire or local analysis verdict is obtained. ELF file protection requires Traps agent 6.0 or a later release.

  • Malware protection modules—Target the execution behavior of a file, such as the behaviors associated with reverse shells.

  • Periodic and automated scanning—Enables you to block dormant malware that has not yet attempted to execute on endpoints.
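The Windows, Mac and Linux lists above describe the same ordering of verdict sources: a known WildFire verdict is used when one exists, an unknown file signed by a trusted signer is allowed, and otherwise the local analysis verdict stands in until the WildFire verdict arrives (with ELF execution suspended while no verdict at all is available). The class below, added here as an illustration and not Cortex XDR or Palo Alto Networks code, models that precedence as a small state machine. The cloud verdict cache, the trusted-signer set, the marker-based `local_analysis` stub and the relative order of the trusted-signer check and local analysis are assumptions of the example, not documented agent behavior.

```python
"""Verdict precedence for an unknown file (added example, not Cortex XDR code)."""
import hashlib

ALLOW, BLOCK, SUSPEND = "allow", "block", "suspend"

# Constructed trusted signer names (assumption for this example).
TRUSTED_SIGNERS = {"Example Trusted Publisher"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def local_analysis(data: bytes) -> str:
    """Toy stand-in for the local static analysis module (assumption: a
    marker check, not the real machine-learning model)."""
    return "malware" if b"EVIL_MARKER" in data else "benign"


class VerdictResolver:
    def __init__(self, cloud_verdicts=None, trusted_signers=TRUSTED_SIGNERS):
        # sha256 -> "malware"/"benign"; plays the role of the WildFire verdict cache.
        self.cloud = dict(cloud_verdicts or {})
        self.trusted = set(trusted_signers)
        self.pending = set()        # hashes still waiting for a cloud verdict
        self.provisional = {}       # hash -> local verdict used in the meantime

    def decide(self, data, signer=None, local_available=True):
        """Return (action, source) for one execution attempt of `data`."""
        h = sha256(data)
        # 1. A known cloud verdict always wins.
        if h in self.cloud:
            return (BLOCK if self.cloud[h] == "malware" else ALLOW, "cloud")
        # 2. Unknown file signed by a trusted signer: permitted to run.
        if signer in self.trusted:
            return (ALLOW, "trusted-signer")
        # 3. Unknown file: queue it for cloud analysis and use the local verdict.
        self.pending.add(h)
        if not local_available:
            # Neither verdict is available yet: hold execution (the ELF case).
            return (SUSPEND, "pending")
        verdict = local_analysis(data)
        self.provisional[h] = verdict
        return (BLOCK if verdict == "malware" else ALLOW, "local")

    def cloud_verdict_arrived(self, file_hash, verdict):
        """The cloud verdict replaces the provisional local one from now on."""
        self.cloud[file_hash] = verdict
        self.pending.discard(file_hash)
        self.provisional.pop(file_hash, None)


if __name__ == "__main__":
    r = VerdictResolver()
    sample = b"constructed unknown payload"
    print(r.decide(sample))                             # local verdict first
    r.cloud_verdict_arrived(sha256(sample), "malware")
    print(r.decide(sample))                             # cloud verdict overrides
```

The point to take from the model is that a local "benign" verdict is provisional: the same file is re-evaluated on each execution attempt, so a later cloud verdict of "malware" changes the outcome without any policy change on the endpoint.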

Malware Protection for Android
  • WildFire integration—Enables automatic detection of known malware and grayware, and analysis of unknown APK files using WildFire threat intelligence.

  • APK file examination—Analyzes APK files and prevents malicious ones from running.

  • Evaluation of trusted signers—Permits unknown files that are signed by trusted signers to run on the Android device.