The endpoint protection capabilities vary depending on the platform (operating system) that is used on each of your endpoints.
Each security profile provides a tailored list of protection capabilities that you can configure for the platform you select. The following table describes the protection capabilities you can customize in a security profile. The table also indicates which platforms support the protection capability (a dash (—) indicates the capability is not supported).
**Exploit Security Profiles**

Protection Capability | Description | Platforms
---|---|---
Browser Exploits Protection | Browsers can be subject to exploitation attempts from malicious web pages and exploit kits that are embedded in compromised websites. By enabling this capability, the Cortex XDR agent automatically protects browsers from common exploitation attempts. | — — —
Logical Exploits Protection | Attackers can use existing mechanisms in the operating system—such as DLL-loading processes or built-in system processes—to execute malicious code. By enabling this capability, the Cortex XDR agent automatically protects endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes. | — — —
Known Vulnerable Processes Protection | Common applications in the operating system, such as PDF readers, Office applications, and even processes that are part of the operating system itself, can contain bugs and vulnerabilities that an attacker can exploit. By enabling this capability, the Cortex XDR agent protects these processes from attacks that try to exploit known process vulnerabilities. | — —
Exploit Protection for Additional Processes | To extend exploit protection to third-party processes that are not protected by the default policy, you can add additional processes to this capability. | — —
Operating System Exploit Protection | Attackers commonly leverage the operating system itself to accomplish a malicious action. By enabling this capability, the Cortex XDR agent protects operating system mechanisms such as privilege escalation and prevents them from being used for malicious purposes. | — —
Unpatched Vulnerabilities Protection | If you have Windows endpoints in your network that are unpatched and exposed to a known vulnerability, Palo Alto Networks strongly recommends that you upgrade to the latest Windows Update that has a fix for that vulnerability. If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability allows the Cortex XDR agent to apply a workaround to protect the endpoints from the known vulnerability. | — — — —

**Malware Security Profiles**

Protection Capability | Description | Platforms
---|---|---
Behavioral Threat Protection | Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains. | — —
Credential Gathering Protection | Targets attempts to access and harvest passwords and credentials. | — —
Anti Webshell Protection | Prevents web shell attacks by continuously monitoring endpoints for processes that try to drop malicious files. | — —
Financial Malware Threat Protection | Targets attempts to access or steal financial or banking information. | — —
Cryptominers Protection | Prevents cryptomining by monitoring for processes that attempt to locate or steal cryptocurrencies. | — —
In-process Shellcode Protection | Targets attempts to run in-process shellcode that loads malicious code. | — — — —
Ransomware Protection | Targets encryption-based activity associated with ransomware to analyze and halt ransomware before any data loss occurs. | — — —
Prevent Malicious Child Process Execution | Prevents script-based attacks used to deliver malware by blocking known targeted processes from launching child processes commonly used to bypass traditional security approaches. | — — — —
Portable Executables and DLLs Examination | Analyzes and prevents malicious executable and DLL files from running. | — — —
ELF Files Examination | Analyzes and prevents malicious ELF files from running. | — — — —
Local File Threat Examination | Analyzes and quarantines malicious PHP files arriving from the web server. | — — — —
PDF Files Examination | Analyzes and prevents malicious macros embedded in PDF files from running. | — — — —
Office Files Examination | Analyzes and prevents malicious macros embedded in Microsoft Office files from running. | — — —
Mach-O Files Examination | Analyzes and prevents malicious Mach-O files from running. | — — — —
DMG Files Examination | Analyzes and prevents malicious DMG files from running. | — — — —
APK Files Examination | Analyzes and prevents malicious APK files from running. | — — — —
Reverse Shell Protection | Detects suspicious or abnormal network activity from shell processes and terminates the malicious shell process. | — — — —
Network Packet Inspection Engine | Analyzes network packet data to detect malicious behavior. | — — — —
Dynamic Kernel Protection | Protects the endpoint from kernel-level threats such as bootkits, rootkits, and susceptible drivers. | — — — —
SMS and MMS Malicious URL Filtering | | — — — —
Spam Reports | | — — — —
Call and Messages Blocking | | — — — —
Container-escaping Attempts | | — — — —
Network URL Filtering | URL filtering for supervised devices. | — — — —
Cryptocurrency Wallets Protection | Protection for cryptocurrency wallets stored on endpoints. |

**Restrictions Security Profiles**

Protection Capability | Description | Platforms
---|---|---
Execution Paths | Many attack scenarios are based on writing malicious executable files to certain folders, such as the local temp or download folder, and then running them. Use this capability to restrict the locations from which executable files can run. | — — — —
Network Locations | To prevent attack scenarios that are based on writing malicious files to remote folders, you can restrict access to all network locations except those that you explicitly trust. | — — — —
Removable Media | To prevent malicious code from gaining access to endpoints through external media such as a removable drive, you can restrict the executable files that users can launch from external drives attached to the endpoints in your network. | — — — —
Optical Drive | To prevent malicious code from gaining access to endpoints through optical disc drives (CD, DVD, and Blu-ray), you can restrict the executable files that users can launch from optical disc drives connected to the endpoints in your network. | — — — —