Cortex XSIAM prevents malware attacks and provides protection on endpoints based on the different operating systems.
Malicious files, known as malware, are often disguised as or embedded in non-malicious files. These files can attempt to gain control, gather sensitive information, or disrupt the normal operations of the system. Cortex XSIAM prevents malware by employing the Malware Prevention Engine. This approach combines several layers of protection to prevent both known and unknown malware from causing harm to your endpoints. The mitigation techniques that the Malware Prevention Engine employs vary by endpoint type.
The Malware Prevention Engine uses mitigation methods that implements malware protection on endpoints based on the different operating systems.
Malware protection type | Description |
|---|---|
Anti tampering protection | Enables Cortex XSIAM to protect against tampering attempts. |
Anti webshell protection | Enables Cortex XSIAM to protect endpoint processes from dropping malicious web shells. |
ASP and ASPX file protection | Enables Cortex XSIAM to protect endpoint from malicious ASP and ASPX files being written to the file system. |
Credential gathering protection | Enables Cortex XSIAM to protect endpoints from processes trying to access or steal passwords and other credentials. |
Cryptominers protection | Enables Cortex XSIAM to protect against attempts to locate or steal cryptocurrencies. |
Dynamic kernel protection | Enables Cortex XSIAM to protect endpoints from kernel-level threats such as bootkits, rootkits, and susceptible drivers. |
Endpoint scanning | Enables Cortex XSIAM to scan endpoints and attached removable drives for dormant, inactive malware. |
Financial malware threat protection | Enables Cortex XSIAM to protect against techniques specific to financial and banking malware. |
Global behavioral threat protection rules | Enables Cortex XSIAM to use rules to protect endpoints from malicious causality chains. |
IIS protection | Enables Cortex XSIAM to protect against Internet Information Server (IIS) attacks. |
In-process shellcode protection | Enables Cortex XSIAM to protect against in-process shellcode attack threats. |
JScript file examination | Enables Cortex XSIAM to detect and prevent malicious JScript files from being executed or written to disk on Windows-based endpoints. |
LDAP query protection | Enables Cortex XSIAM to analyze and act upon suspicious LDAP queries sent by the agent to a Domain Controller, to detect and block Active Directory reconnaissance attacks. |
Malicious causality chain response | Enables Cortex XSIAM to respond automatically when malicious causality chains are identified. |
Malicious child process protection | Enables Cortex XSIAM to prevent script-based attacks. Such attacks can be used to deliver malware by blocking targeted processes that are commonly used to bypass traditional security methods. |
Malicious device protection | Enables Cortex XSIAM to protect against the connection of potentially malicious devices to endpoints. |
Network packet inspection | Enables Cortex XSIAM to analyze network packet data for malicious behavior. |
Office files with macros examination | Enables Cortex XSIAM to analyze and prevent malicious macros embedded in Microsoft Office files (Word, Excel) from running on Windows endpoints. |
On-demand file examination | Enables Cortex XSIAM to scan endpoints and attached removable drives for dormant, inactive malware. |
On-write file examination | Enables Cortex XSIAM to monitor and take action on malicious files during the on-write process. |
Password theft protection | Enables Cortex XSIAM to prevent attacks that extract passwords from memory using the Mimikatz tool. |
Portable executable and DLL | Enables Cortex XSIAM to analyze and prevent malicious executable files and DLL files from running on Windows endpoints. |
PowerShell script file examination | Enables Cortex XSIAM to analyze and prevent malicious PowerShell script files from running on Windows endpoints. |
Ransomware protection | Enables Cortex XSIAM to protect against encryption-based activity associated with ransomware attacks. |
Security measure bypass protection | Enables Cortex XSIAM to protect endpoints from malicious actors attempting to bypass Windows built-in security controls. |
UAC bypass prevention | Enables Cortex XSIAM to protect against the User Access Control (UAC) bypass mechanism that is associated with privilege elevation attempts. |
UEFI protection | Enables Cortex XSIAM to protect endpoints from Unified Extensible Firmware Interface (UEFI) manipulation attempts. |
VB script file protection | Enables Cortex XSIAM to protect endpoints from malicious VB script files. |
Malware protection type | Description |
|---|---|
Anti tampering protection | Enables Cortex XSIAM to protect against tampering attempts. |
Anti webshell protection | Enables Cortex XSIAM to protect endpoint processes from dropping malicious web shells. |
Credential gathering protection | Enables Cortex XSIAM to protect endpoints from processes trying to access or steal passwords and other credentials. |
Cryptominers protection | Enables Cortex XSIAM to protect against attempts to locate or steal cryptocurrencies. |
DMG file examination | Enables Cortex XSIAM to check DMG files for malware. |
Endpoint scanning | Enables Cortex XSIAM to scan endpoints and attached removable drives for dormant, inactive malware. |
Financial malware threat protection | Enables Cortex XSIAM to protect against techniques specific to financial and banking malware. |
Global behavioral threat protection rules | Enables Cortex XSIAM to use rules to protect endpoints from malicious causality chains. |
Local file threat examination | Enables Cortex XSIAM to detect malicious files on the endpoint. |
Mach-O file examination | Enables Cortex XSIAM to check Mach-O files for malware upon loading, and upon execution. |
Malicious child process protection | Enables Cortex XSIAM to prevent script-based attacks. Such attacks can be used to deliver malware by blocking targeted processes that are commonly used to bypass traditional security methods. |
Malicious device protection | Enables Cortex XSIAM to identify and block potentially malicious Human Interface Devices (HIDs), to prevent attacks that exploit device trust. |
Network Packet Inspection Engine | Enables to detect abnormal network traffic patterns and prevent malicious activity. |
Ransomware protection | Enables Cortex XSIAM to protect against encryption-based activity associated with ransomware attacks. |
Malware protection type | Description |
|---|---|
Anti webshell protection | Enables Cortex XSIAM to protect endpoint processes from dropping malicious web shells. |
Container escaping protection | Enables Cortex XSIAM to protect against container-escaping attempts. |
Credential gathering protection | Enables Cortex XSIAM to protect endpoints from processes trying to access or steal passwords and other credentials. |
Cryptominers protection | Enables Cortex XSIAM to protect against attempts to locate or steal cryptocurrencies. |
ELF file examination |
|
Endpoint scanning | Enables Cortex XSIAM to scan endpoints and attached removable drives for dormant, inactive malware. |
Financial malware threat protection | Enables Cortex XSIAM to protect against techniques specific to financial and banking malware. |
Global threat behavioral threat protection rules | Enables Cortex XSIAM to use rules to protect endpoints from malicious causality chains. |
Local file threat examination | Enables Cortex XSIAM to detect malicious files on the endpoint. |
Malicious child process protection | Enables Cortex XSIAM to prevent process creation based on examination of suspicious relations between parent and child processes. |
Reverse shell protection | Enables Cortex XSIAM to prevent attempts to redirect standard input and output streams to network sockets. |
Malware protection type | Description |
|---|---|
Call and messages blocking | Enables Cortex XSIAM to act on incoming calls and messages from known spam numbers. |
Network and EDR security module | This module lets you configure granular control and monitoring of network traffic on iOS-based supervised devices. The devices' profiles must be also configured for this on the MDM side as explained in the Cortex XDR Agent iOS Guide. |
Safari browser security module | This security module can provide proactive gating of suspicious sites accessed using Safari, and provides informative site analysis to the device user. This option is recommended for iOS devices that do not belong to your organization and do not use the Network Shield feature. |
Spam reports | Enables Cortex XSIAM to report calls and messages as spam. |
URL filtering | Enables Cortex XSIAM to analyze and block or report malicious URLs, and to block or allow custom URLs. |
Malware protection type | Description |
|---|---|
APK files examination | Enables Cortex XSIAM to analyze and prevent malicious APK files from running on endpoints. NoteFrom Cortex XDR agent for Android version 9.0 and later, part of this module, which performs local analysis on the Android device itself, is deprecated. APK analysis will be handled only by Wildfire. |