From the management console, you can configure what action Cortex XDR agents take when known malware and unknown files try to run.
Malware security profiles allow you to configure the action Cortex XDR agents take when known malware and unknown files try to run on Windows, macOS, Linux, and Android endpoints.
By default, the Cortex XDR agent will receive the default profile that contains a pre-defined configuration for each malware protection capability supported by the platform. To fine-tune your Malware security policy, you can override the configuration of each capability to block the malicious behavior or file, allow but report it, or disable the module. For each setting, you override, clear the option to Use Default.
To configure a Malware security profile:
Add a new profile.
Select the platform to which the profile applies and Malware as the profile type.
Identify the profile.
Select a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
To provide additional context for the purpose or business reason for creating the profile, specify a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure the Cortex XDR agent to examine executable files, macros, or DLL files on Windows endpoints, Mach-O files or DMG files on macOS-based endpoints, ELF files on Linux endpoints, or APK files on Android endpoints.
Configure the Action Mode—the behavior of the Cortex XDR agent—when malware is detected:
Block—Block attempts to run malware.
Report—Report but do not block malware that attempts to run.
Disabled—Disable the module and do not examine files for malware.
Configure additional actions to examine files for malware.
By default, Cortex XSIAM uses the settings specified in the default malware security profile and displays the default configuration in parenthesis. When you select a setting other than the default, you override the default configuration for the profile.
(Windows, macOS starting with Cortex XDR agent 7.4, Linux starting with Cortex XDR agent 7.5) Quarantine Malicious Executables / Mach-O / ELF files / DMG files—By default, the Cortex XDR agent blocks malware from running but does not quarantine the file. Enable this option to quarantine files depending on the verdict issuer (local analysis, WildFire, or both local analysis and WildFire).
The quarantine feature is not available for malware identified in network drives.
Upload unknown files to WildFire—Enable the Cortex XDR agent to send unknown files to Cortex XSIAM, and for Cortex XSIAM to send the files to WildFire for analysis. With macro analysis, the Cortex XDR agent sends the Microsoft Office file containing the macro. The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100MB in size.
Treat Grayware as Malware—Treat all grayware with the same Action Mode you configure for malware. Otherwise, if this option is disabled, grayware is considered benign and is not blocked.
Action when file is Unknown to WildFire—Select the behavior of the Cortex XDR agent when an unknown file tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware and issues a local verdict for the file. If you block unknown files but do not run local analysis, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
(Windows and macOS only) Action when file is benign with Low Confidence—Select the behavior of the Cortex XDR agent when a file with Benign Low Confidence verdict from WildFire tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware and issues a local verdict for the file. If you block this file but do not run a local analysis, it remains blocked until the Cortex XDR agent receives a high-confidence WildFire verdict. To enable this capability, ensure that WildFire analysis scoring is enabled in your Global Agent Settings.
Warning
For optimal user experience, we recommend that you set the action mode to either Allow or Run Local Analysis.
Action on the Benign LC verdict is supported by agent version 7.5 and above. For agent version 7.4.X, the action on the Benign LC verdict is the same as the action for files with Unknown verdict.
(Windows only) Examine Office Files From Network Drives—Enable the Cortex XDR agent to examine Microsoft Office files in network drives when they contain a macro that attempts to run. If this option is disabled, the Cortex XDR agent will not examine macros in network drives.
Note
(Windows only) As part of the anti-malware security flow, the Cortex XDR agent leverages the OS capability to identify revoked certificates for executables and DLL files that attempt to run on the endpoint by accessing the Windows Certificate Revocation List (CRL). To allow the Cortex XDR agent access the CRL, you must enable internet access over port 80 for Windows endpoints running Traps 6.0.3 and later releases, Traps 6.1.1 and later releases, or Cortex XDR 7.0 and later releases. If the endpoint is not connected to the internet, or you experience delays with executables and DLLs running on the endpoint, please contact Customer Support.
(Optional) Add files and folders to your allow list to exclude them from the examination.
+Add a file or folder.
Specify the path and press Enter or click the check mark when done. You can also use a wildcard to match files and folders containing a partial name. Use
?
to match a single character or*
to match any string of characters. To match a folder, you must terminate the path with * to match all files in the folder (for example,c:\temp\*
).Repeat to add additional files or folders.
(Optional) Add signers to your allow list to exclude them from the examination.
When a file that is signed by a signer you included in your allow list attempts to run,
+Add a trusted signer.
Enter the name of the trusted signer (Windows) or the SHA1 hash of the certificate that signs the file (macOS) and press Enter or click the check mark when done. You can also use a wildcard to match a partial name for the signer. Use
?
to match any single character or*
to match any string of characters.Repeat to add additional folders.
Note
Cortex XDR agent evaluates the signer name using the CN (Common Name) value in the digital signature, while the Cortex XSIAMconsole can display in the Alerts table both the O (Organization) value and the CN (Common Name).
(Windows) Configure the On-write File Protection.
Cortex XSIAM monitors and takes action on malicious files during the on-write process.
Define the Action Mode to take when Cortex XSIAM detects malicious files during the on-write process.
Enabled—Alerts and quarantines malicious files during the on-write process.
Disabled—Disable the protection module and do not alert and quarantine malicious files during the on-write process.
(Windows, macOS, and Linux) Configure the Global Behavioral Threat Protection Rules.
Note
Behavioral threat protection requires Traps agent 6.0 or a later release for Windows endpoints and Traps 6.1 or later versions for macOS and Linux endpoints.
With Behavioral threat protection, the agent continuously monitors endpoint activity to identify and analyze chains of events—known as causality chains. This enables the agent to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually. A causality chain can include any sequence of network, process, file, and registry activities on the endpoint. Behavioral threat protection can also identify behavior related to vulnerable drivers on Windows endpoints. For more information on data collection for Behavioral Threat Protection, see Endpoint Data Collection.
Palo Alto Networks researchers define the causality chains that are malicious and distribute those chains as behavioral threat rules. When the Cortex XDR agent detects a match to a behavioral threat protection rule, the Cortex XDR agent carries out the configured action (default is Block). In addition, the Cortex XDR agent reports the behavior of the entire event chain up to the process, known as the causality group owner (CGO), that the Cortex XDR agent identified as triggering the event sequence.
To configure the Global Behavioral Threat Protection Rules:
Define the Action mode to take when the Cortex XDR agent detects malicious causality chains:
Block (default)—Block all processes and threads in the event chain up to the CGO.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
Define whether to quarantine the CGO when the Cortex XDR agent detects a malicious event chain.
Enabled—Quarantine the processes and the artifacts, such as files, related to the CGO.
Disabled (default)—Do not quarantine the CGO of an event chain nor any scripts or files called by the CGO.
(Windows only, requires a Cortex XDR agent 7.2 or later) Define the Action Mode for Vulnerable Drivers Protection.
Behavioral threat protection rules can also detect attempts to load vulnerable drivers. As with other rules, Palo Alto Networks threat researchers can deliver changes to vulnerable driver rules with content updates.
Block (default)—Block all attempts to run vulnerable drivers.
Report—Allow vulnerable drivers to run but report the activity.
Disabled—Disable the module and do not analyze or report the activity.
Define the Advanced API Monitoring .
Enabled—Adds additional hooks in user mode processes for increased coverage of anti-exploit and anti-malware modules.
Disabled (default)—Disables the capability of Advanced API Monitoring.
(Optional) Add to your allow list the files that you do not want the Cortex XDR agent to terminate when a malicious causality chain is detected. The allow list does not apply to vulnerable drivers.
+Add a file path.
Enter the file path you want to exclude from the evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.Click the checkmark to confirm the file path.
Repeat the process to add any additional file paths to your allow list.
(Windows, macOS, and Linux) Configure Credential Gathering Protection.
In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal passwords and other sensitive credentials, the Cortex XDR agent carries out the configured action (default is Block).
To configure Credential Gathering Protection:
Define the Action mode to take when the Cortex XDR agent detects a credential gathering process:
Block (default)—Block all processes and threads in the event chain up to the credential gathering process or file.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows only) Define whether to quarantine the process or file when the Cortex XDR agent detects a credential gathering attempt.
Enabled—Quarantine the process or file related to the credential gathering event chain.
Disabled (default)—Do not quarantine the process or file of an event chain nor any scripts or files called by the process or file.
(Optional) Add files to your allow list that you do not want the Cortex XDR agent to terminate.
+Add the file or folder paths to exclude from evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.
(Windows, macOS, and Linux) Configure Anti Webshell Protection.
In a causality chain, when the Cortex XDR agent detects a process that attempts to drop malicious web shells, the Cortex XDR agent carries out the configured action (default is Block).
To configure Anti Webshell Protection:
Define the Action mode to take when the Cortex XDR agent detects a process attempting to drop a web shell:
Block (default)—Block all processes and threads in the event chain up to the web shell dropping process or file.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows only) For a Block or Report action, define whether to quarantine the process or file when the Cortex XDR agent detects a web shell dropping process.
Enabled—Quarantine the dropped or executed web shell.
Disabled (default)—Do not quarantine the processes or files that are related to the web shell drop event chain or any scripts or files called by the web shell dropping process.
(Optional) Add files that you do not want the Cortex XDR agent to terminate to your allow list.
Add+Add the file or folder paths to exclude from evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.
(Windows, macOS, and Linux) Configure Financial Malware Threat Protection.
In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal financial or banking information, the Cortex XDR agent carries out the configured action (default is Block).
To configure Financial Malware Threat Protection:
Define the Action mode to take when the Cortex XDR agent detects a financial information gathering process.
Block (default)—Block all processes and threads in the event chain up to the credential gathering process or file.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows, macOS, and Linux) Define whether to quarantine the process or file when the Cortex XDR agent detects a financial information gathering attempt.
Enabled—Quarantine the processes or files related to the financial information gathering event chain.
Disabled (default)—Do not quarantine the processes or files that are related to the financial information gathering event chain or any scripts or files called by the financial information gathering process.
(Win and macOS) Define Crypto Wallet Protection. Cryptocurrency wallets store private keys that are used to access crypto assets.
Enabled—Provide protection for cryptocurrency wallets that are stored on endpoints.
Disabled—Disable the module.
(Optional) Add files that you do not want the Cortex XDR agent to terminate to your allow list.
+Add the file or folder paths to exclude from evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.
(Windows, macOS, and Linux) Configure Cryptominers Protection
In a causality chain, when the Cortex XDR agent detects a process that attempts to locate or steal cryptocurrencies, the Cortex XDR agent carries out the configured action (default is Block).
To configure Cryptominers Protection:
Define the Action mode to take when the Cortex XDR agent detects a cryptomining threat.
Block(default)—Block all processes and threads in the event chain up to the cryptomining process or file.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows, macOS, and Linux) Define whether to quarantine the process or file when the Cortex XDR agent detects a cryptocurrency gathering attempt.
Enabled—Quarantine the processes or files related to the cryptomining event chain.
Disabled (default)—Do not quarantine the processes or files that are related to the cryptomining event chain or any scripts or files called by the cryptomining process.
(Optional) Add files that you do not want the Cortex XDR agent to terminate to your allow list.
+Add the file or folder paths to exclude from evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.
(Linux only) Configure Container Escaping Protection to protect against container-escaping attempts.
Define the Action Mode to take when the Cortex XDR agent detects container-escaping attempts.
Block (default)—Block the activity.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
Choose whether you want the Cortex XDR agent to Quarantine Malicious Files or not, when container-escaping attempts are detected.
(Windows) Configure In-process Shellcode Protection.
In a causality chain, when the Cortex XDR agent detects a process that attempts to run in-process shellcodes to load malicious code, the Cortex XDR agent carries out the configured action (default is Block).
To configure In-process Shellcode Protection:
Define the Action mode to take when the Cortex XDR agent detects an in-process shellcode attack threat.
Block (default)—Block all processes and threads in the event chain up to the in-process shellcode process or file.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows) Define whether to quarantine the process or file when the Cortex XDR agent detects an in-process shellcode.
Enabled—Quarantine the in-process shellcode processes or files related to the chain.
Disabled (default)—Do not quarantine the processes or files that are related to the event chain or any scripts or files called by the in-process shellcode.
Define whether to quarantine the 32 bit in-process shellcode processes detected by the Cortex XDR agent.
Process injection 32 bit is set to Enabled by default for all new tenants created after 25 June 2023. For tenants created before this date, the default was set to Disabled.
Enabled—Quarantine the 32 bit in-process shellcode processes or files related to the chain.
Disabled—Do not quarantine the 32 bit processes that are related to the event chain or any scripts or files called by the in-process shellcode.
(Windows only) Define whether to provide Shellcode AI Protection. Precision AI-based detection rules use machine learning to detect and prevent in-memory shellcode attacks.
Enabled—Use detection rules to detect and prevent in-memory shellcode attacks.
Disabled—Disable the module.
(Optional) Add files that you do not want the Cortex XDR agent to terminate to your allow list.
+Add the file or folder paths to exclude from evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.
(Windows) Configure UAC Bypass Prevention.
When Cortex XSIAM detects a User Access Control (UAC) Bypass mechanism that's associated with privilege elevation attempts, the Cortex XDR agent carries out the configured action (default is Block).
To configure UAC Bypass Prevention:
Define the Action mode to take when the Cortex XDR agent detects a UAC Bypass mechanism.
Block (default)—Block all processes and threads in the event chain up to the UAC Bypass mechanism.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows) Define whether to quarantine the process or file when the Cortex XDR agent detects a UAC Bypass mechanism.
Enabled—Quarantine the UAC bypass processes or files related to the chain.
Disabled (default)—Do not quarantine the processes or files that are related to event chain or any scripts or files called by the UAC bypass mechanism.
(Windows) Configure Malicious Safe Mode Rebooting Protection—Define the action to take when Cortex XDR agent detects safe mode reboot attempts made suspiciously by other apps. This feature is supported with Cortex XDR agent 8.1.0 and later.
Report (default)— Allow the activity but report it to Cortex XSIAM.
Block—Block all processes and threads in the event chain leading up to the safe mode reboot.
Disabled—Disable this feature and do not block or report the activity.
(Optional) Add files that you do not want the Cortex XDR agent to terminate to your allow list.
+Add the file or folder paths to exclude from evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.
(Windows and macOS) Configure Anti Tampering Protection.
When Cortex XSIAM detects a tampering attempt, including modification or the termination of a Cortex XDR agent, the Cortex XDR agent carries out the configured action (default is Block).
To configure Anti Tampering Protection:
Define the Action mode to take when the Cortex XDR agent detects an agent tampering attempt.
Block (default)—Block all processes and threads in the event chain up to the tampering process.
Note
If you choose the Block option, you must also enable XDR Agent Tampering Protection in the Agent Settings profile, and ensure that both profiles are assigned to the same endpoints.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows and macOS) Define whether to quarantine the process or file when the Cortex XDR agent detects a tampering attempt.
Enabled—Quarantine the processes or files that are related to the tampering attempt.
Disabled (default)—Do not quarantine the processes or files that are related to the event chain or any scripts or files called by the tampering process or file.
(Windows) Configure Malicious Safe Mode Rebooting Protection—Define the action to take when Cortex XDR agent detects safe mode reboot attempts made suspiciously by other apps.
Report (default)— Allow the activity but report it to Cortex XSIAM.
Block—Block all processes and threads in the event chain leading up to the safe mode reboot.
Disabled—Disable this feature and do not block or report the activity.
(Optional) Add files that you do not want the Cortex XDR agent to terminate to your allow list.
+Add the file or folder paths to exclude from evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.
(Windows) Configure IIS Protection.
When Cortex XSIAM detects a threat that targets the Internet Information Server (IIS), the Cortex XDR agent carries out the configured action (default is Block).
To configure IIS Protection:
Define the Action mode to take when the Cortex XDR agent detects an IIS threat.
Block (default)—Block all processes and threads in the event chain up to the IIS threat.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows) Define whether to quarantine the process or file when the Cortex XDR agent detects an IIS attack.
Enabled—Quarantine the processes or files that are related to the IIS attack.
Disabled (default)—Do not quarantine the processes or files that are related to the event chain or any scripts or files called by the IIS threat process or file.
(Windows) Configure UEFI Protection.
When Cortex XSIAM detects Unified Extensible Firmware Interface (UEFI) manipulation attempts, the Cortex XDR agent carries out the configured action (default is Block).
Define the Action mode to take when the Cortex XDR agent detects a UEFI threat.
Block (default)—Block all processes and threads in the event chain up to the UEFI threat.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows) Define whether to quarantine the process or file when the Cortex XDR agent detects a UEFI manipulation attempt.
Enabled—Quarantine the processes or files that are related to the UEFI threat.
Disabled (default)—Do not quarantine the processes or files that are related to the event chain or any scripts or files called by the UEFI threat process or file.
(Optional) Add files that you do not want the Cortex XDR agent to terminate to your allow list.
+Add the file or folder paths to exclude from evaluation. Use
?
to match a single character or*
to match any string of characters. Adding a process to the allow list doesn’t prevent the generation of a security event.
(Windows) Respond to Malicious Causality Chains.
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint. When Cortex XSIAMblocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate.
Note
This module is supported with Cortex XDR agent 7.3.0 and later.
Select the Action Mode to take when the Cortex XDR agent detects remote malicious causality chains:
Enabled (default)—Terminate connection and block IP address of the remote connection.
Disabled—Do not block remote IP addresses.
To allow specific and known safe IP address or IP address ranges that you do not want Cortex XSIAMto block, add these IP addresses to your allow list.
+Add and then specify the IP address.
(Windows and macOS) Configure Ransomware Protection.
Define the Action mode to take when the Cortex XDR agent detects ransomware activity locally on the endpoint or in pre-defined network folders:
Block (default)—Block the activity.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(macOS only) Choose whether you want the Cortex XDR agent to Quarantine Malicious Files or not, when ransomware is detected.
(Windows only) Choose whether you want the Cortex XDR agent to Quarantine Malicious Process when ransomware is detected.
The quarantine option is only available if the Action mode is Block.
(Windows only) Configure the ransomware module Protection mode.
By default, the protection mode is set to Normal where the decoy files on the endpoint are present, but do not interfere with benign applications and end user activity on the endpoint. If you suspect your network has been infected with ransomware and need to provide better coverage, you can apply the Aggressive protection mode. The aggressive mode exposes more applications in your environment to the Cortex XDR agent decoy files, while also increasing the likelihood that benign software is exposed to decoy files, raising false ransomware alerts, and impairing user experience.
(Windows only) Configure the Cortex XDR agent to Prevent Malicious Child Process Execution.
Select the Action Mode to take when the Cortex XDR agent detects malicious child process execution:
Block—Block the activity.
Report—Allow the activity but report it to Cortex XSIAM.
To allow specific processes to launch child processes for legitimate purposes, add the child process to your allow list with optional execution criteria.
+Add and then specify the allow list criteria including the Parent Process Name, Child Process Name, and Command Line Params. Use
?
to match a single character or*
to match any string of characters.Note
If you are adding child process evaluation criteria based on a specific security event, the event indicates both the source process and the command line parameters in one line. Copy only the command line parameter for use in the profile.
Enable endpoint file scanning.
Periodic scanning enables you to scan endpoints on a reoccurring basis without waiting for malware to run on the endpoint. Periodic scanning is persistent, and if the scan is scheduled to start while the endpoint is powered-off, then scan will be initiated when the endpoint is powered-on again. The scheduling of future scans is not affected by this delay. To better understand how the agent scans the endpoint, refer to Scan an Endpoint for Malware.
Note
When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning scheduling time.
Note
We recommend that you disable scheduled scanning. VDI machine scans are based on the golden image and additional files will be examined upon execution.
Configure the Action Mode for the Cortex XDR agent to periodically scan the endpoint for malware: Enabled to scan at the configured intervals, Disabled (default) if you don’t want the Cortex XDR agent to scan the endpoint.
To configure the scan schedule, set the frequency (Run Weekly or Run Monthly) and day and time at which the scan will run on the endpoint.
Just as with an on-demand scan, a scheduled scan will resume after a reboot, process interruption, or operating system crash.
(Windows only) To include removable media drives in the scheduled scan, enable the Cortex XDR agent to Scan Removable Media Drives.
Add folders to your allow list to exclude them from examination.
Add (+) a folder.
Enter the folder path. Use
?
to match a single character or*
to match any string of characters in the folder path (for example,C:\*\temp
).Press Enter or click the check mark when done.
Repeat to add additional folders.
(Windows Vista and later Windows releases) Enable Password Theft Protection.
Select Enabled to enable the Cortex XDR agent to prevent attacks that use the Mimikatz tool to extract passwords from memory. When set to Enabled, the Cortex XDR agent silently prevents attempts to steal credentials (no notifications are provided when these events occur). The Cortex XDR agent enables this protection module following the next endpoint reboot. If you don’t want to enable the module, select Disabled.
Note
This module is supported with Traps agent 5.0.4 and later.
(Windows only) Configure the Network Packet Inspection Engine.
By analyzing the network packet data, the Cortex XDR agent can detect malicious behavior already at the network level and provide protection to the growing corporate network boundaries. The engine leverages both Palo Alto Networks NGFW content rules, and new Cortex XSIAMcontent rules created by the Research Team which are updated through the security content.
Note
This module is supported with Cortex XDR agent 7.5.0 and later.
Define the Action mode to take when the Cortex XDR agent detects malicious behavior:
Terminate Session (default)—Drop the malicious connections. In case of an outgoing connection, also terminate all associated processes.
Report—Allow the packets in your network but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Windows) Configure Dynamic Kernel Protection to protect the endpoint from kernel-level threats such as bootkits, rootkits, and susceptible drivers. Select the Action Mode to take for this protection module:
Block—The protection module loads during the boot process to protect the endpoint against malicious processes running at boot time.
Report—The protection module loads during the boot process and reports possible threats to Cortex XSIAM, without blocking them.
Disabled—Disable the module and do not analyze or report the activity.
(Linux and macOS) Enable Local File Threat Examination.
The Local Threat-Evaluation Engine (LTEE) enables the Cortex XDR agent to detect malicious files on the endpoint.
Note
This module is supported with Cortex XDR agent 8.1.0 and later release.
Select the Action Mode to take when the Cortex XDR agent detects the malicious behavior.
Enable—Enable the Cortex XDR agent to analyze the endpoint for PHP files arriving from the web server and alert of any malicious PHP scripts.
Disable—Disable the module and do not analyze or report the activity.
(macOS only) Terminate Malicious Processes.
When Enabled, the Cortex XDR agents terminate malicious PHP files on the endpoint.
Quarantine malicious files.
When Enabled, the Cortex XDR agents quarantine malicious files on the endpoint and does not quarantine updated files.
(Optional) Add files and folders to your allow list to exclude them from the examination.
+Add a file or folder.
Enter the path and press Enter or click the check mark when done. You can also use
*
to match files and folders containing a partial name. To match a folder, you must terminate the path with * to match all files in the folder (for example,/usr/bin/*
).Repeat to add additional files or folders.
(Linux only) Configure Reverse Shell Protection.
The Reverse Shell Protection module enables the Cortex XDR agent to detect and optionally block attempts to redirect standard input and output streams to network sockets.
Define the Action Mode to take when the Cortex XDR agent detects the malicious behavior.
Block—Block the activity.
Report—Allow the activity but report it to Cortex XSIAM.
Disabled—Disable the module and do not analyze or report the activity.
(Optional) Add processes to your allow list that must redirect streams to network sockets.
+Add a connection.
Enter the path of the process, and the local and remote IP address and ports.
Use a wildcard to match a partial path name. Use a
*
to match any string of characters (for example,*/bash
). You can also use a*
to match any IP address or any port.Press Enter or click the check mark when done.
Repeat to add additional folders.
(iOS only) Configure malware protection for iOS-based devices:
Configure URL filtering to analyze and block or report malicious URLs, and to block or allow custom URLs.
Configure Spam Reports to report calls and messages as spam to Cortex XSIAM analysts.
Configure Call and Messages Blocking from known spam numbers. You can add allowed numbers to the Allow List, and known spam numbers to the Block List.
Note
Ensure that the same numbers are not added multiple times with different leading zeros.
Configure Safari Browser Security Module. This security module can provide proactive gating of suspicious sites accessed using Safari, and provides informative site analysis to the device user. This option is recommended for iOS devices that do not belong to your organization and are not "supervised devices".
Note
To fully enable the security module on the device side, each iOS device user must enable the Safari Safeguard module on the device, and grant it permission to work on all websites. If the iOS device user does not do this, Cortex XSIAM shows the endpoint's operation status as Partially Protected.
The Safari browser security module will only function when the URL filtering module (see earlier in this procedure) is set to Block.
Item
Options
More details
Enforce use of Safari Security Module
Enabled
Disabled
When set to Enabled, the Safari Safeguard security module displays "Required" on the Modules screen of the app. Full protection for Safari will only be active after the iOS device user has also activated it on the device. When this module is also activated on the device, alerts are forwarded to the tenant.
When set to Disabled, and users decide to enable the module on their devices, alerts are visible locally on the iOS device only, and are not forwarded to the tenant.
Safari malicious JS blocking
Enabled
Disabled
When set to Enabled, the Cortex XDR agent blocks the entire page in Safari where malicious JS files are detected.
Configure Network and EDR Security Module. This module lets you configure granular control and monitoring of network traffic on iOS-based supervised devices. The devices' profiles must be also configured on the MDM side as explained in the Cortex XDR Agent iOS Guide.
Note
Cortex XDR agent version 8.4 or higher are required for this feature.
Item
Options
More details
Auto detected malicious URL filtering
Enabled
Disabled
When set to Enabled, the Cortex XDR agent automatically filters known malicious URLs.
URL filtering
Enabled
Disabled
When set to Enabled, the Cortex XDR agent filters URLs according to the lists of allowed and blocked URLs configured in the URL Filtering section above.
Predefined Blocked Apps
List of apps
A list of commonly known apps that your organization may be interested in blocking on supervised devices is provided here. The Cortex XDR agent will block use of the selected apps. You can select one or more apps.
Blocked Bundle IDs
A Bundle ID is an app's unique identifier, in string format, that is used to identify the app in an app store. Communication will be blocked for any process with exactly the Bundle ID defined here, or for a Bundle ID that has the defined string as a suffix.
For example, the Calculator app's Bundle ID is: com.apple.calculator. When you add com.apple.calculator to the list, the Cortex XDR agent app will block all of these Bundle IDs:
com.apple.calculator
H3DT34.com.apple.calculator
widget.com.apple.calculator
To block apps according to Bundle ID, enter a Bundle ID and press Enter. To add another Bundle ID to the list, click +Add and repeat this process.
Block List of Remote IPV4/IPV6 IP Address
The Cortex XDR agent will block the IP addresses that you add to this field. Both IPV4 and IPv6 addresses are supported.
To block apps according to IP address, enter an IP address with a subnet mask, a range, or an individual IP address, and press Enter. To add another IP address to the list, click +Add and repeat this process.
Digest alerts
Enabled
Disabled
Digest alerts are alerts that contain a summary of blocked network activity over a prolonged time period.
When set to Enabled, the Cortex XDR agent sends digest alerts to Cortex XSIAM.
Digest alerts max frequency
1 to 7 days
When Digest alerts is enabled, you can limit the digest alert to no more than one per <selected number of days>.
Max alerts per app
Hours
Minutes
Limit alert notifications by the Cortex XDR agent to one alert for each app per <selected period of time>.
Max user notifications
Hours
Limit alert notifications by the Cortex XDR agent app to one user notification per <selected number of hours>.
Create or Save the changes to your profile.
Apply Security Profiles to Endpoints.
You can do this in two ways: You can Create a new policy rule using this profile from the right-click menu or you can launch the new policy wizard from Policy Rules.