Endpoint Protection Modules
Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-05-06
Last date published: 2024-09-09
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XSIAM/Cortex-XSIAM-Documentation

Abstract

Security modules are activated for your endpoints depending on the chosen security profile and the operating system on the endpoint.

Each security profile applies multiple security modules to protect your endpoints from a wide range of attack techniques. While the settings for each security module are not configurable, the Cortex XDR agent activates a specific protection module depending on the type of attack, the configuration of your security policy, and the operating system of the endpoint.

When a security event occurs, the Cortex XDR agent logs details about the event including the security module employed by the Cortex XDR agent to detect and prevent the attack based on the technique. To help you understand the nature of the attack, the alert identifies the protection module the Cortex XDR agent employed.

The following table lists the modules and the platforms (Windows, Mac, Linux, Android) on which they are supported. In the original table a check mark marks a supported platform and a dash (—) marks an unsupported one; in this text copy only the number of check marks per module survived, so each entry below gives that count, plus the platform where the module's own description names it.

Anti-Ransomware
Targets encryption-based activity associated with ransomware and can analyze and halt ransomware activity before any data loss occurs.
Supported platforms: 2 of 4

APC Protection
Prevents attacks that change the execution order of a process by redirecting an asynchronous procedure call (APC) to point to malicious shellcode.
Supported platforms: 1 of 4

Behavioral Threat
Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains.
Supported platforms: 3 of 4

Brute Force Protection
Prevents attackers from hijacking the process control flow by monitoring memory layout enumeration attempts.
Supported platforms: 1 of 4

Child Process Protection
Prevents script-based attacks that are used to deliver malware, such as ransomware, by blocking known targeted processes from launching child processes that are commonly used to bypass traditional security approaches.
Supported platforms: 1 of 4

Container Escaping Protection
Prevents container-escaping attempts.
Supported platforms: 1 of 4

CPL Protection
Protects against vulnerabilities related to the display routine for Windows Control Panel Library (CPL) shortcut images, which can be used as a malware infection vector.
Supported platforms: Windows (1 of 4)

Data Execution Prevention (DEP)
Prevents areas of memory defined to contain only data from running executable code.
Supported platforms: 1 of 4

DLL Hijacking
Prevents DLL-hijacking attacks, in which the attacker attempts to load dynamic-link libraries on Windows operating systems from unsecured locations to gain control of a process.
Supported platforms: Windows (1 of 4)

DLL Security
Prevents access to crucial DLL metadata from untrusted code locations.
Supported platforms: 1 of 4

Dylib Hijacking
Prevents Dylib-hijacking attacks, in which the attacker attempts to load dynamic libraries on Mac operating systems from unsecured locations to gain control of a process.
Supported platforms: Mac (1 of 4)

Exploit Kit Fingerprint
Protects against the fingerprinting technique used by browser exploit kits to identify information, such as the OS or the applications that run on an endpoint, that attackers can leverage when launching an attack to evade protection capabilities.
Supported platforms: 1 of 4

Font Protection
Prevents improper font handling, a common target of exploits.
Supported platforms: 1 of 4

Gatekeeper Enhancement
Enhances the macOS Gatekeeper functionality that allows apps to run based on their digital signature. This module provides an additional layer of protection by extending Gatekeeper functionality to bundles and child processes so you can enforce the signature level of your choice.
Supported platforms: Mac (1 of 4)

Hash Exception
Halts execution of files that an administrator identified as malware, regardless of the WildFire verdict.
Supported platforms: Windows, Mac, Linux, Android (all 4)

Hot Patch Protection
Prevents the use of system functions to bypass DEP and address space layout randomization (ASLR).
Supported platforms: 1 of 4

Java Deserialization
Blocks attempts to execute malicious code during deserialization of Java objects on Java-based servers.
Supported platforms: 1 of 4

JIT
Prevents an attacker from bypassing the operating system's memory mitigations using just-in-time (JIT) compilation engines.
Supported platforms: 2 of 4

Kernel Integrity Monitor (KIM)
Prevents rootkit and vulnerability exploitation on Linux endpoints. On the first detection of suspicious rootkit behavior, the behavioral threat protection (BTP) module generates a Cortex XDR Agent alert. Cortex XSIAM stitches logs about the process that loaded the kernel module with other logs relating to the kernel module to aid in the alert investigation. When the Cortex XDR agent detects subsequent rootkit behavior, it blocks the activity.
Supported platforms: Linux (1 of 4)

Local Analysis
Examines hundreds of characteristics of an unknown executable file, DLL, or macro to determine whether it is likely to be malware. The local analysis module uses a static set of pattern-matching rules that inspect multiple file features and attributes, and a statistical model that was developed using machine learning on WildFire threat intelligence.
Supported platforms: 3 of 4

Local Threat Evaluation Engine (LTEE)
Protects against malicious PHP files arriving from the web server.
Supported platforms: 1 of 4

Local Privilege Escalation Protection
Prevents attackers from performing malicious activities that require privileges higher than those assigned to the attacked or malicious process.
Supported platforms: 3 of 4

Master Boot Record (MBR) Model
Protects against malicious Master Boot Record (MBR) manipulations.
Supported platforms: 1 of 4

Network Packet Inspection Engine
Analyzes network packet data to detect malicious behavior at the network level. The engine leverages both Palo Alto Networks NGFW content rules and Cortex XDR content rules created by the Research Team, which are updated through security content updates.
Supported platforms: 1 of 4

Null Dereference
Prevents malicious code from mapping to address zero in the memory space, making null dereference vulnerabilities unexploitable.
Supported platforms: 1 of 4

Restricted Execution - Local Path
Prevents unauthorized execution from a local path.
Supported platforms: 1 of 4

Restricted Execution - Network Location
Prevents unauthorized execution from a network path.
Supported platforms: 1 of 4

Restricted Execution - Removable Media
Prevents unauthorized execution from removable media.
Supported platforms: 1 of 4

Reverse Shell Protection
Blocks malicious activity in which an attacker redirects standard input and output streams to network sockets.
Supported platforms: 1 of 4

ROP
Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP chains.
Supported platforms: 3 of 4

SEH
Prevents hijacking of the structured exception handler (SEH), a commonly exploited control structure in which multiple SEH blocks form a linked-list chain of function records.
Supported platforms: 1 of 4

Shellcode Protection
Reserves and protects certain areas of memory commonly used to house payloads placed by heap spray techniques.
Supported platforms: 1 of 4

ShellLink
Prevents shell-link logical vulnerabilities.
Supported platforms: 1 of 4

SO Hijacking Protection
Prevents dynamic loading of libraries from unsecured locations to gain control of a process.
Supported platforms: 1 of 4

SysExit
Prevents the use of system calls to bypass other protection capabilities.
Supported platforms: 1 of 4

UASLR
Improves, or where absent implements, ASLR (address space layout randomization) with greater entropy, robustness, and strict enforcement.
Supported platforms: 1 of 4

Vulnerable Drivers Protection
Detects attempts to load vulnerable drivers.
Supported platforms: 1 of 4

WildFire
Leverages WildFire threat intelligence to determine whether a file is malware. In the case of unknown files, Cortex XDR can forward samples to WildFire for in-depth analysis.
Supported platforms: Windows, Mac, Linux, Android (all 4)

WildFire Post-Detection (Malware and Grayware)
Identifies a file that was previously allowed to run on an endpoint and is now determined to be malware. Post-detection events provide notifications for each endpoint on which the file is executed.
Supported platforms: Windows, Mac, Linux, Android (all 4)
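As an added example, not part of this guide and not the Cortex XDR agent's own logic, the following Linux /proc check looks for the condition the Reverse Shell Protection entry describes: a process whose standard input and output have been redirected to a network socket. The shell-name set, the verdict labels and the sample process records are assumptions constructed here.

```python
"""Spot processes whose standard streams point at network sockets (Linux /proc)."""
import os
import re

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")  # readlink() form of a socket fd
STD_FDS = (0, 1, 2)                              # stdin, stdout, stderr
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}    # assumed set of shell names

# Constructed sample records (not real telemetry); each mirrors /proc/<pid>/comm and readlink(/proc/<pid>/fd/N).
SAMPLE_PROCESSES = [
    {"pid": 4242, "comm": "bash", "fds": {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}},
    {"pid": 1001, "comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    {"pid": 777, "comm": "nginx", "fds": {0: "/dev/null", 1: "socket:[555]", 2: "pipe:[99]"}},
    {"pid": 900, "comm": "in.telnetd", "fds": {0: "socket:[600]", 1: "socket:[600]", 2: "socket:[600]"}},
]

def socket_inodes(fd_targets):
    """Map each standard fd whose link target is a socket to that socket's inode."""
    out = {}
    for fd in STD_FDS:
        m = SOCKET_LINK.match(fd_targets.get(fd, ""))
        if m:
            out[fd] = m.group(1)
    return out

def classify(comm, fd_targets):
    """'shell-over-socket': a shell whose stdin and stdout are the same socket,
    the shape the Reverse Shell Protection entry describes.
    'socket-streams': stdin and stdout on sockets but not a shell; inetd-style
    services legitimately look like this, so allowlist them per fleet.
    'clean': anything else."""
    socks = socket_inodes(fd_targets)
    if 0 in socks and 1 in socks:
        if comm in SHELLS and socks[0] == socks[1]:
            return "shell-over-socket"
        return "socket-streams"
    return "clean"

def live_findings():
    """Classify every readable process in a live Linux /proc and yield the non-clean ones."""
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/comm") as fh:
                comm = fh.read().strip()
            fds = {fd: os.readlink(f"/proc/{name}/fd/{fd}") for fd in STD_FDS}
        except OSError:
            continue  # process exited, or its fds are not readable without privilege
        verdict = classify(comm, fds)
        if verdict != "clean":
            yield {"pid": int(name), "comm": comm, "verdict": verdict}
```

Run `list(live_findings())` as root on a Linux host to apply the same check to the running process table; on the constructed samples only pid 4242 is rated shell-over-socket and pid 900 socket-streams.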