Endpoint protection capabilities - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

The endpoint protection capabilities vary depending on the platform (operating system) that is used on each of your endpoints.

Each security profile provides a tailored list of protection capabilities that you can configure for the platform you select. The following sections describe the protection capabilities you can customize in a security profile and indicate which platforms support each capability. The platforms are Windows, Mac, Linux, Android, and iOS; each check mark (✓) on the "Platform support" line below a capability marks one supported platform, so a capability with no check mark for a platform is not supported there.

Exploit security profiles

Browser exploits protection

Browsers can be subject to exploitation attempts from malicious web pages and exploit kits that are embedded in compromised websites. By enabling this capability, the Cortex XDR agent automatically protects browsers from common exploitation attempts.

Platform support: ✓ ✓

Logical exploits protection

Attackers can use existing mechanisms in the operating system—such as DLL-loading processes or built-in system processes—to execute malicious code. By enabling this capability, the Cortex XDR agent automatically protects endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.

Platform support: ✓ ✓

Known vulnerable processes protection

Common applications in the operating system, such as PDF readers and Office applications, and even processes that are part of the operating system itself, can contain bugs and vulnerabilities that an attacker can exploit. By enabling this capability, the Cortex XDR agent protects these processes from attacks that try to exploit known process vulnerabilities.

Platform support: ✓ ✓ ✓

Exploit protection for additional processes

The default policy does not protect third-party processes from exploitation attempts. To extend protection to such processes, you can add them to this capability.

Platform support: ✓ ✓ ✓

Operating system exploit protection

Attackers commonly leverage the operating system itself to accomplish a malicious action. By enabling this capability, the Cortex XDR agent protects operating system mechanisms such as privilege escalation and prevents them from being used for malicious purposes.

Platform support: ✓ ✓ ✓

Unpatched vulnerabilities protection

If you have Windows endpoints in your network that are unpatched and exposed to a known vulnerability, Palo Alto Networks strongly recommends that you upgrade to the latest Windows Update that has a fix for that vulnerability. If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability allows the Cortex XDR agent to apply a workaround to protect the endpoints from the known vulnerability.

Platform support: ✓

Malware security profiles

Behavioral threat protection

Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains.

Platform support: ✓ ✓ ✓

Credential gathering protection

Targets attempts to access and harvest passwords and credentials.

Platform support: ✓ ✓ ✓

Anti webshell protection

Prevents web shell attacks by continuously monitoring endpoints for processes that try to drop malicious files.

Platform support: ✓ ✓ ✓

Financial malware threat protection

Targets attempts to access or steal financial or banking information.

Platform support: ✓ ✓ ✓

Cryptominers protection

Prevents cryptomining by monitoring for processes that attempt to locate or steal cryptocurrencies.

Platform support: ✓ ✓ ✓

In-process shellcode protection

Targets attempts to run in-process shellcode that loads malicious code.

Platform support: ✓

Ransomware protection

Targets encryption-based activity associated with ransomware to analyze and halt ransomware before any data loss occurs.

Platform support: ✓ ✓

Prevent malicious child process execution

Prevents script-based attacks used to deliver malware by blocking known targeted processes from launching child processes commonly used to bypass traditional security approaches.

Platform support: ✓

Portable executables and DLLs examination

Analyzes and prevents malicious executable and DLL files from running.

Platform support: ✓ ✓

ELF files examination

Analyzes and prevents malicious ELF files from running.

Platform support: ✓

Local file threat examination

Analyzes and quarantines malicious PHP files arriving from the web server.

Platform support: ✓

PDF files examination

Analyzes and prevents malicious macros embedded in PDF files from running.

Platform support: ✓

Office files examination

Analyzes and prevents malicious macros embedded in Microsoft Office files from running.

Platform support: ✓

Mach-O files examination

Analyzes and prevents malicious Mach-O files from running.

Platform support: ✓

DMG files examination

Analyzes and prevents malicious DMG files from running.

Platform support: ✓

APK files examination

Analyzes and prevents malicious APK files from running.

Platform support: ✓

Reverse shell protection

Detects suspicious or abnormal network activity from shell processes and terminates the malicious shell process.

Platform support: ✓

Network packet inspection engine

Analyzes network packet data to detect malicious behavior.

Platform support: ✓

Dynamic kernel protection

Protects the endpoint from kernel-level threats such as bootkits, rootkits, and susceptible drivers.

Platform support: ✓

SMS and MMS malicious URL filtering

Platform support: ✓

Spam reports

Platform support: ✓

Call and messages blocking

Platform support: ✓

Container-escaping attempts

Platform support: ✓

Network URL filtering

URL filtering for supervised devices.

Platform support: ✓

Cryptocurrency wallets protection

Protection for cryptocurrency wallets stored on endpoints.

Platform support: ✓ ✓

Restrictions security profiles

Execution paths

Many attack scenarios are based on writing malicious executable files to certain folders such as the local temp or download folder and then running them. Use this capability to restrict the locations from which executable files can run.

Platform support: ✓

Network locations

To prevent attack scenarios that are based on writing malicious files to remote folders, you can restrict access to all network locations except for those that you explicitly trust.

Platform support: ✓

Removable media

To prevent malicious code from gaining access to endpoints through external media such as a removable drive, you can restrict the executable files that users can launch from external drives attached to the endpoints in your network.

Platform support: ✓

Optical drive

To prevent malicious code from gaining access to endpoints through optical disc drives (CD, DVD, and Blu-ray), you can restrict the executable files that users can launch from optical disc drives connected to the endpoints in your network.

Platform support: ✓