Malware protection - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Cortex XSIAM prevents malware attacks and provides malware protection on endpoints according to their operating system.

Malicious files, known as malware, are often disguised as or embedded in non-malicious files. Such files can attempt to gain control of the system, gather sensitive information, or disrupt its normal operation. Cortex XSIAM prevents malware with the Malware Prevention Engine, which combines several layers of protection to stop both known and unknown malware from harming your endpoints. The mitigation techniques the Malware Prevention Engine employs vary by endpoint type.

The following tables list the malware protection types that the Malware Prevention Engine implements for each operating system.

Malware protection types for Windows endpoints

Portable executable and DLL: Enables Cortex XSIAM to analyze executable (PE) and DLL files and prevent malicious ones from running on Windows endpoints.

Office files with macros examination: Enables Cortex XSIAM to analyze macros embedded in Microsoft Office files (Word, Excel) and prevent malicious macros from running on Windows endpoints.

On-write file protection: Enables Cortex XSIAM to monitor files as they are written to disk and take action on malicious files during the on-write process.

Endpoint scanning: Enables Cortex XSIAM to scan endpoints and attached removable drives for dormant, inactive malware.

Global behavioral threat protection rules: Enables Cortex XSIAM to use rules to protect endpoints from malicious causality chains.

Credential gathering protection: Enables Cortex XSIAM to protect endpoints from processes trying to access or steal passwords and other credentials.

Anti webshell protection: Enables Cortex XSIAM to prevent endpoint processes from dropping malicious web shells.

Financial malware threat protection: Enables Cortex XSIAM to protect against techniques specific to financial and banking malware.

Cryptominers protection: Enables Cortex XSIAM to protect against attempts to locate or steal cryptocurrencies.

In-process shellcode protection: Enables Cortex XSIAM to protect against in-process shellcode attacks.

Malicious device protection: Enables Cortex XSIAM to protect against the connection of potentially malicious devices to endpoints.

UAC bypass prevention: Enables Cortex XSIAM to protect against User Account Control (UAC) bypass techniques, which are associated with privilege elevation attempts.

Malware protection types for macOS endpoints

Endpoint scanning: Enables Cortex XSIAM to scan endpoints and attached removable drives for dormant, inactive malware.

Global behavioral threat protection rules: Enables Cortex XSIAM to use rules to protect endpoints from malicious causality chains.

Credential gathering protection: Enables Cortex XSIAM to protect endpoints from processes trying to access or steal passwords and other credentials.

Anti webshell protection: Enables Cortex XSIAM to prevent endpoint processes from dropping malicious web shells.

Financial malware threat protection: Enables Cortex XSIAM to protect against techniques specific to financial and banking malware.

Cryptominers protection: Enables Cortex XSIAM to protect against attempts to locate or steal cryptocurrencies.

Anti tampering protection: Enables Cortex XSIAM to protect against attempts to tamper with the agent.

Ransomware protection: Enables Cortex XSIAM to protect against encryption-based activity associated with ransomware attacks.

Malicious child process protection: Enables Cortex XSIAM to prevent script-based attacks that deliver malware, by blocking child processes launched from targeted processes that are commonly abused to bypass traditional security controls.

Mach-O file examination: Enables Cortex XSIAM to check Mach-O files for malware.

Local file threat examination: Enables Cortex XSIAM to detect malicious files on the endpoint.

DMG file examination: Enables Cortex XSIAM to check DMG files for malware.
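Both "Global behavioral threat protection rules" (malicious causality chains) and "Malicious child process protection" rest on the same idea: judge a process by its ancestry, not only by its own image. The following Python is an added example written for this page, not Cortex XSIAM code and not its rule syntax. It walks the parent chain of every process-start event, reconstructs the causality chain, and flags script hosts that descend from an Office application. The Office and script-host name lists, the event format and the sample events are constructed assumptions.

```python
"""Added example: flag script hosts whose causality chain passes through an
Office application. Illustrative code for this page, not Cortex XSIAM's engine."""
from dataclasses import dataclass

# Assumed lists; a real policy would be longer and OS-specific.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "microsoft word", "microsoft excel"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "bash", "sh", "osascript", "python3"}


@dataclass(frozen=True)
class ProcStart:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str


def build_index(events):
    return {e.pid: e for e in events}


def causality_chain(index, pid):
    """Ancestry from the root down to pid, as a list of ProcStart.
    A `seen` set guards against pid reuse producing a cycle."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    chain.reverse()
    return chain


def evaluate(events):
    """Return (pid, chain_as_string) for every script host with an Office ancestor."""
    index = build_index(events)
    hits = []
    for e in events:
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        chain = causality_chain(index, e.pid)
        ancestors = chain[:-1]          # everything above the process itself
        if any(a.image.lower() in OFFICE_APPS for a in ancestors):
            hits.append((e.pid, " -> ".join(p.image for p in chain)))
    return hits


# Constructed sample events: a macro document spawning cmd -> powershell,
# next to a user-launched cmd -> powershell that must not be flagged.
SAMPLE_EVENTS = [
    ProcStart(1, 0, "explorer.exe", "explorer.exe"),
    ProcStart(100, 1, "winword.exe", 'winword.exe "C:\\Users\\a\\invoice.docm"'),
    ProcStart(101, 100, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -enc <b64>"),
    ProcStart(102, 101, "powershell.exe", "powershell -nop -w hidden -enc <b64>"),
    ProcStart(200, 1, "cmd.exe", "cmd.exe"),
    ProcStart(201, 200, "powershell.exe", "powershell"),
]

if __name__ == "__main__":
    for pid, chain in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain}")
```

The point of walking the whole chain rather than checking only the immediate parent is the second hit: powershell.exe is launched by cmd.exe, which is unremarkable on its own, and is caught only because winword.exe sits two levels up. Product rules add the same ancestry context to many other indicators (signer, command-line flags, file origin), which is what the "causality chain" in the table refers to.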

Malware protection types for Linux endpoints

Endpoint scanning: Enables Cortex XSIAM to scan endpoints and attached removable drives for dormant, inactive malware.

Global behavioral threat protection rules: Enables Cortex XSIAM to use rules to protect endpoints from malicious causality chains.

Credential gathering protection: Enables Cortex XSIAM to protect endpoints from processes trying to access or steal passwords and other credentials.

Anti webshell protection: Enables Cortex XSIAM to prevent endpoint processes from dropping malicious web shells.

Financial malware threat protection: Enables Cortex XSIAM to protect against techniques specific to financial and banking malware.

Cryptominers protection: Enables Cortex XSIAM to protect against attempts to locate or steal cryptocurrencies.

Container escaping protection: Enables Cortex XSIAM to protect against attempts to escape from a container to the host.

ELF file examination: Enables Cortex XSIAM to examine ELF files on endpoints and perform additional actions on them.

Local file threat examination: Enables Cortex XSIAM to detect malicious files on the endpoint.

Reverse shell protection: Enables Cortex XSIAM to prevent attempts to redirect the standard input and output streams of a process to network sockets.

Malware protection types for Android endpoints

APK files examination: Enables Cortex XSIAM to analyze APK files and prevent malicious ones from running on endpoints.
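Several rows across the tables above are static examinations of a file type before it runs: "Portable executable and DLL" and "Office files with macros examination" on Windows, "Mach-O file examination" and "DMG file examination" on macOS, "ELF file examination" on Linux, and "APK files examination" here. The following Python is an added example for this page, not the Cortex XSIAM engine (which layers machine-learning and reputation verdicts on top of this kind of triage). It shows the structural checks such an examination starts from: the PE signature and the DLL flag in the COFF header, the ELF and Mach-O magic numbers, the UDIF "koly" trailer of a DMG, and the zip members that distinguish a macro-enabled Office document or an APK. The sample files are constructed minimal headers, not real binaries.

```python
"""Added example: static examination of the file types named on this page.
Classifies a byte string as PE executable vs DLL, ELF, Mach-O, DMG, OOXML
Office (with or without a VBA project) or APK from header/container structure
alone. Written for this page; not the Cortex XSIAM engine."""
import io
import struct
import zipfile

IMAGE_FILE_DLL = 0x2000                                     # COFF Characteristics flag
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, BE / LE
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit, BE / LE
FAT_MAGIC = b"\xca\xfe\xba\xbe"     # universal binary; Java .class shares this magic
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # legacy .doc/.xls container
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_pe(data):
    """'pe-dll' or 'pe-exe' from the COFF Characteristics word; None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    # COFF header follows the 4-byte signature; Characteristics is its last field
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"


def classify_zip(data):
    """Tell APK, OOXML Office (macro-enabled or not) and plain zip apart by members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    if "AndroidManifest.xml" in names and "classes.dex" in names:
        return "apk"
    if "[Content_Types].xml" in names:       # OPC package (docx/xlsx/pptx, also xps/vsix)
        return "office-macro" if any(p in names for p in VBA_PARTS) else "office"
    return "zip"


def classify(data):
    pe = classify_pe(data)
    if pe:
        return pe
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data[:4] == FAT_MAGIC:
        return "macho-fat-or-class"
    if data[:8] == OLE2_MAGIC:
        return "ole2"                        # VBA lives in OLE streams; needs a full parser
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "dmg"                         # UDIF trailer occupies the last 512 bytes
    if data[:2] == b"PK":
        return classify_zip(data) or "unknown"
    return "unknown"


# --- constructed samples (minimal headers, not real binaries) ----------------
def _pe(characteristics):
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)            # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(hdr) + b"PE\0\0" + coff


def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLES = {
    "pe_exe": _pe(0x0022),   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    "pe_dll": _pe(0x2022),   # same, plus IMAGE_FILE_DLL
    "elf": b"\x7fELF\x02\x01\x01" + b"\0" * 57,
    "macho": b"\xcf\xfa\xed\xfe" + b"\0" * 28,
    "docx": _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "docm": _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                  "word/vbaProject.bin": OLE2_MAGIC}),
    "apk": _zip({"AndroidManifest.xml": b"\x03\x00\x08\x00", "classes.dex": b"dex\n035\0"}),
    "dmg": b"\0" * 1024 + b"koly" + b"\0" * 508,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:7s} -> {classify(blob)}")
```

Two caveats a practitioner should keep in mind: the presence of vbaProject.bin says only that a VBA project exists, not whether it is malicious (and Excel 4.0 XLM macros live in sheet streams, not in vbaProject.bin), and a file's extension is irrelevant to every check here, which is the point of examining structure rather than names.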

Malware protection types for iOS endpoints

URL filtering: Enables Cortex XSIAM to analyze and block or report malicious URLs, and to block or allow custom URLs.

Spam reports: Enables Cortex XSIAM to report calls and messages as spam.

Call and messages blocking: Enables Cortex XSIAM to act on incoming calls and messages from known spam numbers.

Safari browser security module: This security module can provide proactive gating of suspicious sites accessed using Safari, and provides informative site analysis to the device user. This option is recommended for iOS devices that do not belong to your organization and do not use the Network Shield feature.

Network and EDR security module: This module lets you configure granular control and monitoring of network traffic on supervised iOS devices. The device profiles must also be configured for this on the MDM side, as explained in the Cortex XDR Agent iOS Guide.