Exploit prevention profiles control the action that the Cortex XDR agent takes when attempts to exploit software vulnerabilities or flaws occur.
Exploit prevention profiles block attempts to exploit system flaws in browsers and in the operating system. For example, exploit prevention profiles help protect against exploit kits, illegal code execution, and other attempts to exploit process and system vulnerabilities.
You can configure the action that the Cortex XDR agent takes when attempts to exploit software vulnerabilities or flaws occur. To protect against specific exploit techniques, you can customize the exploit protection capabilities in each exploit prevention profile. Default settings are shown in parentheses. To fine-tune your exploit prevention policy, you can override the configuration of each capability to block the malicious exploit, allow it but report it, or disable the module.
To view which processes are protected by each capability, see Processes Protected by Exploit Security Policy.
For each setting that you override, clear the corresponding option to Use Default, and select the setting of your choice.
Note
In this profile, the Report options configure the endpoints to report the corresponding exploit attempts to Cortex XSIAM, without blocking them. The Disabled options configure the endpoints to neither analyze nor report the corresponding malware or behavior.
The tasks below are organized according to the operating systems used by your organization's endpoints.
Add a new profile and define basic settings.
From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Windows platform, and Exploit as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure Browser Exploits Protection, to protect endpoints from malicious or compromised websites.
Item: Action Mode
Options: Block, Report, Disabled
More details: When the Cortex XDR agent detects attempts to exploit browser processes for malicious purposes, it performs the configured action.
Configure Logical Exploits Protection to prevent execution of malicious code using common operating system mechanisms.
Item: Action Mode
Options: Block, Report, Disabled
More details: When the Cortex XDR agent detects attempts to execute malicious code using operating system mechanisms, it performs the configured action.
Item: Block List DLLs
More details: The block list blocks the specified DLLs when they are run by a protected process, using the DLL Hijacking module.
Click +Add to configure entries in your Block List.
Enter the name of the process in which the DLL is to be blocked.
Enter the associated DLL name. The DLL folder or file must include the complete path. To complete the path, you can use environment variables or the asterisk (*) as a wildcard to match any string of characters (for example, */windows32/).
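As an added illustration (not Cortex XDR agent code), the following Python script shows how block-list entries of the kind described above can be validated against candidate DLL paths before a profile is switched to Block. It assumes the matching semantics the text states: an asterisk matches any string of characters, environment variables are written in the Windows %VAR% form, and an entry that ends in a path separator is a folder entry under which every DLL is blocked. The process name example-app.exe, the %APPDATA% entry, the sample environment and the candidate paths are all constructed for this example; the */windows32/ pattern is the page's own.

```python
import re

# Constructed block-list entries of the form (process name, DLL folder or file pattern).
# "*/windows32/" is the page's own example pattern; the %APPDATA% entry and the
# process name are constructed for this illustration.
BLOCK_LIST = [
    ("example-app.exe", "*/windows32/"),
    ("example-app.exe", "%APPDATA%/*.dll"),
]

# Constructed environment for offline matching (on a live endpoint pass os.environ).
SAMPLE_ENV = {"APPDATA": "C:/Users/alice/AppData/Roaming"}


def entry_to_regex(pattern, env):
    """Compile one block-list entry into a regular expression.

    Assumed semantics: %VAR% is replaced from env, '*' matches any run of
    characters (the page says "any string of characters"), backslashes are
    normalised to '/' and matching is case-insensitive (Windows paths are).
    An entry ending in '/' is a folder entry, so any DLL beneath it matches.
    """
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).upper(), m.group(0)),
                      pattern)
    expanded = expanded.replace("\\", "/").lower()
    body = ".*".join(re.escape(part) for part in expanded.split("*"))
    anchor_end = "" if expanded.endswith("/") else "$"
    return re.compile("^" + body + anchor_end)


def is_blocked(process_name, dll_path, block_list=BLOCK_LIST, env=None):
    """Return True if dll_path would be blocked when loaded by process_name."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    norm = dll_path.replace("\\", "/").lower()
    for proc, pattern in block_list:
        if proc.lower() != process_name.lower():
            continue
        if entry_to_regex(pattern, env).match(norm):
            return True
    return False


if __name__ == "__main__":
    # Constructed candidate loads used to validate the entries before enabling Block.
    candidates = [
        ("example-app.exe", r"C:\Windows\windows32\evil.dll"),
        ("example-app.exe", r"C:\Users\alice\AppData\Roaming\payload.dll"),
        ("example-app.exe", r"C:\Windows\System32\kernel32.dll"),
        ("other.exe", r"C:\Windows\windows32\evil.dll"),
    ]
    for proc, path in candidates:
        print(f"{proc:16} {path:50} blocked={is_blocked(proc, path, env=SAMPLE_ENV)}")
```

Running the script with the DLL paths your protected processes legitimately load (for example, collected from a clean endpoint) shows which loads a proposed entry would catch, which is the kind of testing the Block option calls for before rollout.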
Configure Known Vulnerable Processes Protection to automatically protect endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.
Item: Action Mode
Options: Block, Report, Disabled
More details: Attackers can use existing mechanisms in the operating system to execute malicious code. When you set this option to Block, you can also configure Java Deserialization Protection to block such code.
Item: Java Deserialization Protection
Options: Enabled, Disabled
More details: When enabled, the same action mode defined for Known Vulnerable Processes Protection is inherited here.
Configure Operating System Exploit Protection to prevent attackers from using operating system mechanisms for malicious purposes.
Item: Action Mode
Options: Block, Report, Disabled
More details: When the Cortex XDR agent detects attempts to use the operating system's own mechanisms to perform an attack, it performs the configured action.
Configure Exploit Protection for Additional Processes to protect third-party processes running on endpoints.
Item: Action Mode
Options: Block, Report, Disabled
More details: The Cortex XDR agent can protect third-party processes from exploitation. To protect these processes, define them in the Processes list below this field. If you select the Block option, we recommend that you test and validate that there are no compatibility issues with the third-party processes that you have defined.
Note
In exploit prevention profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes:
Brute Force Protection
Java Deserialization
ROP
SO Hijacking
Item: Processes
More details: If you want to add exploit protection for one or more additional third-party processes, add them here.
Click +Add to configure entries in your Processes list.
Enter the file name of the process that you want to protect, and press ENTER.
For additional processes, repeat the previous steps.
Configure Unpatched Vulnerabilities Protection to provide a temporary workaround for protecting unpatched endpoints from known vulnerabilities.
Note
This step provides a temporary workaround for the following publicly known information-security vulnerabilities and exposures: CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094.
If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability allows the Cortex XDR agent to apply a workaround to protect the endpoints from the known vulnerability. It takes the Cortex XDR agent up to 6 hours to enforce your configured policy on the endpoints.
Note
If you have Windows endpoints in your network that are unpatched and exposed to a known vulnerability, we strongly recommend that you upgrade to the latest Windows Update that has a fix for that vulnerability.
Item: Modify IPv4 and IPv6 Settings
Options: Do not modify system settings; Modify settings until the endpoint is patched; Revert system settings to your previous settings
More details: To address known vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094, you can Modify IPv4 and IPv6 settings as follows:
Do not modify system settings (default): Do not modify the IPv4 and IPv6 settings currently set on the endpoint, whether the current values are your original values or values that were modified as part of this workaround.
Modify system settings until the endpoint is patched: If the endpoint is already patched, this option does not modify any system settings. For unpatched endpoints, the Cortex XDR agent runs the following commands to temporarily modify the IPv4 and IPv6 settings until the endpoint is patched. After the endpoint is patched for CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094, all Windows system settings modified as part of this workaround are automatically reverted to their values before modification. Palo Alto Networks strongly recommends that you review these commands before applying this workaround in your network, to ensure that your critical business components are not affected or harmed:
netsh int ipv6 set global reassemblylimit=0
This command disables IPv6 fragmentation on the endpoint.
netsh int ipv4 set global sourceroutingbehavior=drop
This command disables loose source routing (LSR) for IPv4.
Revert system settings to your previous settings: Revert all Windows system settings to their values before modification as part of this workaround, regardless of whether the endpoint was patched or not.
Warning
This workaround applies only to the specific Windows versions listed as exposed to these CVEs, and requires a Cortex XDR agent release 7.1 or later and content 167-51646 or later. This workaround is not recommended for non-persistent, stateless, or linked-clone environments. In some cases, enabling this workaround can affect the network functionality on the endpoint.
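Because the workaround changes two global IP settings and is reverted automatically once the endpoint is patched, an administrator will often want to confirm what state a given endpoint is actually in. The following Python script is an added example, not Cortex XDR or XSIAM code: it parses the output of the read-only commands netsh interface ipv6 show global and netsh interface ipv4 show global and reports whether the two values the agent modifies (the IPv6 reassembly limit and the IPv4 source routing behavior) currently match the workaround. It assumes the English-language netsh labels "Reassembly Limit" and "Source Routing Behavior"; the embedded sample outputs are constructed so the script runs offline on any platform.

```python
import re
import subprocess

# Constructed sample outputs in the shape of `netsh interface ipv6 show global`
# and `netsh interface ipv4 show global` on an English-language Windows endpoint.
# Assumption: netsh prints the labels "Reassembly Limit" and "Source Routing Behavior".
SAMPLE_IPV6_DEFAULT = """\
Querying active state...

General Global Parameters
----------------------------------------------
Default Hop Limit                   : 128 hops
Reassembly Limit                    : 267748064 bytes
ICMP Redirects                      : enabled
"""
SAMPLE_IPV6_WORKAROUND = SAMPLE_IPV6_DEFAULT.replace("267748064 bytes", "0 bytes")

SAMPLE_IPV4_DEFAULT = """\
Querying active state...

General Global Parameters
----------------------------------------------
Default Hop Limit                   : 128 hops
Source Routing Behavior             : dontforward
Task Offload                        : enabled
"""
SAMPLE_IPV4_WORKAROUND = SAMPLE_IPV4_DEFAULT.replace("dontforward", "drop")


def parse_netsh_global(output):
    """Turn 'Label : value' lines into a dict keyed by the lower-cased label."""
    settings = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Za-z][^:]*?)\s*:\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(2)
    return settings


def workaround_state(ipv6_output, ipv4_output):
    """Report which of the two workaround settings are currently in effect."""
    v6 = parse_netsh_global(ipv6_output)
    v4 = parse_netsh_global(ipv4_output)
    reassembly = v6.get("reassembly limit", "")
    src_routing = v4.get("source routing behavior", "")
    # The agent's command sets reassemblylimit=0; netsh shows it as "0 bytes".
    v6_applied = reassembly.split()[:1] == ["0"]
    # The agent's command sets sourceroutingbehavior=drop.
    v4_applied = src_routing.strip().lower() == "drop"
    return {
        "ipv6_reassembly_limit": reassembly or None,
        "ipv4_source_routing": src_routing or None,
        "ipv6_workaround_applied": v6_applied,
        "ipv4_workaround_applied": v4_applied,
        "workaround_active": v6_applied and v4_applied,
    }


def query_live_endpoint():
    """Run the read-only netsh 'show' commands on the local Windows endpoint."""
    v6 = subprocess.run(["netsh", "interface", "ipv6", "show", "global"],
                        capture_output=True, text=True, check=True).stdout
    v4 = subprocess.run(["netsh", "interface", "ipv4", "show", "global"],
                        capture_output=True, text=True, check=True).stdout
    return workaround_state(v6, v4)


if __name__ == "__main__":
    try:
        state = query_live_endpoint()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not on Windows (or netsh unavailable): fall back to the constructed samples.
        state = workaround_state(SAMPLE_IPV6_WORKAROUND, SAMPLE_IPV4_WORKAROUND)
    for key, value in state.items():
        print(f"{key}: {value}")
```

A partial result (one setting applied, the other not) is worth flagging, since it indicates the endpoint is neither in its original state nor fully covered by the workaround, for example after a manual change or an interrupted revert.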
To save the profile, click Create.
To apply your new profile to endpoints, add it to a policy rule; if you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which to assign the policy. There are different ways of doing this, such as:
Navigate to Endpoints → Policy Management → Prevention → Profiles, right-click your new profile, select Create a new policy rule using this profile, and configure the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules, right-click an existing policy, select Edit, and add your new profile to the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules, click Add Policy, and configure a new policy that includes your new profile.
Add a new profile and define basic settings.
From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the macOS platform, and Exploit as the profile type.
Click Next.
Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure Browser Exploits Protection, to protect endpoints from malicious or compromised websites.
Item: Action Mode
Options: Block, Report, Disabled
More details: When the Cortex XDR agent detects attempts to exploit browser processes for malicious purposes, it performs the configured action.
Configure Logical Exploits Protection to prevent execution of malicious code using common operating system mechanisms.
Item: Action Mode
Options: Block, Report, Disabled
More details: When the Cortex XDR agent detects attempts to execute malicious code using operating system mechanisms, it performs the configured action.
Configure Known Vulnerable Processes Protection to automatically protect endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.
Item: Action Mode
Options: Block, Report, Disabled
More details: Attackers can use existing mechanisms in the operating system to execute malicious code. When you set this option to Block, you can also configure Java Deserialization Protection to block such code.
Configure Operating System Exploit Protection to prevent attackers from using operating system mechanisms for malicious purposes.
Item: Action Mode
Options: Block, Report, Disabled
More details: When the Cortex XDR agent detects attempts to use the operating system's own mechanisms to perform an attack, it performs the configured action.
Configure Exploit Protection for Additional Processes to protect third-party processes running on endpoints.
Item: Action Mode
Options: Block, Report, Disabled
More details: The Cortex XDR agent can protect third-party processes from exploitation. To protect these processes, define them in the Processes list below this field. If you select the Block option, we recommend that you test and validate that there are no compatibility issues with the third-party processes that you have defined.
Note
In exploit prevention profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes:
Brute Force Protection
Java Deserialization
ROP
SO Hijacking
Item: Processes
More details: If you want to add exploit protection for one or more additional third-party processes, add them here.
Click +Add to configure entries in your Processes list.
Enter the file name of the process that you want to protect, and press ENTER.
For additional processes, repeat the previous steps.
To save the profile, click Create.
To apply your new profile to endpoints, add it to a policy rule; if you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which to assign the policy. There are different ways of doing this, such as:
Navigate to Endpoints → Policy Management → Prevention → Profiles, right-click your new profile, select Create a new policy rule using this profile, and configure the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules, right-click an existing policy, select Edit, and add your new profile to the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules, click Add Policy, and configure a new policy that includes your new profile.
Add a new profile and define basic settings.
From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Linux platform, and Exploit as the profile type.
Click Next.
Enter a unique Profile Name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure Known Vulnerable Processes Protection to automatically protect endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.
Item: Action Mode
Options: Block, Report, Disabled
More details: Attackers can use existing mechanisms in the operating system to execute malicious code. When you set this option to Block, you can also configure Java Deserialization Protection to block such code.
Configure Operating System Exploit Protection to prevent attackers from using operating system mechanisms for malicious purposes.
Item: Action Mode
Options: Block, Report, Disabled
More details: When the Cortex XDR agent detects attempts to use the operating system's own mechanisms to perform an attack, it performs the configured action.
Configure Exploit Protection for Additional Processes to protect third-party processes running on endpoints.
Item: Action Mode
Options: Block, Report, Disabled
More details: The Cortex XDR agent can protect third-party processes from exploitation. To protect these processes, define them in the Processes list below this field. If you select the Block option, we recommend that you test and validate that there are no compatibility issues with the third-party processes that you have defined.
Note
In exploit prevention profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes:
Brute Force Protection
Java Deserialization
ROP
SO Hijacking
Item: Processes
More details: If you want to add exploit protection for one or more additional third-party processes, add them here.
Click +Add to configure entries in your Processes list.
Enter the file name of the process that you want to protect, and press ENTER.
For additional processes, repeat the previous steps.
To save the profile, click Create.
To apply your new profile to endpoints, add it to a policy rule; if you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which to assign the policy. There are different ways of doing this, such as:
Navigate to Endpoints → Policy Management → Prevention → Profiles, right-click your new profile, select Create a new policy rule using this profile, and configure the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules, right-click an existing policy, select Edit, and add your new profile to the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules, click Add Policy, and configure a new policy that includes your new profile.