Set up malware prevention profiles - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-12-12
Category
Administrator Guide
Abstract

Configure malware prevention profiles to control the actions taken by Cortex XDR agents when known malware, macros, and unknown files try to run.

Malware prevention profiles protect against the execution of malware including trojans, viruses, worms, and grayware. Malware prevention profiles serve two main purposes: to define how to treat behavior commonly associated with malware, such as ransomware or script-based attacks, and to define how to treat known malware and unknown files.

You can configure the action that Cortex XDR agents take when known malware, macros, and unknown files try to run on endpoints. By default, the Cortex XDR agent will receive the default profile that contains a pre-defined configuration for each malware protection capability supported by the platform. The default setting for each capability is shown in parentheses in the user interface. To fine-tune your malware prevention policy, you can override the configuration of each capability to block the malicious behavior or file, allow but report it, or disable the module.

For each setting that you override, clear the Use Default option, and select the setting of your choice.

Note

In this profile, the Report options configure the endpoints to report the corresponding suspicious files, actions, processes, or behaviors to Cortex XSIAM, without blocking them. The Disabled options configure the endpoints to neither analyze nor report the corresponding malware or behavior.

The tasks below are organized according to the operating systems used by your organization's endpoints.

Windows

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select Endpoints > Policy Management > Prevention > Profiles. Click +Add Profile, and select whether to create a new profile or to import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Windows platform, and Malware as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Portable Executable and DLL Examination. The Cortex XDR agent can analyze and prevent malicious executable files and DLL files from running on Windows endpoints.

    Note

    As part of the anti-malware security flow, the Cortex XDR agent leverages the operating system's capability to identify revoked certificates for executables and DLL files that attempt to run on the endpoint, by accessing the Windows Certificate Revocation List (CRL). To allow the Cortex XDR agent to access the CRL, you must enable internet access over port 80 for Windows endpoints. If the endpoint is not connected to the internet, or you experience delays with executables and DLLs running on the endpoint, contact Customer Support.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects attempts to run malware, it performs the configured action.

    Quarantine Malicious Executables

    • Disabled

    • Quarantine WildFire malware verdict

    • Quarantine WildFire and Local Analysis malware verdict

    By default, the Cortex XDR agent blocks malware from running, but does not quarantine the file. You can enable one of the options to quarantine files, depending on the verdict issuer.

    Note

    The Quarantine Malicious Executables feature is not available for malware identified on network drives.

    Action when file is unknown to WildFire

    • Allow

    • Run Local Analysis

    • Block

    Allow: Unknown files are not blocked and local verdicts are not issued for them.

    Run Local Analysis: The Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.

    Block: Block unknown files but do not run local analysis. In this case, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.

    Action when file is benign with low confidence

    • Allow

    • Run Local Analysis

    • Block

    Select the action to take when a file with a Benign Low Confidence verdict from WildFire tries to run on the endpoint. When local analysis is enabled, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file. If you block this file but do not run a local analysis, the file remains blocked until the Cortex XDR agent receives a high-confidence WildFire verdict.

    To enable this capability, ensure that WildFire analysis scoring is also enabled in Global Agent Settings.

    Warning

    For optimal user experience, we recommend that you set the action mode to either Allow or Run Local Analysis.

    Upload unknown files to WildFire

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.

    The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.

    Treat Grayware as Malware

    • Enabled

    • Disabled

    When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.

    When disabled, grayware is considered benign, and is not blocked.

  3. Configure options for Office Files with Macros Examination. The Cortex XDR agent can analyze and prevent malicious macros embedded in Microsoft Office files (Word, Excel) from running on Windows endpoints.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects attempts to run malware, it performs the configured action.

    Action when file is unknown to WildFire

    • Allow

    • Run Local Analysis

    • Block

    Select the action to take when a file is not recognized by WildFire. When local analysis is enabled, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.

    If you block unknown files, but do not run local analysis, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.

    Action when WildFire verdict is Benign Low Confidence

    • Allow

    • Run Local Analysis

    • Block

    Select the action to take when a file with a Benign Low Confidence verdict from WildFire tries to run on the endpoint. When local analysis is enabled, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.

    If you block this file but do not run a local analysis, the file remains blocked until the Cortex XDR agent receives a high-confidence WildFire verdict.

    To enable this capability, ensure that WildFire analysis scoring is also enabled in Global Agent Settings.

    Warning

    For optimal user experience, we recommend that you set the action mode to either Allow or Run Local Analysis.

    Upload unknown files to WildFire

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis. For macro analysis, the Cortex XDR agent sends the Microsoft Office file containing the macro.

    The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.

    Examine Office files from network drives

    • Enabled

    • Disabled

    You can enable the Cortex XDR agent to examine Microsoft Office files on network drives when they contain a macro that attempts to run.

  4. Configure On-write File Protection to monitor and take action on malicious files during the on-write process.

    Item

    Options

    More details

    Action Mode

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent monitors for malicious files during the on-write process, and if it finds any, it sends alerts and quarantines the files.

  5. Configure Endpoint Scanning to scan endpoints and attached removable drives for dormant, inactive malware.

    Item

    Options

    More details

    End-User Initiated Local Scan

    • Enabled

    • Disabled

    When enabled, the endpoint user can perform a local scan on the endpoint.

    Periodic Scan

    • Enabled

    • Disabled

    Note

    We recommend that you disable scheduled scanning on VDI machines: their scans are based on the golden image, and additional files will be examined upon execution.

    Periodic scanning enables you to scan endpoints on a recurring basis without waiting for malware to run on the endpoint. When enabled, you can set the time interval (weekly or monthly) and the day and time at which to start scanning. In addition, you can choose to enable or disable scanning of removable media drives.

    Periodic scanning is persistent, and if the scan is scheduled to start while the endpoint is turned off, the scan will be initiated when the endpoint is turned on again. The scheduling of future scans is not affected by this delay.

    Note

    When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning scheduling time.

  6. Configure the Global Behavioral Threat Protection Rules. Use these rules to protect endpoints from malicious causality chains.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    The Cortex XDR agent protects against malicious causality chains, using behavioral threat protection rules. When the action mode is set to Block, the Cortex XDR agent terminates all processes and threads in the event chain up to the causality group owner (CGO).

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes and the artifacts, such as files, related to the CGO.

    When disabled, the Cortex XDR agent does not quarantine the CGO of an event chain, nor any scripts or files called by the CGO.

    Action Mode for Vulnerable Drivers Protection

    • Block

    • Report

    • Disabled

    Behavioral threat protection rules can also detect attempts to load vulnerable drivers, which can be used to bypass the Cortex XDR agent. As with other rules, Palo Alto Networks threat researchers can deliver changes to vulnerable driver rules with content updates.

    Advanced API Monitoring

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent adds additional hooks in user mode processes for increased coverage of anti-exploit and anti-malware modules.

  7. Configure Credential Gathering Protection to protect endpoints from processes trying to access or steal passwords and other credentials.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    The Cortex XDR agent protects against all processes and threads in the event chain up to the credential gathering process or file.

    When this module is disabled, the Cortex XDR agent does not analyze the event chain and does not block credential gathering.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the process or file related to the credential gathering event chain.

  8. Configure Anti Webshell Protection to protect endpoint processes from dropping malicious web shells.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a process that attempts to drop malicious web shells, it performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files that are related to the web shell drop event chain, and any scripts or files called by the web shell dropping process.

  9. Configure Financial Malware Threat Protection to protect against techniques specific to financial and banking malware.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal financial or banking information, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files related to the financial information gathering event chain, and scripts or files called by the financial information gathering process.

    Crypto Wallet Protection

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent protects cryptocurrency wallets that are stored on endpoints. Cryptocurrency wallets store the private keys that are used to access crypto assets.

  10. Configure Cryptominers Protection to protect against attempts to locate or steal cryptocurrencies.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a cryptomining process or file, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the process or file detected during a cryptocurrency gathering attempt.

  11. Configure In-process shellcode protection to protect against in-process shellcode attack threats.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a process that attempts to run in-process shellcode to load malicious code, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the in-process shellcode processes or files related to a causality chain.

    Process Injection 32 Bit

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines 32 bit in-process shellcode processes or files related to a causality chain.

    Process injection 32 bit is set to Enabled by default for all new tenants created after 25 June 2023. For tenants created before this date, the default was set to Disabled.

    Shellcode AI Protection

    • Enabled

    • Disabled

    When enabled, Precision AI-based detection rules use machine learning to detect and prevent in-memory shellcode attacks.

  12. Configure Malicious Device Prevention to protect against the connection of potentially malicious devices to endpoints.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects the connection of a potentially malicious external device to an endpoint, the Cortex XDR agent performs the configured action.

  13. Configure UAC Bypass Prevention to protect against the User Account Control (UAC) bypass mechanism that is associated with privilege elevation attempts.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects a UAC bypass mechanism, the Cortex XDR agent performs the configured action. The Block option blocks all processes and threads in the event chain up to the UAC bypass mechanism.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the UAC bypass processes or files related to the chain, and any scripts or files related to the UAC bypass mechanism.

  14. Configure Anti Tampering Protection to protect against tampering attempts.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects a tampering attempt, including modification and/or termination of the Cortex XDR agent, it performs the configured action.

    If you choose the Block option, you must also enable XDR Agent Tampering Protection in the Agent Settings profile, and ensure that both profiles are assigned to the same endpoints.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files that are related to the tampering attempt.

    Malicious Safe Mode Rebooting Protection

    • Block

    • Report

    • Disabled

    Define the action to take when the Cortex XDR agent detects suspicious safe mode reboot attempts made by other applications.

  15. Configure IIS Protection to protect against Internet Information Services (IIS) attacks.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects a threat that targets Internet Information Services (IIS), the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files that are related to the IIS attack.

  16. Configure UEFI Protection, to protect the endpoint from Unified Extensible Firmware Interface (UEFI) manipulation attempts.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects UEFI manipulation attempts, it performs the configured action. When Block is selected, the Cortex XDR agent blocks all processes and threads in the event chain, up to the UEFI threat.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files that are related to the UEFI threat.

  17. Configure Ransomware Protection to protect against encryption-based activity associated with ransomware attacks.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects ransomware activity locally on the endpoint or in pre-defined network folders, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Process

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes that are related to the ransomware activity.

    The Quarantine Malicious Process option is only available if Action Mode is set to Block.

    Protection Mode

    • Normal

    • Aggressive

    By default, Protection Mode is set to Normal, where the decoy files on the endpoint are present, but do not interfere with benign applications and end user activity on the endpoint. If you suspect your network has been infected with ransomware, and you need to provide better coverage, you can apply the Aggressive protection mode. Aggressive mode exposes more applications in your environment to the Cortex XDR agent decoy files. However, it also increases the likelihood that benign software is exposed to decoy files, raising false ransomware alerts, and impairing user experience.

  18. Configure Malicious Child Process Protection to prevent script-based attacks that can be used to deliver malware, by blocking targeted processes that are commonly used to bypass traditional security methods.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects known suspicious parent-child relationships that are used to bypass security, the Cortex XDR agent performs the configured action. When Block is selected, known suspicious child processes are blocked from starting.

  19. To prevent attacks that extract passwords from memory using the Mimikatz tool, set Password Theft Protection to Enabled.

  20. Configure Respond to Malicious Causality Chains options, which define the automatic response actions taken by the Cortex XDR agent when it identifies malicious causality chains.

    Item

    Options

    More details

    Terminate Connection and Block IP Address of Remote Causality Group Owner

    • Enabled

    • Disabled

    When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication, and to block new connections from this IP address to the endpoint. When Cortex XSIAM blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate.

  21. Configure the Network Packet Inspection Engine to analyze network packet data for malicious behavior.

    Item

    Options

    More details

    Action Mode

    • Terminate session

    • Report

    • Disabled

    By analyzing network packet data, the Cortex XDR agent can detect malicious behavior at the network level and extend protection to the growing corporate network boundary. The engine leverages both Palo Alto Networks NGFW content rules and new Cortex XDR content rules created by the Cortex XDR Research Team. The Cortex XDR content rules are updated through security content updates. This feature focuses on detecting outbound C2 activity.

    The Terminate session option configures Cortex XDR agents to analyze connections and to drop the malicious connections.

    The Report option configures Cortex XDR agents to analyze connections, to allow the transmission of packets in your network, but to report them to Cortex XSIAM.

  22. Configure Dynamic Kernel Protection to protect the endpoint from kernel-level threats such as bootkits, rootkits, and susceptible drivers.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When set to Block, this protection module loads during the boot process to protect the endpoint against malicious processes running at boot time.

  23. To save the profile, click Create.

macOS

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select Endpoints > Policy Management > Prevention > Profiles. Click +Add Profile, and select whether to create a new profile or to import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the macOS platform, and Malware as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Endpoint Scanning to scan endpoints and attached removable drives for dormant, inactive malware.

    Item

    Options

    More details

    Periodic Scan

    • Enabled

    • Disabled

    Note

    We recommend that you disable scheduled scanning on VDI machines: their scans are based on the golden image, and additional files will be examined upon execution.

    Periodic scanning enables you to scan endpoints on a recurring basis without waiting for malware to run on the endpoint. When enabled, you can set the time interval (weekly or monthly) and the day and time at which to start scanning. In addition, you can choose to enable or disable scanning of removable media drives.

    Periodic scanning is persistent, and if the scan is scheduled to start while the endpoint is turned off, the scan will be initiated when the endpoint is turned on again. The scheduling of future scans is not affected by this delay.

    Note

    When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning scheduling time.

  3. Configure the Global Behavioral Threat Protection Rules. These rules can be used to protect endpoints from malicious causality chains.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    The Cortex XDR agent protects against malicious causality chains, using behavioral threat protection rules. When the action mode is set to Block, the Cortex XDR agent terminates all processes and threads in the event chain up to the causality group owner (CGO).

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes and the artifacts, such as files, related to the CGO.

    When disabled, the Cortex XDR agent does not quarantine the CGO of an event chain, nor any scripts or files called by the CGO.

  4. Configure Credential Gathering Protection to protect endpoints from processes trying to access or steal passwords and other credentials.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    The Cortex XDR agent protects against all processes and threads in the event chain up to the credential gathering process or file.

    When this module is disabled, the Cortex XDR agent does not analyze the event chain and does not block credential gathering.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the process or file related to the credential gathering event chain.

  5. Configure Anti Webshell Protection to protect endpoint processes from dropping malicious web shells.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a process that attempts to drop malicious web shells, it performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files that are related to the web shell drop event chain, and any scripts or files called by the web shell dropping process.

  6. Configure Financial Malware Threat Protection to protect against techniques specific to financial and banking malware.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal financial or banking information, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files related to the financial information gathering event chain, and scripts or files called by the financial information gathering process.

    Crypto Wallet Protection

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent protects cryptocurrency wallets that are stored on endpoints. Cryptocurrency wallets store the private keys that are used to access crypto assets.

  7. Configure Cryptominers Protection to protect against attempts to locate or steal cryptocurrencies.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a cryptomining process or file, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the process or file detected during a cryptocurrency gathering attempt.

  8. Configure Anti Tampering Protection to protect against tampering attempts.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects a tampering attempt, including modification and/or termination of the Cortex XDR agent, it performs the configured action.

    If you choose the Block option, you must also enable XDR Agent Tampering Protection in the Agent Settings profile, and ensure that both profiles are assigned to the same endpoints.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files that are related to the tampering attempt.

  9. Configure Ransomware Protection to protect against encryption-based activity associated with ransomware attacks.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects ransomware activity locally on the endpoint or in pre-defined network folders, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the files that are related to the ransomware activity.

  10. Configure Malicious Child Process Protection to prevent script-based attacks that can be used to deliver malware, by blocking targeted processes that are commonly used to bypass traditional security methods.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects known suspicious parent-child relationships that are used to bypass security, the Cortex XDR agent performs the configured action. When Block is selected, known suspicious child processes are blocked from starting.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the files that are related to a malicious child process.

  11. Configure Mach-O Files Examination to check Mach-O files for malware.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects attempts to run malware, it performs the configured action.

    Quarantine malicious Mach-O files

    • Disabled

    • Quarantine WildFire malware verdict

    • Quarantine WildFire and Local Analysis malware verdict

    By default, the Cortex XDR agent blocks malware from running, but does not quarantine the file. You can enable one of the options to quarantine files, depending on the verdict issuer.

    Note

    The Quarantine Malicious Mach-O Files feature is not available for malware identified on network drives.

    Action on unknown Mach-O files to WildFire

    • Allow

    • Run Local Analysis

    • Block

    Allow: Unknown files are not blocked and local verdicts are not issued for them.

    Run Local Analysis: The Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.

    Block: Block unknown files but do not run local analysis. In this case, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.

    Action when WildFire verdict is Benign Low Confidence

    • Allow

    • Run Local Analysis

    • Block

    Select the action to take when a file with a Benign Low Confidence verdict from WildFire tries to run on the endpoint. When local analysis is enabled, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file. If you block this file but do not run a local analysis, the file remains blocked until the Cortex XDR agent receives a high-confidence WildFire verdict.

    Warning

    For optimal user experience, we recommend that you set the action mode to either Allow or Run Local Analysis.

    Upload Mach-O files for cloud analysis

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.

    The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.

    Treat Grayware as Malware

    • Enabled

    • Disabled

    When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.

    When disabled, grayware is considered benign, and is not blocked.

  12. Configure Local File Threat Examination to enable detection of malicious files on the endpoint.

    Note

    This module is supported by Cortex XDR agent 8.1.0 and later releases.

    Item

    Options

    More details

    Action Mode

    • Enabled

    • Disabled

    When enabled, the Local Threat-Evaluation Engine (LTEE) analyzes the endpoint for PHP files arriving from a web server and alerts about any malicious PHP scripts.

    Terminate Malicious Processes

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent terminates malicious PHP files on the endpoint.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines malicious files on the endpoint and does not quarantine updated files.

  13. Configure DMG File Examination to check DMG files for malware.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects attempts to run malware in DMG files, it performs the configured action.

    Quarantine Malicious Executables

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines malicious executable DMG files.

    Note

    The Quarantine Malicious Executables feature is not available for malware identified on network drives.

    Upload unknown files to WildFire

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.

    The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.

  14. To save the profile, click Create.

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select EndpointsPolicy ManagementPreventionProfiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Linux platform, and Malware as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure Endpoint Scanning to scan endpoints for dormant, inactive malware.

    Note

    Endpoint scanning is enabled by default on the following: /etc, /tmp, /home, /usr, /bin, /sbin, /lib, /var, /opt, /dev, /root, /boot.

    Item

    Options

    More details

    Periodic Scan

    • Enabled

    • Disabled

    Note

    We recommend that you disable scheduled scanning on VDI machines: scans of VDI machines are based on the golden image, and additional files are examined when they are executed.

    Periodic scanning enables you to scan endpoints on a recurring basis without waiting for malware to run on the endpoint. When enabled, you can set the time interval (weekly or monthly) and the day and time at which to start scanning.

    Periodic scanning is persistent, and if the scan is scheduled to start while the endpoint is turned off, the scan will be initiated when the endpoint is turned on again. The scheduling of future scans is not affected by this delay.

    Note

    When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning scheduling time.

    Scan Timeout

    Number of hours

    If a scan exceeds the number of hours configured here, the Cortex XDR agent stops the scan.

    Scan Additional Directories

    1. If you want to scan additional directories, click +Add.

    2. Enter a directory path. Use ? to match a single character or * to match any string of characters in the directory path.

    3. Press Enter or click the check mark.

    4. To add additional folders, repeat these steps.

  3. Configure the Global Behavioral Threat Protection Rules. These rules can be used to protect endpoints from malicious causality chains.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    The Cortex XDR agent protects against malicious causality chains, using behavioral threat protection rules. When the action mode is set to Block, the Cortex XDR agent terminates all processes and threads in the event chain up to the causality group owner (CGO).

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes and the artifacts, such as files, related to the CGO.

    When disabled, the Cortex XDR agent does not quarantine the CGO of an event chain, nor any scripts or files called by the CGO.

  4. Configure Credential Gathering Protection to protect endpoints from processes trying to access or steal passwords and other credentials.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    The Cortex XDR agent protects against all processes and threads in the event chain up to the credential gathering process or file.

    When this module is disabled, the Cortex XDR agent does not analyze the event chain and does not block credential gathering.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the process or file related to the credential gathering event chain.

  5. Configure Anti Webshell Protection to protect endpoint processes from dropping malicious web shells.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a process that attempts to drop malicious web shells, it performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the processes or files that are related to the web shell drop event chain, and any scripts or files called by the web shell dropping process.

  6. Configure Financial Malware Threat Protection to protect against techniques specific to financial and banking malware.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal financial or banking information, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the process or file related to the financial malware event chain.

  7. Configure Cryptominers Protection to protect against attempts to locate or steal cryptocurrencies.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    In a causality chain, when the Cortex XDR agent detects a cryptomining process or file, the Cortex XDR agent performs the configured action.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines the process or file detected during a cryptocurrency gathering attempt.

  8. Configure Container Escaping Protection to protect against container-escaping attempts.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects container escaping attempts, it performs the configured action.

  9. Configure ELF File Examination to examine ELF files on endpoints and perform additional actions on them.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects attempts to run malware in ELF files, it performs the configured action.

    Quarantine malicious ELF files

    • Disabled

    • Quarantine WildFire malware verdict

    • Quarantine WildFire and Local Analysis malware verdict

    By default, the Cortex XDR agent blocks malware from running, but does not quarantine the file. You can enable one of the options to quarantine files, depending on the verdict issuer.

    Note

    The Quarantine Malicious ELF Files feature is not available for malware identified on network drives.

    Action on unknown ELF files to WildFire

    • Allow

    • Run Local Analysis

    • Block

    Allow: Unknown files are not blocked and local verdicts are not issued for them.

    Run Local Analysis: The Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.

    Block: Block unknown files but do not run local analysis. In this case, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.

    Upload ELF files for cloud analysis

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.

    The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.

    Treat Grayware as Malware

    • Enabled

    • Disabled

    When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.

    When disabled, grayware is considered benign, and is not blocked.
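The ELF File Examination settings above interact: the Action Mode decides block versus report, Treat Grayware as Malware decides whether grayware is handled at all, the quarantine option depends on who issued the verdict, and the unknown-file setting decides what happens before WildFire answers. The following Python model is an added example, not Cortex XSIAM code; the class, field names and the rule that a file is quarantined only when it is actually blocked are assumptions. The same decisions apply to the Mach-O File Examination step of the macOS profile and, without the quarantine option, to the APK Files Examination step of the Android profile.

```python
from dataclasses import dataclass

WILDFIRE_MAX_BYTES = 100 * 1024 * 1024  # "WildFire accepts files up to 100 MB"


@dataclass
class ElfProfile:
    """The ELF File Examination settings from the table above (names assumed)."""
    action_mode: str = "Block"                  # Block | Report | Disabled
    quarantine: str = "Disabled"                # Disabled | WildFire | WildFire and Local Analysis
    unknown_action: str = "Run Local Analysis"  # Allow | Run Local Analysis | Block
    upload_for_cloud_analysis: bool = True
    treat_grayware_as_malware: bool = False


def decide(profile, verdict, issuer="wildfire", size_bytes=0,
           on_network_drive=False, local_verdict="benign"):
    """Return (action, quarantine, upload) for one attempt to run an ELF file.

    verdict: malware | grayware | benign | unknown, issued by `issuer`
    ("wildfire" or "local"). local_verdict is what the agent's embedded ML
    would say if Run Local Analysis is applied to an unknown file.
    action is "allow", "report" or "block". Modelling assumption: a file is
    quarantined only when it is actually blocked.
    """
    if profile.action_mode == "Disabled":
        return ("allow", False, False)          # neither analyzed nor reported
    if verdict == "unknown":
        upload = profile.upload_for_cloud_analysis and size_bytes <= WILDFIRE_MAX_BYTES
        if profile.unknown_action == "Block":   # blocked until an official WildFire verdict
            return ("block", False, upload)
        if profile.unknown_action == "Allow":   # no local verdict is issued
            return ("allow", False, upload)
        # Run Local Analysis: act on the local verdict, with "local" as the issuer
        local = local_verdict if local_verdict != "unknown" else "benign"
        action, quarantine, _ = decide(profile, local, "local", size_bytes, on_network_drive)
        return (action, quarantine, upload)
    if verdict == "grayware" and not profile.treat_grayware_as_malware:
        return ("allow", False, False)          # grayware is considered benign
    if verdict in ("malware", "grayware"):
        action = "block" if profile.action_mode == "Block" else "report"
        quarantine = False
        if action == "block" and not on_network_drive:  # not available on network drives
            if profile.quarantine == "WildFire":
                quarantine = issuer == "wildfire"
            elif profile.quarantine == "WildFire and Local Analysis":
                quarantine = issuer in ("wildfire", "local")
        return (action, quarantine, False)
    return ("allow", False, False)              # benign
```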

  10. Configure Local File Threat Examination to enable detection of malicious files on the endpoint.

    Note

    This module is supported by Cortex XDR agent 8.1.0 and later releases.

    Item

    Options

    More details

    Action Mode

    • Enabled

    • Disabled

    When enabled, the Local Threat-Evaluation Engine (LTEE) analyzes the endpoint for PHP files arriving from a web server and alerts about any malicious PHP scripts.

    Quarantine Malicious Files

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent quarantines malicious files on the endpoint and does not quarantine updated files.

  11. Configure Reverse Shell Protection to prevent attempts to redirect standard input and output streams to network sockets.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects attempts to redirect standard input and output streams to network sockets, it performs the configured action.

  12. To save the profile, click Create.

  1. Add a new profile and define basic settings.

    1. From Cortex XSIAM, select EndpointsPolicy ManagementPreventionProfiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.

      Note

      New profiles based on imported profiles are added, and do not replace existing ones.

    2. Select the Android platform, and Malware as the profile type.

    3. Click Next.

    4. For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.

    5. For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.

  2. Configure APK Files Examination, to analyze and prevent malicious APK files from running on endpoints.

    Item

    Options

    More details

    Action Mode

    • Block

    • Report

    • Disabled

    When the Cortex XDR agent detects attempts to run malicious APK files, it performs the configured action.

    Action on unknown APK files to WildFire

    • Allow

    • Run Local Analysis

    • Block

    Allow: Unknown files are not blocked and local verdicts are not issued for them.

    Run Local Analysis: The Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.

    Block: Block unknown files but do not run local analysis. In this case, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.

    Upload APK files for cloud analysis

    • Enabled

    • Disabled

    When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.

    The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.

    Treat Grayware as Malware

    • Enabled

    • Disabled

    When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.

    When disabled, grayware is considered benign, and is not blocked.

  3. To save the profile, click Create.