Configure malware security profiles to control the actions taken by Cortex XDR agents when known malware, macros, and unknown files try to run.
Malware security profiles protect against the execution of malware including trojans, viruses, worms, and grayware. Malware security profiles serve two main purposes: to define how to treat behavior common with malware, such as ransomware or script-based attacks, and to define how to treat known malware and unknown files.
You can configure the action that Cortex XDR agents take when known malware, macros, and unknown files try to run on endpoints. By default, the Cortex XDR agent will receive the default profile that contains a pre-defined configuration for each malware protection capability supported by the platform. The default setting for each capability is shown in parentheses in the user interface. To fine-tune your malware security policy, you can override the configuration of each capability to block the malicious behavior or file, allow but report it, or disable the module.
For each setting that you override, clear the Use Default option, and select the setting of your choice.
Note
In this profile, the Report options configure the endpoints to report the corresponding suspicious files, actions, processes, or behaviors to Cortex XSIAM, without blocking them. The Disabled options configure the endpoints to neither analyze nor report the corresponding malware or behavior.
The tasks below are organized according to the operating systems used by your organization's endpoints.
Add a new profile and define basic settings.
From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Windows platform, and Malware as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure Portable Executable and DLL Examination. The Cortex XDR agent can analyze and prevent malicious executable files and DLL files from running on Windows endpoints.
Note
As part of the anti-malware security flow, the Cortex XDR agent leverages the operating system's capability to identify revoked certificates for executables, and DLL files that attempt to run on the endpoint by accessing the Windows Certificate Revocation List (CRL). To allow the Cortex XDR agent access the CRL, you must enable internet access over port 80 for Windows endpoints. If the endpoint is not connected to the internet, or you experience delays with executables and DLLs running on the endpoint, contact Customer Support.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects attempts to run malware, it performs the configured action.
Quarantine Malicious Executables
Disabled
Quarantine WildFire malware verdict
Quarantine WildFire and Local Analysis malware verdict
By default, the Cortex XDR agent blocks malware from running, but does not quarantine the file. You can enable one of the options to quarantine files, depending on the verdict issuer.
Note
The Quarantine Malicious Executables feature is not available for malware identified on network drives.
Action when file is unknown to WildFire
Allow
Run Local Analysis
Block
Allow: Unknown files are not blocked and local verdicts are not issued for them.
Run Local Analysis: The Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.
Block: Block unknown files but do not run local analysis. In this case, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
Action when file is benign with low confidence
Allow
Run Local Analysis
Block
Select the action to take when a file with a Benign Low Confidence verdict from WildFire tries to run on the endpoint. When local analysis is enabled, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file. If you block this file but do not run a local analysis, the file remains blocked until the Cortex XDR agent receives a high-confidence WildFire verdict.
To enable this capability, ensure that WildFire analysis scoring is also enabled in Global Agent Settings.
Warning
For optimal user experience, we recommend that you set the action mode to either Allow or Run Local Analysis.
Upload unknown files to WildFire
Enabled
Disabled
When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.
The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.
Treat Grayware as Malware
Enabled
Disabled
When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.
When disabled, grayware is considered benign, and is not blocked.
Configure options for Office Files with Macros Examination. The Cortex XDR agent can analyze and prevent malicious macros embedded in Microsoft Office files (Word, Excel) from running on Windows endpoints.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects attempts to run malware, it performs the configured action.
Action when file is unknown to WildFire
Allow
Run Local Analysis
Block
Select the action to take when a file is not recognized by WildFire. When local analysis is enabled, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.
If you block unknown files, but do not run local analysis, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
Action when WildFire verdict is Benign Low Confidence
Allow
Run Local Analysis
Block
Select the action to take when a file with a Benign Low Confidence verdict from WildFire tries to run on the endpoint. When local analysis is enabled, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.
If you block this file but do not run a local analysis, the file remains blocked until the Cortex XDR agent receives a high-confidence WildFire verdict.
To enable this capability, ensure that WildFire analysis scoring is also enabled in Global Agent Settings.
Warning
For optimal user experience, we recommend that you set the action mode to either Allow or Run Local Analysis.
Upload unknown files to WildFire
Enabled
Disabled
When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis. For macro analysis, the Cortex XDR agent sends the Microsoft Office file containing the macro.
The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.
Examine Office files from network drives
Enabled
Disabled
You can enable the Cortex XDR agent to examine Microsoft Office files on network drives when they contain a macro that attempts to run.
Configure On-write File Protection to monitor and take action on malicious files during the on-write process.
Item
Options
More details
Action Mode
Enabled
Disabled
When enabled, the Cortex XDR agent monitors for malicious files during the on-write process, and if finds any, it sends alerts and quarantines the files.
Configure the Global Behavioral Threat Protection Rules. Use these rules to protect endpoints from malicious causality chains.
Item
Options
More details
Action Mode
Block
Report
Disabled
The Cortex XDR agent protects against malicious causality chains, using behavioral threat protection rules. When the action mode is set to Block, the Cortex XDR agent terminates all processes and threads in the event chain up to the causality group owner (CGO).
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes and the artifacts, such as files, related to the CGO.
When disabled, the Cortex XDR agent does not quarantine the CGO of an event chain, nor any scripts or files called by the CGO.
Action Mode for Vulnerable Drivers Protection
Block
Report
Disabled
Behavioral threat protection rules can also detect attempts to load vulnerable drivers which can be used to bypass the Cortex XDR agent. As with other rules, Palo Alto Networks threat researchers can deliver changes to vulnerable driver rules with content updates.
Advanced API Monitoring
Enabled
Disabled
When enabled, the Cortex XDR agent adds additional hooks in user mode processes for increased coverage of anti-exploit and anti-malware modules.
Configure Credential Gathering Protection to protect endpoints from processes trying to access or steal passwords and other credentials.
Item
Options
More details
Action Mode
Block
Report
Disabled
The Cortex XDR agent protects against all processes and threads in the event chain up to the credential gathering process or file.
When this module is disabled, the Cortex XDR agent does not analyze the event chain and does not block credential gathering.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the process or file related to the credential gathering event chain.
Configure Anti Webshell Protection to protect endpoint processes from dropping malicious web shells.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a process that attempts to drop malicious web shells, it performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files that are related to the web shell drop event chain, and any scripts or files called by the web shell dropping process.
Configure Financial Malware Threat Protection to protect against techniques specific to financial and banking malware.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal financial or banking information, the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files related to the financial information gathering event chain, and scripts or files called by the financial information gathering process.
Configure Cryptominers Protection to protect against attempts to locate or steal cryptocurrencies.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a cryptomining process or file, the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the process or file detected during a cryptocurrency gathering attempt.
Configure In-process shellcode protection to protect against in-process shellcode attack threats.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a process that attempts to run in-process shellcodes to load malicious code, the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the in-process shellcode processes or files related to a causality chain.
Process Injection 32 Bit
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines 32 bit in-process shellcode processes or files related to a causality chain.
Configure Malicious Device Prevention to protect against the connection of potentially malicious devices to endpoints.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects the connection of potentially malicious external device to an endpoint, the Cortex XDR agent performs the configured action.
Configure UAC Bypass Prevention to protect against the User Access Control (UAC) bypass mechanism that is associated with privilege elevation attempts.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects a UAC bypass mechanism, the Cortex XDR agent performs the configured action. The Block option blocks all processes and threads in the event chain up to the UAC bypass mechanism.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the UAC bypass processes or files related to the chain, and any scripts or files released to the UAC bypass mechanism.
Configure Anti Tampering Protection to protect against tampering attempts.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects a tampering attempt, including modification and/or termination of the Cortex XDR agent, it performs the configured action.
If you choose the Block option, you must also enable XDR Agent Tampering Protection in the Agent Settings profile, and ensure that both profiles are assigned to the same endpoints.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files that are related to the tampering attempt.
Malicious Safe Mode Rebooting Protection
Block
Report
Disabled
Define the action to take when the Cortex XDR agent detects safe mode reboot attempts made suspiciously by other apps.
Configure IIS Protection to protect against Internet Information Server (IIS) attacks.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects a threat that targets an Internet Information Server (IIS), the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files that are related to the IIS attack.
Configure UEFI Protection, to protect the endpoint from Unified Extensible Firmware Interface (UEFI) manipulation attempts.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects UEFI manipulation attempts, it performs the configured action. When Block is selected, the Cortex XDR agent blocks all processes and threads in the event chain, up to the UEFI threat.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files that are related to the UEFI threat.
Configure Respond to Malicious Causality Chains options, which define the automatic response actions taken by the Cortex XDR agent when it identifies malicious causality chains.
Item
Options
More details
Terminate Connection and Block IP Address of Remote Causality Group Owner
Enabled
Disabled
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication, and to block new connections from this IP address to the endpoint. When Cortex XSIAM blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate.
Configure Ransomware Protection to protect against encryption-based activity associated with ransomware attacks.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects ransomware activity locally on the endpoint or in pre-defined network folders, the Cortex XDR agent performs the configured action.
Quarantine Malicious Process
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes that are related to the ransomware activity.
The Quarantine Malicious Process option is only available if Action Mode is set to Block.
Protection Mode
Normal
Aggressive
By default, Protection Mode is set to Normal, where the decoy files on the endpoint are present, but do not interfere with benign applications and end user activity on the endpoint. If you suspect your network has been infected with ransomware, and you need to provide better coverage, you can apply the Aggressive protection mode. Aggressive mode exposes more applications in your environment to the Cortex XDR agent decoy files. However, it also increases the likelihood that benign software is exposed to decoy files, raising false ransomware alerts, and impairing user experience.
Configure Malicious Child Process Protection to prevent script-based attacks. Such attacks can be used to deliver malware by blocking targeted processes that are commonly used to bypass traditional security methods.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects known suspicious parent-child relationships that are used to bypass security, the Cortex XDR agent performs the configured action. When Block is selected, known suspicious child processes are blocked from starting.
Configure Endpoint Scanning to scan endpoints and attached removable drives for dormant, inactive malware.
Item
Options
More details
End-User Initiated Local Scan
Enabled
Disabled
When enabled, the endpoint user can perform a local scan on the endpoint.
Periodic Scan
Enabled
Disabled
Note
We recommend that you disable scheduled scanning. VDI machine scans are based on the golden image and additional files will be examined upon execution.
Periodic scanning enables you to scan endpoints on a recurring basis without waiting for malware to run on the endpoint. When enabled, you can set the time interval (weekly or monthly) and the day and time at which to start scanning. In addition, you can choose to enable or disable scanning of removable media drives.
Periodic scanning is persistent, and if the scan is scheduled to start while the endpoint is turned off, the scan will be initiated when the endpoint is turned on again. The scheduling of future scans is not affected by this delay.
Note
When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning scheduling time.
To prevent attacks that extract passwords from memory using the Mimikatz tool, set Password Theft Protection to Enabled.
Configure the Network Packet Inspection Engine to analyze network packet data for malicious behavior.
Item
Options
More details
Action Mode
Terminate session
Report
Disabled
By analyzing the network packet data, the Cortex XDR agent can already detect malicious behavior at the network level, and provide protection to the growing corporate network boundaries. The engine leverages both Palo Alto Networks NGFW content rules, and new Cortex XDR content rules created by the Cortex XDR Research Team. The Cortex XDR content rules are updated through the security content. This feature focuses on detecting outbound C2 activity.
The Terminate session option configures Cortex XDR agents to analyze connections and to drop the malicious connections.
The Report option configures XDR agents to analyze connections, to allow the transmission of packets in your network, but to report them to Cortex XSIAM.
To save the profile, click Create.
What to do next
If you are ready to apply your new profile to endpoints, you do this by adding it to a policy rule. If you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which to assign the policy. There are different ways of doing this, such as:
Navigate to Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Right click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.
Add a new profile and define basic settings.
From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the macOS platform, and Malware as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure the Global Behavioral Threat Protection Rules. These rules can be used to protect endpoints from malicious causality chains.
Item
Options
More details
Action Mode
Block
Report
Disabled
The Cortex XDR agent protects against malicious causality chains, using behavioral threat protection rules. When the action mode is set to Block, the Cortex XDR agent terminates all processes and threads in the event chain up to the causality group owner (CGO).
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes and the artifacts, such as files, related to the CGO.
When disabled, the Cortex XDR agent does not quarantine the CGO of an event chain, nor any scripts or files called by the CGO.
Configure Credential Gathering Protection to protect endpoints from processes trying to access or steal passwords and other credentials.
Item
Options
More details
Action Mode
Block
Report
Disabled
The Cortex XDR agent protects against all processes and threads in the event chain up to the credential gathering process or file.
When this module is disabled, the Cortex XDR agent does not analyze the event chain and does not block credential gathering.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the process or file related to the credential gathering event chain.
Configure Anti Webshell Protection to protect endpoint processes from dropping malicious web shells.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a process that attempts to drop malicious web shells, it performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files that are related to the web shell drop event chain, and any scripts or files called by the web shell dropping process.
Configure Financial Malware Threat Protection to protect against techniques specific to financial and banking malware.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal financial or banking information, the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files related to the financial information gathering event chain, and scripts or files called by the financial information gathering process.
Configure Cryptominers Protection to protect against attempts to locate or steal cryptocurrencies.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a cryptomining process or file, the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the process or file detected during a cryptocurrency gathering attempt.
Configure Anti Tampering Protection to protect against tampering attempts.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects a tampering attempt, including modification and/or termination of the Cortex XDR agent, it performs the configured action.
If you choose the Block option, you must also enable XDR Agent Tampering Protection in the Agent Settings profile, and ensure that both profiles are assigned to the same endpoints.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files that are related to the tampering attempt.
Configure Ransomware Protection to protect against encryption-based activity associated with ransomware attacks.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects ransomware activity locally on the endpoint or in pre-defined network folders, the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the files that are related to the ransomware activity.
Configure Malicious Child Process Protection to prevent script-based attacks. Such attacks can be used to deliver malware by blocking targeted processes that are commonly used to bypass traditional security methods.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects known suspicious parent-child relationships that are used to bypass security, the Cortex XDR agent performs the configured action. When Block is selected, known suspicious child processes are blocked from starting.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the files that are related to a malicious child process.
Configure Endpoint Scanning to scan endpoints and attached removable drives for dormant, inactive malware.
Item
Options
More details
Periodic Scan
Enabled
Disabled
Note
We recommend that you disable scheduled scanning. VDI machine scans are based on the golden image and additional files will be examined upon execution.
Periodic scanning enables you to scan endpoints on a recurring basis without waiting for malware to run on the endpoint. When enabled, you can set the time interval (weekly or monthly) and the day and time at which to start scanning. In addition, you can choose to enable or disable scanning of removable media drives.
Periodic scanning is persistent, and if the scan is scheduled to start while the endpoint is turned off, the scan will be initiated when the endpoint is turned on again. The scheduling of future scans is not affected by this delay.
Note
When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning scheduling time.
Configure Mach-O Files Examination to check Mach-O files for malware.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects attempts to run malware, it performs the configured action.
Quarantine malicious Mach-O files
Disabled
Quarantine WildFire malware verdict
Quarantine WildFire and Locals Analysis malware verdict
By default, the Cortex XDR agent blocks malware from running, but does not quarantine the file. You can enable one of the options to quarantine files, depending on the verdict issuer.
Note
The Quarantine Malicious Mach-O Files feature is not available for malware identified on network drives.
Action on unknown Mach-O files to WildFire
Allow
Run Local Analysis
Block
Allow: Unknown files are not blocked and local verdicts are not issued for them.
Run Local Analysis: The Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.
Block: Block unknown files but do not run local analysis. In this case, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
Upload Mach-O files for cloud analysis
Enabled
Disabled
When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.
The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.
Treat Grayware as Malware
Enabled
Disabled
When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.
When disabled, grayware is considered benign, and is not blocked.
Configure Local File Threat Examination to enable detection of malicious files on the endpoint.
Note
This module is supported by Cortex XDR agent 8.1.0 and later releases.
Item
Options
More details
Action Mode
Enabled
Disabled
When enabled, the Local Threat-Evaluation Engine (LTEE) analyzes the endpoint for PHP files arriving from a web server and alerts about any malicious PHP scripts.
Terminate Malicious Processes
Enabled
Disabled
When enabled, the Cortex XDR agents terminates malicious PHP files on the endpoint.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines malicious files on the endpoint and does not quarantine updated files.
Configure DMG File Examination to check DMG files for malware.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects attempts to run malware in DMG files, it performs the configured action.
Quarantine Malicious Executables
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines malicious executable DMG files.
Note
The Quarantine Malicious Executables feature is not available for malware identified on network drives.
Upload unknown files to WildFire
Enabled
Disabled
When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.
The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.
To save the profile, click Create.
What to do next
If you are ready to apply your new profile to endpoints, you do this by adding it to a policy rule. If you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which to assign the policy. There are different ways of doing this, such as:
Navigate to Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Right click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.
Add a new profile and define basic settings.
From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Linux platform, and Malware as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure the Global Behavioral Threat Protection Rules. These rules can be used to protect endpoints from malicious causality chains.
Item
Options
More details
Action Mode
Block
Report
Disabled
The Cortex XDR agent protects against malicious causality chains, using behavioral threat protection rules. When the action mode is set to Block, the Cortex XDR agent terminates all processes and threads in the event chain up to the causality group owner (CGO).
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes and the artifacts, such as files, related to the CGO.
When disabled, the Cortex XDR agent does not quarantine the CGO of an event chain, nor any scripts or files called by the CGO.
Configure Credential Gathering Protection to protect endpoints from processes trying to access or steal passwords and other credentials.
Item
Options
More details
Action Mode
Block
Report
Disabled
The Cortex XDR agent protects against all processes and threads in the event chain up to the credential gathering process or file.
When this module is disabled, the Cortex XDR agent does not analyze the event chain and does not block credential gathering.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the process or file related to the credential gathering event chain.
Configure Anti Webshell Protection to protect endpoint processes from dropping malicious web shells.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a process that attempts to drop malicious web shells, it performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the processes or files that are related to the web shell drop event chain, and any scripts or files called by the web shell dropping process.
Configure Financial Malware Threat Protection to protect against techniques specific to financial and banking malware.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal financial or banking information, the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
In a causality chain, when the Cortex XDR agent detects a process that attempts to access or steal financial or banking information, the Cortex XDR agent performs the configured action.
Configure Cryptominers Protection to protect against attempts to locate or steal cryptocurrencies.
Item
Options
More details
Action Mode
Block
Report
Disabled
In a causality chain, when the Cortex XDR agent detects a cryptomining process or file, the Cortex XDR agent performs the configured action.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines the process or file detected during a cryptocurrency gathering attempt.
Configure Container Escaping Protection to protect against container-escaping attempts.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects container escaping attempts, it performs the configured action.
Configure Endpoint Scanning to scan endpoints for dormant, inactive malware.
Note
Endpoint scanning is enabled by default on the following:
/etc,/tmp,/home,/usr,/bin,/sbin,/lib,/var,/opt,/dev,/root,/boot.Item
Options
More details
Periodic Scan
Enabled
Disabled
Note
We recommend that you disable scheduled scanning. VDI machine scans are based on the golden image and additional files will be examined upon execution.
Periodic scanning enables you to scan endpoints on a recurring basis without waiting for malware to run on the endpoint. When enabled, you can set the time interval (weekly or monthly) and the day and time at which to start scanning.
Periodic scanning is persistent, and if the scan is scheduled to start while the endpoint is turned off, the scan will be initiated when the endpoint is turned on again. The scheduling of future scans is not affected by this delay.
Note
When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning scheduling time.
Scan Timeout
Number of hours
If a scan exceeds the number of hours configured here, the Cortex XDR agent stops the scan.
Scan Additional Directories
If you want to scan additional directories, click +Add.
Enter a directory path. Use ? to match a single character or * to match any string of characters in the directory path.
Press Enter or click the check mark.
To add additional folders, repeat these steps.
Configure ELF File Examination to examine ELF files on endpoints and perform additional actions on them.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects attempts to run malware in ELF files, it performs the configured action.
Quarantine malicious ELF files
Disabled
Quarantine WildFire malware verdict
Quarantine WildFire and Local Analysis malware verdict
By default, the Cortex XDR agent blocks malware from running, but does not quarantine the file. You can enable one of the options to quarantine files, depending on the verdict issuer.
Note
The Quarantine Malicious ELF Files feature is not available for malware identified on network drives.
Action on unknown ELF files to WildFire
Allow
Run Local Analysis
Block
Allow: Unknown files are not blocked and local verdicts are not issued for them.
Run Local Analysis: The Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.
Block: Block unknown files but do not run local analysis. In this case, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
Upload ELF files for cloud analysis
Enabled
Disabled
When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.
The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.
Treat Grayware as Malware
Enabled
Disabled
When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.
When disabled, grayware is considered benign, and is not blocked.
Configure Local File Threat Examination to enable detection of malicious files on the endpoint.
Note
This module is supported by Cortex XDR agent 8.1.0 and later releases.
Item
Options
More details
Action Mode
Enabled
Disabled
When enabled, the Local Threat-Evaluation Engine (LTEE) analyzes the endpoint for PHP files arriving from a web server and alerts about any malicious PHP scripts.
Quarantine Malicious Files
Enabled
Disabled
When enabled, the Cortex XDR agent quarantines malicious files on the endpoint and does not quarantine updated files.
Configure Reverse Shell Protection to prevent attempts to redirect standard input and output streams to network sockets.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects attempts to redirect standard input and output streams to network sockets, it performs the configured action.
To save the profile, click Create.
What to do next
If you are ready to apply your new profile to endpoints, you do this by adding it to a policy rule. If you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which to assign the policy. There are different ways of doing this, such as:
Navigate to Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Right click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.
Add a new profile and define basic settings.
From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the Android platform, and Malware as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
Configure APK Files Examination, to analyze and prevent malicious APK files from running on endpoints.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects attempts to run malicious APK files, it performs the configured action.
Action on unknown APK files to WildFire
Allow
Run Local Analysis
Block
Allow: Unknown files are not blocked and local verdicts are not issued for them.
Run Local Analysis: The Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware, and issues a local verdict for the file.
Block: Block unknown files but do not run local analysis. In this case, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
Upload APK files for cloud analysis
Enabled
Disabled
When enabled, the Cortex XDR agent sends unknown files to Cortex XSIAM, and Cortex XSIAM sends the files to WildFire for analysis.
The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100 MB in size.
Treat Grayware as Malware
Enabled
Disabled
When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.
When enabled, Cortex XSIAM treats all grayware with the same Action Mode as configured for malware.
To save the profile, click Create.
What to do next
If you are ready to apply your new profile to endpoints, you do this by adding it to a policy rule. If you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which to assign the policy. There are different ways of doing this, such as:
Navigate to Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Right click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.
Add a new profile and define basic settings.
From Cortex XSIAM, select Endpoints → Policy Management → Prevention → Profiles. Click +Add Profile, and select whether to create a new profile, or to import a profile from a file.
Note
New profiles based on imported profiles are added, and do not replace existing ones.
Select the iOS platform, and Malware as the profile type.
Click Next.
For Profile Name, enter a unique name for the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name will be visible from the list of profiles when you configure a policy rule.
For Description, to provide additional context for the purpose or business reason for creating the profile, enter a profile description. For example, you might include an incident identification number or a link to a help desk ticket.
Configure SMS, MMS and Safari Malicious URL filtering to analyze and block SMS and MMS messages from unknown senders.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects SMS and MMS messages containing malicious URLs from unknown senders, configure the Cortex XDR agent to perform the desired action when Safari is used to access these URLs.
To add numbers to the Block List, click +Add and enter the URL. Press Enter to add more URLs.
To add URLs to the Allow List, define a list on the Legacy Agent Exceptions page.
Configure Spam Reports to report calls and messages as spam to Cortex XSIAM.
Item
Options
More details
Spam Report
Enabled
Disabled
Configure reporting of spam calls and messages to Cortex XSIAM analysts.
Configure Call and Messages Blocking for incoming calls and messages from known numbers.
Item
Options
More details
Action Mode
Block
Report
Disabled
When the Cortex XDR agent detects incoming calls or messages from known spam numbers, the Cortex XDR agent performs the configured action.
To add numbers to the Block List, click +Add and enter the phone number. Press Enter to add more numbers.
To add numbers to the Allow List, define a list on the Legacy Agent Exceptions page.
Note
Ensure that the same numbers are not added multiple times with different leading zeros.
To save the profile, click Create.
What to do next
If you are ready to apply your new profile to endpoints, you do this by adding it to a policy rule. If you still need to define other profiles, you can do this later. During policy rule creation or editing, you select the endpoints to which to assign the policy. There are different ways of doing this, such as:
Navigate to Endpoints → Policy Management → Prevention → Profiles.
Right-click your new profile, and select Create a new policy rule using this profile.
Configure the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Right click an existing policy and select Edit.
Add your new profile to the policy rule.
Navigate to Endpoints → Policy Management → Prevention → Policy Rules.
Click Add Policy.
Configure a new policy that includes your new profile.