Processes to be Whitelisted on EDR Deployments

Here are the ADEM processes that you must whitelist on your EDR deployments in order for Autonomous DEM to run.
MacOS Process

| Process | Process Description | User/Permission level |
| --- | --- | --- |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/MacOS/crypter | Debugging tool as of 3.0.0. In previous versions, it was used to read encrypted data from GlobalProtect: username, subtenant_id, certificate password. | _panwdem (sudo) |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemPathTestService.xpc/Contents/MacOS/mtr | Path Trace test for showing path visualization data on ADEM portal | _panwdem (sudo) |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemPathTestService.xpc/Contents/MacOS/DemPathTestService | Invokes the mtr process for path traces. | _panwdem |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemWebTestService.xpc/Contents/MacOS/DemWebTestService | Runs the curl process. | _panwdem |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemWebTestService.xpc/Contents/MacOS/curl | Application Performance test using Curl | _panwdem |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemUpdateService.xpc/Contents/MacOS/DemUpdateService | Endpoint DEM service software update manager | root |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemNetworkTestService.xpc/Contents/MacOS/DemNetworkTestService | Runs ICMP/TCP ping tests. | _panwdem |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemCollectionService.xpc/Contents/MacOS/DemCollectionService | Collects local system metrics such as CPU, memory, and Wi-Fi statistics. | _panwdem |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemPortalService.xpc/Contents/MacOS/DemPortalService | Provides connectivity to the ADEM portal for incoming configuration and transmission of test results. | _panwdem |
| /Applications/GlobalProtect Autonomous DEM.app/Contents/Services/DemTransmissionService.xpc/Contents/MacOS/DemTransmissionService | Runs periodically to collect test results from the other services and transmits them to the portal via the portal service. | _panwdem |
| /etc/sudoers.d/‘palo_alto_networks_dem.tmp’ | File that lists the processes that require sudo access | _panwdem (sudo) |

Windows Process

| Process | Process Description | User/Permission level |
| --- | --- | --- |
| C:\Program Files\Palo Alto Networks\DEM\bin\curl | Application Performance test using Curl | Network Service |
| C:\Program Files\Palo Alto Networks\DEM\bin\mtr-packet | Path Trace test for showing path visualization data on ADEM portal | Network Service |
| C:\Program Files\Palo Alto Networks\DEM\bin\mtr | Invokes the mtr process for path traces. | Network Service |
| C:\Program Files\Palo Alto Networks\DEM\bin\tcping | Network Performance test for Applications using TCP Ping | Network Service |
| C:\Program Files\Palo Alto Networks\DEM\AgentProcess | This is the main agent process that provides portal connectivity and test coordination. | Local System |
| C:\Program Files\Palo Alto Networks\DEM\GlobalProtectAutonomousDEM | The main service that launches the AgentProcess. | Local System |
| C:\Program Files\Palo Alto Networks\DEM\GlobalProtectAutonomousDEMUpdater | Endpoint DEM service software update manager | Local System |
