Exploit Protection Rules
4.2 (EoS)
An exploit protection rule uses exploit protection modules
(EPMs) to protect processes in your organization from specific exploitation
techniques. An EPM is a code module that you activate for one or
more processes to prevent attacks on program vulnerabilities related
to memory corruption or logic flaws.
The default security policy contains a preconfigured set of exploit
protection rules that are activated for commonly used protected
processes. You can also add applications that are important to your
organization to the list of protected or provisional processes and
then configure additional exploit protection rules for them. For
example, to protect two processes that your organization uses
(ProcessA.exe and ProcessB.exe) from a specific type of memory
corruption attack called return-oriented programming (ROP), add the
processes to the protected processes list and then create an exploit
protection rule that activates the ROP Mitigation EPM. When a user
opens a file or URL, the Traps agent injects code into the protected
process or processes involved in opening the file and activates
the EPM. If the file contains code designed to exploit APIs used
in ROP chains, Traps blocks the memory corruption attack. When a
security event triggers a prevention, the Traps agent also takes
a snapshot of the memory for subsequent forensic investigation.
On a regular basis, the Traps agent retrieves the latest security
policy from the ESM Server. The security policy determines which
processes Traps protects and the type of EPM that Traps activates
to protect the process.
View a summary of exploit protection rules on the Policies > Exploit > Protection Modules page. Selecting
a rule on the page displays further information about the rule and
other actions that you can take on the rule (Delete, Activate/Deactivate,
or Edit).
Consult with Palo Alto Networks Support before making any
changes to the EPMs in security policy rules.
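The policy model described above (protected and provisional process lists, rules that activate EPMs per process, and the Activate/Deactivate action) can be worked through as a small resolver, together with an audit check that reports which processes lose EPM coverage when a rule is changed, which is the kind of review the support caveat calls for. This is an added illustration, not Traps code or its real policy format; the `Policy`/`Rule` classes, the `coverage_loss` check, and all process and rule names other than ProcessA.exe, ProcessB.exe and ROP Mitigation are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    processes: set            # process names the rule applies to
    epms: set                 # EPMs the rule activates, e.g. "ROP Mitigation"
    active: bool = True       # Deactivate in the console flips this to False


@dataclass
class Policy:
    protected: set            # processes on the protected list
    provisional: set          # processes on the provisional list
    rules: list = field(default_factory=list)

    def effective_epms(self, process):
        """EPMs the agent activates in `process` when it opens a file or URL.
        A rule contributes only if it is active and the process is on the
        protected or provisional list; anything else is unprotected."""
        if process not in self.protected | self.provisional:
            return set()
        result = set()
        for rule in self.rules:
            if rule.active and process in rule.processes:
                result |= rule.epms
        return result


def coverage_loss(before, after):
    """Per process, EPMs active under `before` but no longer under `after`.
    Constructed audit check for reviewing a policy change; not a Traps feature."""
    lost = {}
    for proc in before.protected | before.provisional:
        gone = before.effective_epms(proc) - after.effective_epms(proc)
        if gone:
            lost[proc] = gone
    return lost


def build_org_policy():
    """Constructed sample: one default-style rule plus the ProcessA/ProcessB
    ROP Mitigation rule from the text. 'default-app.exe' is a placeholder."""
    return Policy(
        protected={"default-app.exe", "ProcessA.exe"},
        provisional={"ProcessB.exe"},
        rules=[
            Rule("default-rule", {"default-app.exe"}, {"ROP Mitigation"}),
            Rule("org-rop", {"ProcessA.exe", "ProcessB.exe", "ProcessC.exe"},
                 {"ROP Mitigation"}),  # ProcessC.exe is not on any list
        ],
    )
```

Deactivating `org-rop` and running `coverage_loss` against the original policy lists exactly the processes that would be left without ROP Mitigation.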