Add a New Protected Process

A process is an active instance of a program that is executed by the operating system. You can view all active processes that are currently running including the names of core system processes using standard programs or commands (for example Windows Task Manager on Windows endpoints or the macOS Activity Monitor on Mac endpoints). Many core system processes are protected by the operating system and cannot be renamed. Changing the name of these system process—for example, changing the name of the calc.exe process to calc1.exe—can cause the process to stop functioning. Because Traps identifies processes by name, changing the name of a process can also prevent Traps from applying protection rules to the new process name.

The ESM Console is preconfigured with a Default Protection Policy that protects the most vulnerable and most commonly used processes on Windows, Mac, and Linux endpoints. You can protect additional uncommon, third-party, and proprietary processes by adding their names to the list of protected processes. Each rule in the exploit protection policy protects one or more processes from a specific type of exploit or vulnerability using exploit protection modules (EPMs). Depending on the configuration, Traps can activate the EPM in all processes or in specific process names. Adding a new process to the list of protected processes enables you to automatically protect the process-without any additional configuration-using any exploit protection rules that apply to all processes.

To ensure process protection continues, we recommend that you do not change the names of commonly used processes on the system. If a process name change is required, ensure that you add the renamed process as a protected process and mirror the protection rules for the old process name. As needed, you can also configure additional exploit protection rules to protect the process.

By extending protection to the applications that are important to your organization, you can provide maximum protection with minimal disruption of day-to-day activities. Add processes as either protected, provisional, or unprotected and configure them using the Process Management page.

You can configure only exploit protection rules on Protected or Provisional processes.

You cannot change the default Protected processes that are included in the initial setup. Consult the Palo Alto Networks support team for questions.

1. Navigate to the Process Management page.
   From the ESM Console, select PoliciesExploitProcess Management.
2. Select the operating system.
3. Add a new process.
   1. From the action menu
      , select Add.
   2. Enter the Process name.
   3. To actively protect the process using default and user-defined exploit protection rules, set the Protection type to Protected. For additional options, see Process Protection Types.
4. Save your changes to the process.
   Click Create.
5. For each new protected Windows process, configure an exploit protection rule to activate the ROP Mitigation EPM in the process and another exploit protection rule to activate the JIT Mitigation EPM in the process.
   These exploit protection rules provide the best protection with the lowest false-positive rate.
   1. For each EPM, Create an Exploit Protection Rule with the following settings:
      EPM:

      • Activation—On
      • Action—Notification
      • User Alert—Off

      Processes:

      Select the new protected process.

      Objects:

      To identify any unintended consequences of protecting the new process, select a small number of endpoints. If you have different environments within your organization (for example, different operating systems), we recommend that you select a few endpoints in each environment.
   2. Apply the rule and then repeat the process for the second EPM.
   3. After a period in which no issues are caused by the new rules, update and then apply the rule settings:
      EPM:

      • Action—Prevention
      • User Alert—On

      Objects:

      Expand the rule deployment: Add additional objects or remove all objects. In the case of the latter, if no objects are specified, the rule applies to all endpoints.