Browsers can be subject to exploitation attempts from malicious web pages and exploit kits that are embedded in compromised websites. By enabling this capability, the

Cortex

XDR

agent automatically protects browsers from common exploitation attempts.

—

Attackers can use existing mechanisms in the operating system—such as DLL-loading processes or built in system processes—to execute malicious code. By enabling this capability, the

Cortex

XDR

agent automatically protects endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.

—

Common applications in the operating system, such as PDF readers, Office applications, and even processes that are a part of the operating system itself can contain bugs and vulnerabilities that an attacker can exploit. By enabling this capability, the

Cortex

XDR

agent protects these processes from attacks which try to exploit known process vulnerabilities.

To extend protection to third-party processes that are not protected by the default policy from exploitation attempts, you can add additional processes to this capability.

Attackers commonly leverage the operating system itself to accomplish a malicious action. By enabling this capability, the

Cortex

XDR

agent protects operating system mechanisms such as privilege escalation and prevents them from being used for malicious purposes.

If you have Windows endpoints in your network that are unpatched and exposed to a known vulnerability, Palo Alto Networks strongly recommends that you upgrade to the latest Windows Update that has a fix for that vulnerability. If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability allows the

Cortex

XDR

agent to apply a workaround to protect the endpoints from the known vulnerability.

—

—

Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains.

Targets encryption based activity associated with ransomware to analyze and halt ransomware before any data loss occurs.

—

—

Prevents script-based attacks used to deliver malware by blocking known targeted processes from launching child processes commonly used to bypass traditional security approaches.

—

—

Analyze and prevent malicious executable and DLL files from running.

—

—

Analyze and prevent malicious ELF files from running.

—

—

Analyze and quarantine malicious PHP files arriving from the web server.

—

—

Analyze and prevent malicious macros embedded in Microsoft Office files from running.

—

—

Analyze and prevent malicious mach-o files from running.

—

—

Analyze and prevent malicious DMG files from running.

—

—

Analyze and prevent malicious APK files from running.

—

—

—

Detect suspicious or abnormal network activity from shell processes and terminate the malicious shell process.

—

—

Analyze network packet data to detect malicious behavior.

—

—

Many attack scenarios are based on writing malicious executable files to certain folders such as the local temp or download folder and then running them. Use this capability to restrict the locations from which executable files can run.

—

—

To prevent attack scenarios that are based on writing malicious files to remote folders, you can restrict access to all network locations except for those that you explicitly trust.

—

—

To prevent malicious code from gaining access to endpoints using external media such as a removable drive, you can restrict the executable files, that users can launch from external drives attached to the endpoints in your network.

—

—