Endpoint Protection Capabilities

The endpoint protection capabilities vary depending on the platform (operating system) that is used on each of your endpoints.
Each security profile provides a tailored list of protection capabilities that you can configure for the platform you select. The following table describes the protection capabilities you can customize in a security profile. The table also indicates which platforms support the protection capability (a dash (—) indicates the capability is not supported).
Protection Capability | Windows | Mac | Linux | Android
Exploit Security Profiles
Browser Exploits Protection
Browsers can be subject to exploitation attempts from malicious web pages and exploit kits that are embedded in compromised websites. By enabling this capability, the Cortex XDR agent automatically protects browsers from common exploitation attempts.
Logical Exploits Protection
Attackers can use existing mechanisms in the operating system—such as DLL-loading processes or built-in system processes—to execute malicious code. By enabling this capability, the Cortex XDR agent automatically protects endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes.
Known Vulnerable Processes Protection
Common applications in the operating system, such as PDF readers, Office applications, and even processes that are a part of the operating system itself can contain bugs and vulnerabilities that an attacker can exploit. By enabling this capability, the Cortex XDR agent protects these processes from attacks which try to exploit known process vulnerabilities.
Exploit Protection for Additional Processes
To extend exploit protection to third-party processes that the default policy does not cover, add those processes to this capability.
Operating System Exploit Protection
Attackers commonly leverage the operating system itself to accomplish a malicious action. By enabling this capability, the Cortex XDR agent protects operating system mechanisms that attackers abuse for purposes such as privilege escalation and prevents them from being used maliciously.
Unpatched Vulnerabilities Protection
If you have Windows endpoints in your network that are unpatched and exposed to a known vulnerability, Palo Alto Networks strongly recommends that you upgrade to the latest Windows Update that has a fix for that vulnerability. If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability allows the Cortex XDR agent to apply a workaround to protect the endpoints from the known vulnerability.
Malware Security Profiles
Behavioral Threat Protection
Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains.
Ransomware Protection
Targets encryption-based activity associated with ransomware to analyze and halt ransomware before any data loss occurs.
Prevent Malicious Child Process Execution
Prevents script-based attacks used to deliver malware by blocking known targeted processes from launching child processes commonly used to bypass traditional security approaches.
Portable Executables and DLLs Examination
Analyze and prevent malicious executable and DLL files from running.
ELF Files Examination
Analyze and prevent malicious ELF files from running.
Local File Threat Examination
Analyze and quarantine malicious PHP files arriving from the web server.
Office Files Examination
Analyze and prevent malicious macros embedded in Microsoft Office files from running.
Mach-O Files Examination
Analyze and prevent malicious Mach-O files from running.
DMG Files Examination
Analyze and prevent malicious DMG files from running.
APK Files Examination
Analyze and prevent malicious APK files from running.
Reverse Shell Protection
Detect suspicious or abnormal network activity from shell processes and terminate the malicious shell process.
Restrictions Security Profiles
Execution Paths
Many attack scenarios are based on writing malicious executable files to certain folders such as the local temp or download folder and then running them. Use this capability to restrict the locations from which executable files can run.
Network Locations
To prevent attack scenarios that are based on writing malicious files to remote folders, you can restrict access to all network locations except for those that you explicitly trust.
Removable Media
To prevent malicious code from gaining access to endpoints using external media such as a removable drive, you can restrict the executable files that users can launch from external drives attached to the endpoints in your network.
Optical Drive
To prevent malicious code from gaining access to endpoints using optical disc drives (CD, DVD, and Blu-ray), you can restrict the executable files that users can launch from optical disc drives connected to the endpoints in your network.
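The Restrictions capabilities (Execution Paths, Network Locations, Removable Media) and the Prevent Malicious Child Process Execution capability are all decisions taken at process launch: where is the image being run from, and who is starting it. The following is an added example, not Cortex XDR code, that evaluates constructed process-launch events against a hypothetical policy of that shape. The folder names, trusted share, drive letter, and the targeted-parent and blocked-child lists are assumptions chosen for the example; the point it makes beyond the table is that path comparisons must be normalized (case folded, `..` segments collapsed) before they are trusted, or a restricted folder can be reached by an unusual spelling of the same path.

```python
"""Launch-time policy evaluator: execution-path, network-location, removable-media
and parent/child restrictions over constructed process-launch events.
Example code written for this page; it is not Cortex XDR's implementation."""
import ntpath
from dataclasses import dataclass, field

# Hypothetical policy values (assumptions for the example, not product defaults).
RESTRICTED_DIRS = (r"C:\Users\alice\AppData\Local\Temp", r"C:\Users\alice\Downloads")
TRUSTED_NETWORK_SHARES = (r"\\fileserver\software",)
REMOVABLE_DRIVES = ("E:",)
ALLOWED_REMOVABLE_EXES = ("setup.exe",)
# Parents that should never launch a shell or script host (constructed lists).
TARGETED_PARENTS = ("winword.exe", "excel.exe", "acrord32.exe")
BLOCKED_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments and fold case so comparisons cannot be
    dodged with mixed case or traversal spellings. ntpath works lexically,
    so this runs on any host without touching the disk."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, directory: str) -> bool:
    """True if the normalized path sits inside the given directory."""
    d = normalize(directory).rstrip("\\")
    return path == d or path.startswith(d + "\\")


@dataclass
class LaunchEvent:
    image: str         # full path of the executable being started
    parent_image: str  # full path of the process starting it


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(event: LaunchEvent) -> Verdict:
    image = normalize(event.image)
    name = ntpath.basename(image)
    parent = ntpath.basename(normalize(event.parent_image))
    reasons = []

    # Prevent Malicious Child Process Execution: targeted parent -> blocked child.
    if parent in TARGETED_PARENTS and name in BLOCKED_CHILDREN:
        reasons.append(f"child process: {parent} -> {name}")
    # Execution Paths: no launches from temp/download style folders.
    if any(is_under(image, d) for d in RESTRICTED_DIRS):
        reasons.append("execution path: restricted folder")
    # Network Locations: UNC paths are allowed only from explicitly trusted shares.
    if image.startswith("\\\\"):
        if not any(is_under(image, s) for s in TRUSTED_NETWORK_SHARES):
            reasons.append("network location: untrusted share")
    else:
        # Removable Media: only allow-listed executables may run from the USB drive.
        drive = ntpath.splitdrive(image)[0]
        if drive in {d.lower() for d in REMOVABLE_DRIVES} and name not in ALLOWED_REMOVABLE_EXES:
            reasons.append("removable media: executable not allow-listed")
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample events, labelled by the case each one exercises.
SAMPLE_EVENTS = {
    "traversal_into_downloads": LaunchEvent(r"C:\Users\alice\Downloads\..\Downloads\evil.exe",
                                            r"C:\Windows\explorer.exe"),
    "office_spawns_powershell": LaunchEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                            r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    "trusted_share":   LaunchEvent(r"\\fileserver\software\tool.exe", r"C:\Windows\explorer.exe"),
    "untrusted_share": LaunchEvent(r"\\nas\public\tool.exe", r"C:\Windows\explorer.exe"),
    "usb_allowlisted": LaunchEvent(r"E:\setup.exe", r"C:\Windows\explorer.exe"),
    "usb_other":       LaunchEvent(r"E:\Games\launcher.exe", r"C:\Windows\explorer.exe"),
    "normal_app":      LaunchEvent(r"C:\Program Files\App\app.exe", r"C:\Windows\explorer.exe"),
}


def run_samples() -> dict:
    """Evaluate every sample event; returns {label: Verdict}."""
    return {label: evaluate(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, v in run_samples().items():
        print(f"{label:26} {'ALLOW' if v.allowed else 'BLOCK'}  {'; '.join(v.reasons)}")
```

The `traversal_into_downloads` case is the one to look at: the raw path never literally contains a restricted folder as a prefix, yet after normalization it is exactly `c:\users\alice\downloads\evil.exe` and is blocked. A policy engine that compares raw strings would let it through.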
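Reverse Shell Protection, described in the Malware Security Profiles section above, is about the shape of a shell process rather than its file: a shell whose standard input and output are wired to a network socket instead of a terminal or a pipe is the classic reverse-shell form. The following added example (not Cortex XDR's detection logic) applies that heuristic to constructed process records. The process names, the trusted-parent allow-list, and the record layout are assumptions for the example; the loopback and trusted-parent exemptions show where such a rule needs tuning so that SSH sessions and local tooling are not flagged.

```python
"""Reverse-shell heuristic over constructed process records.
Example code written for this page, not a product implementation."""
from dataclasses import dataclass
import ipaddress

SHELLS = {"bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe"}
# Parents that legitimately hand a shell a network socket (hypothetical allow-list).
TRUSTED_PARENTS = {"sshd", "dropbear"}


@dataclass
class ProcessRecord:
    pid: int
    comm: str          # process name
    parent_comm: str   # parent process name
    stdio: tuple       # fds 0,1,2 as "tty", "pipe", or "socket:<peer-ip>:<port>"


def socket_peers(rec: ProcessRecord) -> set:
    """Collect the peer addresses of any standard stream bound to a socket."""
    peers = set()
    for fd in rec.stdio:
        if fd.startswith("socket:"):
            host, _, _port = fd[len("socket:"):].rpartition(":")
            peers.add(host.strip("[]"))   # tolerate bracketed IPv6 literals
    return peers


def is_suspicious_shell(rec: ProcessRecord) -> tuple:
    """Return (flagged, reason) for one process record."""
    if rec.comm not in SHELLS:
        return False, "not a shell"
    if rec.parent_comm in TRUSTED_PARENTS:
        return False, "spawned by trusted remote-access daemon"
    peers = socket_peers(rec)
    if not peers:
        return False, "stdio not bound to a socket"
    external = sorted(p for p in peers if not ipaddress.ip_address(p).is_loopback)
    if not external:
        return False, "socket peer is loopback"
    return True, f"shell stdio bound to socket with remote peer {external[0]}"


def scan(records) -> list:
    """Return [(pid, reason)] for every record the heuristic flags."""
    flagged = []
    for rec in records:
        hit, reason = is_suspicious_shell(rec)
        if hit:
            flagged.append((rec.pid, reason))
    return flagged


# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_RECORDS = [
    ProcessRecord(4312, "bash", "python3",
                  ("socket:203.0.113.5:4444", "socket:203.0.113.5:4444", "socket:203.0.113.5:4444")),
    ProcessRecord(4101, "bash", "sshd",
                  ("socket:198.51.100.7:52210", "socket:198.51.100.7:52210", "socket:198.51.100.7:52210")),
    ProcessRecord(3999, "bash", "gnome-terminal", ("tty", "tty", "tty")),
    ProcessRecord(2780, "sh", "cron", ("pipe", "pipe", "pipe")),
    ProcessRecord(5120, "python3", "systemd", ("socket:203.0.113.9:443", "pipe", "pipe")),
    ProcessRecord(5301, "zsh", "local-agent", ("socket:127.0.0.1:9000", "socket:127.0.0.1:9000", "tty")),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_RECORDS):
        print(f"pid {pid}: {reason}")
```

Only the first record is flagged. The `sshd` child has the same socket-bound shape but is exempt because an interactive SSH login is exactly that shape by design; without such an allow-list a rule like this would alert on every remote administrator.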