Add a New Exploit Security Profile

From the Cortex® XDR™ management console, you can customize the exploit protection capabilities in each Exploit security profile. Exploit security profiles define the action the Cortex XDR agent takes when it detects an attempt to exploit a software vulnerability or flaw, and let you tune protection against specific exploit techniques.
By default, the Cortex XDR agent receives the default profile, which contains a pre-defined configuration for each exploit capability supported by the platform. To fine-tune your Exploit security policy, you can override the configuration of each capability to block the exploit behavior, allow the behavior but report it, or disable the module.
To define an Exploit security profile:
  1. Add a new profile.
    1. From Cortex XDR, select Endpoints > Policy Management > Prevention > Profiles > + New Profile, and select whether to Create New a profile or Import from File. Imported profiles are added alongside existing profiles; they do not replace them.
    2. Select the platform to which the profile applies and Exploit as the profile type.
    3. Click Next.
  2. Define the General Information.
    1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, and spaces, and must be no more than 30 characters. The name you choose is visible in the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason for creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. Configure the action to take when the Cortex XDR agent detects an attempt to exploit each type of software flaw.
    For details on the different exploit protection capabilities, see Endpoint Protection Capabilities.
    • Block—Block the exploit attack.
    • Report—Allow the exploit activity but report it to Cortex XDR.
    • Disabled—Disable the module and do not analyze or report exploit attempts.
    • Default—Use the default configuration to determine the action to take. Cortex XDR displays the current default configuration for each capability in parentheses, for example, Default (Block).
    To view which processes are protected by each capability, see Processes Protected by Exploit Security Policy.
    For Known Vulnerable Process Protection, enable the capability to automatically protect endpoints from attacks that try to leverage common operating system mechanisms for malicious purposes. Select either Block (default) or Report. When enabled, select whether to also enable Java Deserialization Protection. If enabled, it inherits the action mode defined for Known Vulnerable Process Protection.
    Attackers can use existing mechanisms in the operating system to execute malicious code; by enabling this capability, the Cortex XDR agent protects endpoints from such attacks. If the action mode of Known Vulnerable Process Protection is set to Disabled, Java Deserialization Protection is greyed out and disabled as well, regardless of its own value. If it is enabled, the action mode (Block or Report) is inherited from the main setting.
    For Logical Exploits Protection, you can also configure a block list for the DLL Hijacking module. The block list enables you to block specific DLLs when a protected process loads them. Each DLL folder or file entry must include the complete path. To complete the path, you can use environment variables or the asterisk (*) as a wildcard that matches any string of characters (for example, */windows32/).
    For Exploit Protection for Additional Processes, you can also add one or more additional processes.
    In Exploit security profiles, if you change the action mode for processes, you must restart the protected processes for the following security modules to take effect on the process and its forked processes: Brute Force Protection, Java Deserialization, ROP, and SO Hijacking.
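As an added example (not the product's own matching logic), the following PowerShell script lets you sanity-check DLL Hijacking block-list entries against sample DLL paths before saving the profile. It assumes matching semantics this page does not spell out: environment variables are expanded, * matches any run of characters, an entry ending in a path separator covers everything in that folder, and matching is case-insensitive with / and \ interchangeable.

```powershell
# Added example, not from the Cortex XDR documentation: test block-list entries
# against candidate DLL paths. The agent's exact matching rules are not
# documented on this page, so the assumptions below are ours, not the product's:
#  - environment variables are expanded, '*' matches any run of characters,
#  - an entry ending in a separator covers everything in that folder,
#  - comparison is case-insensitive and '/' and '\' are interchangeable.

function ConvertTo-BlockListRegex([string]$Entry) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Entry)
    $folder   = $expanded -match '[\\/]$'
    # Escape regex metacharacters, then restore the wildcard as ".*"
    $pattern  = [regex]::Escape($expanded) -replace '\\\*', '.*'
    # Treat either path separator as equivalent (Escape doubled the backslashes)
    $pattern  = $pattern -replace '(\\\\|/)', '[\\/]'
    if ($folder) { $pattern += '.*' }   # folder entry: anything beneath it
    return "^$pattern$"
}

function Test-BlockListEntry([string]$Entry, [string[]]$Paths) {
    $rx = [regex]::new((ConvertTo-BlockListRegex $Entry), 'IgnoreCase')
    foreach ($p in $Paths) {
        [pscustomobject]@{ Entry = $Entry; Path = $p; Blocked = $rx.IsMatch($p) }
    }
}

# Constructed sample paths (not real findings) used to exercise the entries
$samples = @(
    'C:\Windows\Temp\example.dll',
    'C:\Users\alice\AppData\Local\Temp\helper.dll',
    'C:\Program Files\Vendor\App\vendor.dll'
)
Test-BlockListEntry '%SystemRoot%\Temp\*.dll'  $samples | Format-Table -AutoSize
Test-BlockListEntry '*/AppData/Local/Temp/'   $samples | Format-Table -AutoSize
```

With these inputs the first entry flags only the DLL under the Windows Temp folder and the second only the one under the user's AppData Temp folder; the vendor DLL matches neither.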
  4. (Windows only) Configure how to address unpatched known vulnerabilities in your network.
    If you have Windows endpoints in your network that are unpatched and exposed to a known vulnerability, Palo Alto Networks strongly recommends that you upgrade to the latest Windows Update that has a fix for that vulnerability.
    If you choose not to patch the endpoint, the Unpatched Vulnerabilities Protection capability allows the Cortex XDR agent to apply a workaround that protects the endpoint from the known vulnerability. It takes the Cortex XDR agent up to 6 hours to enforce your configured policy on the endpoints.
    To address known vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094, you can Modify IPv4 and IPv6 settings as follows:
    • Do not modify system settings (default)—Do not modify the IPv4 and IPv6 settings currently set on the endpoint, whether the current values are your original values or values that were modified as part of this workaround.
    • Modify system settings until the endpoint is patched—If the endpoint is already patched, this option does not modify any system settings. For unpatched endpoints, the Cortex XDR agent runs the following commands to temporarily modify the IPv4 and IPv6 settings until the endpoint is patched. After the endpoint is patched for CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094, all Windows system settings modified as part of this workaround are automatically reverted to their values before modification. Palo Alto Networks strongly recommends that you review these commands before applying this workaround in your network to ensure your critical business components are not affected or harmed:
      netsh int ipv6 set global reassemblylimit=0, which disables IPv6 fragmentation on the endpoint.
      netsh int ipv4 set global sourceroutingbehavior=drop, which disables loose source routing (LSR) for IPv4.
    • Revert system settings to your previous settings—Revert all Windows system settings modified as part of this workaround to their values before modification, regardless of whether the endpoint was patched or not.
    This workaround applies only to the specific Windows versions listed as exposed to these CVEs, and requires a Cortex XDR agent 7.1 or later and content 167-51646 or later. This workaround is not recommended for non-persistent, stateless, or linked-clone environments. In some cases, enabling this workaround can affect the network functionality on the endpoint.
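To review the two endpoint settings this workaround changes before you apply it, and to confirm that they were reverted after patching, the following PowerShell script (an added example, not part of the Cortex XDR documentation or product) reads both values with netsh and records them. It assumes a Windows endpoint whose netsh output uses the English labels "Reassembly Limit" and "Source Routing Behavior".

```powershell
# Added example, not from the Cortex XDR documentation: capture the IPv6
# reassembly limit and the IPv4 source routing behavior that the Unpatched
# Vulnerabilities Protection workaround modifies, so the pre-workaround values
# can be reviewed and the automatic revert verified later.
# Assumption: English netsh output labels.

function Get-NetshGlobalValue([string[]]$Lines, [string]$Name) {
    # netsh prints "Label : value"; return the first token of the value
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value }
    return $null
}

function Get-WorkaroundState {
    $v6 = netsh interface ipv6 show global
    $v4 = netsh interface ipv4 show global
    $reassembly = Get-NetshGlobalValue $v6 'Reassembly Limit'        # "0" once the workaround is applied
    $srcRouting = Get-NetshGlobalValue $v4 'Source Routing Behavior' # "drop" once applied; "dontforward" is the Windows default
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        Captured              = (Get-Date).ToString('s')
        ReassemblyLimit       = $reassembly
        SourceRoutingBehavior = $srcRouting
        # Both values equal what the agent's netsh commands set => workaround is in effect
        WorkaroundApplied     = ($reassembly -eq '0' -and $srcRouting -ieq 'drop')
    }
}

$state = Get-WorkaroundState
$state | Format-List

# Append to a baseline log so the original values and the later revert can be compared
$log = Join-Path $env:ProgramData 'ipv-workaround-baseline.csv'
$state | Export-Csv -Path $log -NoTypeInformation -Append
```

Run it once before enabling the workaround to keep the original values, and again after the endpoint is patched to confirm WorkaroundApplied returns to False.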
  5. Save the changes to your profile.
  6. Apply the profile in a policy rule. You can do this in two ways: select Create a new policy rule using this profile from the right-click menu, or launch the new policy wizard from Policy Rules.
