Add a New Malware Security Profile

From the Cortex XDR management console, you can configure what action Cortex XDR agents take when known malware and unknown files try to run.

Malware security profiles allow you to configure the action Cortex XDR agents take when known malware and unknown files try to run on Windows, Mac, Linux, and Android endpoints. By default, the Cortex XDR agent receives the default profile, which contains a pre-defined configuration for each malware protection capability supported by the platform. To fine-tune your Malware security policy, you can override the configuration of each capability to block the malicious behavior or file, allow but report it, or disable the module. For each setting you override, clear the Use Default option.
To configure a Malware security profile:
  1. Add a new profile.
    1. From Cortex XDR, select Endpoints > Policy Management > Prevention > Profiles > + New Profile and select whether to Create New or Import from File a new profile.
      New imported profiles are added and do not replace existing profiles.
    2. Select the platform to which the profile applies and Malware as the profile type.
  2. Identify the profile.
    1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose is visible in the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. Configure the Cortex XDR agent to examine executable files, macros, or DLL files on Windows endpoints, Mach-O files or DMG files on Mac endpoints, ELF files on Linux endpoints, or APK files on Android endpoints.
    1. Configure the Action Mode—the behavior of the Cortex XDR agent—when malware is detected:
      • Block—Block attempts to run malware.
      • Report—Report but do not block malware that attempts to run.
      • (Android only) Prompt—Enable the Cortex XDR agent to prompt the user when malware is detected and allow the user to choose to allow the malware, dismiss the notification, or uninstall the app.
      • Disabled—Disable the module and do not examine files for malware.
    2. Configure additional actions to examine files for malware.
      By default, Cortex XDR uses the settings specified in the default malware security profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
      • (Windows; Mac starting with Cortex XDR agent 7.4; Linux starting with Cortex XDR agent 7.5) Quarantine Malicious Executables / Mach-O / ELF files—By default, the Cortex XDR agent blocks malware from running but does not quarantine the file. Enable this option to quarantine files depending on the verdict issuer (local analysis, WildFire, or both local analysis and WildFire).
        The quarantine feature is not available for malware identified on network drives.
      • Upload <file_type> files for cloud analysis—Enable the Cortex XDR agent to send unknown files to Cortex XDR, and Cortex XDR to send the files to WildFire for analysis. With macro analysis, the Cortex XDR agent sends the Microsoft Office file containing the macro. The file types that the Cortex XDR agent analyzes depend on the platform type. WildFire accepts files up to 100MB in size.
      • Treat Grayware as Malware—Treat all grayware with the same Action Mode you configure for malware. If this option is disabled, grayware is considered benign and is not blocked.
      • Action on Unknown to WildFire—Select the behavior of the Cortex XDR agent when an unknown file tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the Cortex XDR agent uses embedded machine learning to determine the likelihood that an unknown file is malware and issues a local verdict for the file. If you block unknown files but do not run local analysis, unknown files remain blocked until the Cortex XDR agent receives an official WildFire verdict.
      • (Cortex XDR agent 7.5 and later, Windows only) Action when WildFire verdict is Benign with Low Confidence—Select the behavior of the Cortex XDR agent when a file with a Benign Low Confidence verdict from WildFire tries to run on the endpoint (Allow, Run Local Analysis, or Block). With local analysis, the Cortex XDR agent uses embedded machine learning to determine the likelihood that the file is malware and issues a local verdict for the file. If you block these files but do not run local analysis, they remain blocked until the Cortex XDR agent receives a high-confidence WildFire verdict. To enable this capability, ensure that WildFire analysis scoring is enabled in your Global Agent Settings.
        • For optimal user experience, Palo Alto Networks recommends you set the action mode to either Allow or Run Local Analysis.
        • Action on Benign LC verdict is supported from agent version 7.5 and above. For agent version 7.4.X, action on Benign LC verdict is the same as the action for files with Unknown verdict.
      • (Windows only) Examine Office Files From Network Drives—Enable the Cortex XDR agent to examine Microsoft Office files on network drives when they contain a macro that attempts to run. If this option is disabled, the Cortex XDR agent does not examine macros on network drives.
      (Windows only) As part of the anti-malware security flow, the Cortex XDR agent leverages the OS capability to identify revoked certificates for executables and DLL files that attempt to run on the endpoint by accessing the Windows Certificate Revocation List (CRL). To allow the Cortex XDR agent to access the CRL, you must enable internet access over port 80 for Windows endpoints running Traps 6.0.3 and later releases, Traps 6.1.1 and later releases, or Cortex XDR 7.0 and later releases. If the endpoint is not connected to the internet, or you experience delays with executables and DLLs running on the endpoint, contact Palo Alto Networks Support.
    3. (Optional) Add files and folders to your allow list to exclude them from examination.
      1. +Add a file or folder.
      2. Enter the path and press Enter or click the check mark when done. You can also use a wildcard to match files and folders containing a partial name. Use ? to match a single character or * to match any string of characters. To match a folder, you must terminate the path with * to match all files in the folder (for example, c:\temp\*).
      3. Repeat to add additional files or folders.
    4. Add signers to your allow list to exclude them from examination.
      When a file that is signed by a signer you included in your allow list attempts to run,
      1. +Add a trusted signer.
      2. Enter the name of the trusted signer (Windows) or the SHA1 hash of the certificate that signs the file (Mac) and press Enter or click the check mark when done. You can also use a wildcard to match a partial name for the signer. Use ? to match any single character or * to match any string of characters.
      3. Repeat to add additional signers.
      The Cortex XDR agent evaluates the signer name using the CN (Common Name) value in the digital signature, while the Cortex XDR console can display both the O (Organization) value and the CN (Common Name) in the Alerts table.
  4. (Windows, Mac, and Linux only) Configure Behavioral Threat Protection.
    Behavioral threat protection requires Traps agent 6.0 or a later release for Windows endpoints, and Traps 6.1 or a later release for Mac and Linux endpoints.
    With Behavioral threat protection, the agent continuously monitors endpoint activity to identify and analyze chains of events—known as causality chains. This enables the agent to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually. A causality chain can include any sequence of network, process, file, and registry activities on the endpoint. Behavioral threat protection can also identify behavior related to vulnerable drivers on Windows endpoints. For more information on data collection for Behavioral Threat Protection, see Endpoint Data Collected by Cortex XDR.
    Palo Alto Networks researchers define the causality chains that are malicious and distribute those chains as behavioral threat rules. When the Cortex XDR agent detects a match to a behavioral threat protection rule, the Cortex XDR agent carries out the configured action (default is Block). In addition, the Cortex XDR agent reports the behavior of the entire event chain up to the process, known as the causality group owner (CGO), that the Cortex XDR agent identified as triggering the event sequence.
    To configure Behavioral Threat Protection:
    1. Define the Action mode to take when the Cortex XDR agent detects malicious causality chains:
      • Block (default)—Block all processes and threads in the event chain up to the CGO.
      • Report—Allow the activity but report it to Cortex XDR.
      • Disabled—Disable the module and do not analyze or report the activity.
    2. Define whether to quarantine the CGO when the Cortex XDR agent detects a malicious event chain.
      • Enabled—Quarantine the CGO if the file is not signed by a highly trusted signer. When the CGO is signed by a highly trusted signer or is powershell.exe, wscript.exe, cscript.exe, mshta.exe, excel.exe, word.exe, or powerpoint.exe, the Cortex XDR agent parses the command-line arguments and instead quarantines any scripts or files called by the CGO.
      • Disabled (default)—Do not quarantine the CGO of an event chain or any scripts or files called by the CGO.
    3. (Windows only, requires Cortex XDR agent 7.2 or a later release) Define the Action Mode for Vulnerable Drivers Protection.
      Behavioral threat protection rules can also detect attempts to load vulnerable drivers. As with other rules, Palo Alto Networks threat researchers can deliver changes to vulnerable driver rules with content updates.
      • Block (default)—Block all attempts to run vulnerable drivers.
      • Report—Allow vulnerable drivers to run but report the activity.
      • Disabled—Disable the module and do not analyze or report the activity.
    4. (Optional) Add files that you do not want the Cortex XDR agent to terminate when a malicious causality chain is detected to your allow list. The allow list does not apply to vulnerable drivers.
      1. +Add a file path.
      2. Enter the file path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.
      3. Click the check mark to confirm the file path.
      4. Repeat the process to add any additional file paths to your allow list.
  5. (Windows only) Respond to Malicious Causality Chains.
    When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication, and block new connections from this IP address to the endpoint. When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate.
    This module is supported with Cortex XDR agent 7.3.0 and later releases.
    1. Select the Action Mode to take when the Cortex XDR agent detects remote malicious causality chains:
      • Enabled (default)—Terminate the connection and block the IP address of the remote connection.
      • Disabled—Do not block remote IP addresses.
    2. To allow specific, known-safe IP addresses or IP address ranges that you do not want Cortex XDR to block, add these IP addresses to your allow list. +Add and then specify the IP address.
  6. (Windows only) Configure Ransomware Protection.
    1. Define the Action mode to take when the Cortex XDR agent detects ransomware activity locally on the endpoint or in pre-defined network folders:
      • Block (default)—Block the activity.
      • Report—Allow the activity but report it to Cortex XDR.
      • Disabled—Disable the module and do not analyze or report the activity.
    2. Choose whether you want the Cortex XDR agent to Quarantine Malicious Process when ransomware is detected.
      The quarantine option is only available if the Action mode is Block.
    3. Configure the ransomware module Protection mode.
      By default, the protection mode is set to Normal, where the decoy files on the endpoint are present but do not interfere with benign applications and end-user activity on the endpoint. If you suspect your network has been infected with ransomware and need to provide better coverage, you can apply the Aggressive protection mode. The aggressive mode exposes more applications in your environment to the Cortex XDR agent decoy files, while also increasing the likelihood that benign software is exposed to decoy files, raising false ransomware alerts, and impairing user experience.
  7. (Windows only) Configure the Cortex XDR agent to Prevent Malicious Child Process Execution.
    1. Select the Action Mode to take when the Cortex XDR agent detects malicious child process execution:
      • Block—Block the activity.
      • Report—Allow the activity but report it to Cortex XDR.
    2. To allow specific processes to launch child processes for legitimate purposes, add the child process to your allow list with optional execution criteria. +Add and then specify the allow list criteria, including the Parent Process Name, Child Process Name, and Command Line Params. Use ? to match a single character or * to match any string of characters.
      If you are adding child process evaluation criteria based on a specific security event, the event indicates both the source process and the command line parameters in one line. Copy only the command line parameters for use in the profile.
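The wildcard rules shared by the file and folder allow list and the trusted signer allow list in step 3 and by the child process criteria in step 7, worked through in Python as an added example (not Palo Alto Networks code): ? matches exactly one character, * matches any string, a folder entry must end in * to cover the files inside it, and a Windows signer entry is compared with the certificate CN rather than the O value the console may display. Case-insensitive comparison, treating an omitted child-process criterion as *, and the sample paths, signer, and rule are my assumptions.

```python
import re


def wildcard_to_regex(pattern, ignore_case=True):
    """Translate a console-style allow-list entry into an anchored regex.
    ? matches exactly one character and * matches any string; every other
    character (including brackets and backslashes) is literal, unlike fnmatch."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.compile("^" + "".join(parts) + "$", flags)


def matches(pattern, value, ignore_case=True):
    return wildcard_to_regex(pattern, ignore_case).match(value) is not None


def path_allowed(allow_list, path):
    """File/folder allow list (steps 3.3, 4.4, 8.4). An entry names one file unless
    it ends in *, so c:\\temp covers nothing inside c:\\temp but c:\\temp\\* does."""
    return any(matches(entry, path) for entry in allow_list)


def signer_allowed(allow_list, signature):
    """Trusted signer allow list (step 3.4). Windows entries are compared with the
    certificate CN (the console may also show O, which is not used); Mac entries
    are the SHA1 hash of the signing certificate. Assumption: case-insensitive."""
    if signature["platform"] == "windows":
        subject = signature.get("cn")
    else:
        subject = signature.get("sha1")
    return subject is not None and any(matches(e, subject) for e in allow_list)


def child_process_allowed(rules, parent, child, cmdline):
    """Child process allow list (step 7.2): parent name, child name and command
    line parameters of one rule must all match. Assumption: an omitted criterion
    is stored as * (match anything)."""
    return any(matches(r.get("parent", "*"), parent)
               and matches(r.get("child", "*"), child)
               and matches(r.get("cmdline", "*"), cmdline) for r in rules)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real endpoint.
    paths = ["c:\\temp\\*", "c:\\tools\\build-?.exe"]
    print(path_allowed(paths, "C:\\Temp\\installer.exe"))         # True
    print(path_allowed(["c:\\temp"], "c:\\temp\\installer.exe"))  # False: entry lacks *
    win_sig = {"platform": "windows", "cn": "Contoso Ltd", "o": "Contoso Corporation"}
    print(signer_allowed(["Contoso*"], win_sig))                  # True (CN matches)
    print(signer_allowed(["Contoso Corporation"], win_sig))       # False (O is not used)
    rules = [{"parent": "winword.exe", "child": "cmd.exe", "cmdline": "/c *\\build.bat"}]
    print(child_process_allowed(rules, "WINWORD.EXE", "cmd.exe", "/c c:\\proj\\build.bat"))  # True
```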
  8. (Windows and Mac only) Enable endpoint file scanning.
    Periodic scanning enables you to scan endpoints on a recurring basis without waiting for malware to run on the endpoint. Periodic scanning is persistent: if a scan is scheduled to start while the endpoint is powered off, the scan is initiated when the endpoint is powered on again. The scheduling of future scans is not affected by this delay. To better understand how the agent scans the endpoint, refer to Scan an Endpoint for Malware.
    When periodic scanning is enabled in your profile, the Cortex XDR agent initiates an initial scan when it is first installed on the endpoint, regardless of the periodic scanning schedule.
    1. Configure the Action Mode for the Cortex XDR agent to periodically scan the endpoint for malware: Enabled to scan at the configured intervals, or Disabled (default) if you don't want the Cortex XDR agent to scan the endpoint.
    2. To configure the scan schedule, set the frequency (Run Weekly or Run Monthly) and the day and time at which the scan will run on the endpoint.
      Just as with an on-demand scan, a scheduled scan resumes after a reboot, process interruption, or operating system crash.
    3. (Windows only) To include removable media drives in the scheduled scan, enable the Cortex XDR agent to Scan Removable Media Drives.
    4. Add folders to your allow list to exclude them from examination.
      1. Add (+) a folder.
      2. Enter the folder path. Use ? to match a single character or * to match any string of characters in the folder path (for example, C:\*\temp).
      3. Press Enter or click the check mark when done.
      4. Repeat to add additional folders.
  9. (Windows Vista and later Windows releases) Enable Password Theft Protection.
    Select Enabled to enable the Cortex XDR agent to prevent attacks that use the Mimikatz tool to extract passwords from memory. When set to Enabled, the Cortex XDR agent silently prevents attempts to steal credentials (no notifications are provided when these events occur). The Cortex XDR agent enables this protection module following the next endpoint reboot. If you don't want to enable the module, select Disabled.
    This module is supported with Traps agent 5.0.4 and later releases.
  10. (Windows only) Configure the Network Packet Inspection Engine.
    By analyzing network packet data, the Cortex XDR agent can detect malicious behavior at the network level and provide protection for the growing corporate network boundaries. The engine leverages both Palo Alto Networks NGFW content rules and new Cortex XDR content rules created by the Research Team, which are updated through the security content.
    This module is supported with Cortex XDR agent 7.5.0 and later releases.
    1. Define the Action mode to take when the Cortex XDR agent detects malicious behavior:
      • Terminate Session (default)—Drop the malicious connections. In the case of an outgoing connection, also terminate all associated processes.
      • Report—Allow the packets in your network but report them to Cortex XDR.
      • Disabled—Disable the module and do not analyze or report the activity.
  11. (Linux only) Enable Local File Threat Examination.
    The Local Threat-Evaluation Engine (LTEE) enables the Cortex XDR agent to detect webshells and optionally quarantine malicious PHP files on the endpoint.
    This module is supported with Cortex XDR agent 7.2.0 and later releases.
    1. Select the Action Mode to take when the Cortex XDR agent detects the malicious behavior.
      • Enable—Enable the Cortex XDR agent to analyze the endpoint for PHP files arriving from the web server and alert on any malicious PHP scripts.
      • Disable—Disable the module and do not analyze or report the activity.
    2. Quarantine malicious files.
      When Enabled, the Cortex XDR agent quarantines malicious PHP files on the endpoint. The agent quarantines newly created PHP files only, and does not quarantine updated files.
    3. (Optional) Add files and folders to your allow list to exclude them from examination.
      1. +Add a file or folder.
      2. Enter the path and press Enter or click the check mark when done. You can also use * to match files and folders containing a partial name. To match a folder, you must terminate the path with * to match all files in the folder (for example, /usr/bin/*).
      3. Repeat to add additional files or folders.
  12. (Linux only) Configure Reverse Shell Protection.
    The Reverse Shell Protection module enables the Cortex XDR agent to detect and optionally block attempts to redirect standard input and output streams to network sockets.
    1. Define the Action Mode to take when the Cortex XDR agent detects the malicious behavior.
      • Block—Block the activity.
      • Report—Allow the activity but report it to Cortex XDR.
      • Disabled—Disable the module and do not analyze or report the activity.
    2. (Optional) Add processes that must redirect streams to network sockets to your allow list.
      1. +Add a connection.
      2. Enter the path of the process, and the local and remote IP addresses and ports.
        Use a wildcard to match a partial path name. Use * to match any string of characters (for example, */bash). You can also use * to match any IP address or any port.
      3. Press Enter or click the check mark when done.
      4. Repeat to add additional connections.
  13. Save the changes to your profile.
  14. Use the profile in a policy rule. You can do this in two ways: Create a new policy rule using this profile from the right-click menu, or launch the new policy wizard from Policy Rules.
