About Cortex XDR Endpoint Protection

Cyberattacks are attacks performed on networks or endpoints to inflict damage, steal information, or achieve other goals that involve taking control of computer systems that do not belong to the attackers. These adversaries perpetrate cyberattacks either by causing a user to unintentionally run a malicious executable file, known as malware, or by exploiting a weakness in a legitimate executable file to run malicious code behind the scenes without the knowledge of the user.
One way to prevent these attacks is to identify executable files, dynamic-link libraries (DLLs), and other pieces of code to determine if they are malicious and, if so, to prevent them from executing by testing each potentially dangerous code module against a list of specific, known threat signatures. The weakness of this method is that it is time-consuming for signature-based antivirus (AV) solutions to identify newly created threats that are known only to the attacker (also known as zero-day attacks or exploits) and add them to the lists of known threats, which leaves endpoints vulnerable until signatures are updated.
Cortex XDR takes a more efficient and effective approach to preventing attacks that eliminates the need for traditional AV. Rather than try to keep up with the ever-growing list of known threats, Cortex XDR sets up a series of roadblocks—traps, if you will—that prevent the attacks at their initial entry points—the point where legitimate executable files are about to unknowingly allow malicious access to the system.
Cortex XDR provides a multi-method protection solution with exploit protection modules that target software vulnerabilities in processes that open non-executable files and malware protection modules that examine executable files, DLLs, and macros for malicious signatures and behavior. Using this multi-method approach, the Cortex XDR solution can prevent all types of attacks, whether they are known or unknown threats.
[Figure: Cortex XDR multi-method prevention]

Exploit Protection Overview

An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use these exploits to access and use a system to their advantage. To gain control of a system, the attacker must exploit a chain of vulnerabilities in the system. Blocking any attempt to exploit a vulnerability in the chain will block the entire exploitation attempt.
To combat an attack in which an attacker takes advantage of a software exploit or vulnerability, Cortex XDR employs exploit protection modules (EPMs). Each EPM targets a specific type of exploit attack in the attack chain. Some capabilities that Cortex XDR EPMs provide are reconnaissance prevention, memory corruption prevention, code execution prevention, and kernel protection.

Malware Protection Overview

Malicious files, known as malware, are often disguised as or embedded in non-malicious files. These files can attempt to gain control, gather sensitive information, or disrupt the normal operations of the system. Cortex XDR prevents malware by employing the Malware Prevention Engine. This approach combines several layers of protection to prevent both known and unknown malware that has not been seen before from causing harm to your endpoints. The mitigation techniques that the Malware Prevention Engine employs vary by the endpoint type:

Malware Protection for Windows

  • WildFire integration
    —Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence.
  • Local static analysis
    —Enables Cortex XDR to use machine learning to analyze unknown files and issue a verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it receives the WildFire verdict from Cortex XDR.
  • DLL file protection
    —Enables Cortex XDR to block known and unknown DLLs on Windows endpoints.
  • Office file protection
    —Enables Cortex XDR to block known and unknown macros when run from Microsoft Office files on Windows endpoints.
  • PDF file protection
    —Enables Cortex XDR to block known and unknown PDFs when run on Windows endpoints.
  • Behavioral threat protection (Windows 7 SP1 and later versions)
    —Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables Cortex XDR to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.0 or a later release.
  • Evaluation of trusted signers
    —Permits unknown files that are signed by highly trusted signers to run on the endpoint.
  • Malware protection modules
    —Targets behaviors—such as those associated with ransomware—and enables you to block the creation of child processes.
  • Policy-based restrictions
    —Enables you to block files from executing from within specific local folders, network folders, or external media locations.
  • Periodic and automated scanning
    —Enables you to block dormant malware that has not yet tried to execute on endpoints.
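The policy-based restrictions item above describes blocking execution from specific local folders, network folders, or external media. The following is an added illustration of that idea, written for this page and not Cortex XDR's own code: a small path-based execution policy that decides, for a given executable path, whether a restriction applies. The policy values, the sample paths, and the set of drive letters treated as removable media (which a real agent would obtain from the operating system) are constructed assumptions.

```python
"""Path-based execution restriction check (added illustration, not Cortex XDR code).

Models the 'Policy-based restrictions' capability: block execution from
specific local folders, network (UNC) folders, or external media.
All paths, drive letters and the policy itself are constructed sample values.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class ExecutionPolicy:
    blocked_local_folders: list[str] = field(default_factory=list)
    blocked_network_folders: list[str] = field(default_factory=list)
    # Hypothetical: drive letters the OS reports as removable (USB sticks, etc.).
    removable_drives: set[str] = field(default_factory=set)
    block_removable_media: bool = True


def _normalize(path: str) -> PureWindowsPath:
    # Windows paths are case-insensitive, so compare in lowercase.
    return PureWindowsPath(path.lower())


def _is_under(path: PureWindowsPath, folder: PureWindowsPath) -> bool:
    # relative_to() succeeds only for a true path-component prefix,
    # so "C:\Users\bob\Downloads2" is NOT under "C:\Users\bob\Downloads".
    try:
        path.relative_to(folder)
        return True
    except ValueError:
        return False


def evaluate(policy: ExecutionPolicy, exe_path: str) -> tuple[str, str]:
    """Return ('block' | 'allow', reason) for an executable about to run."""
    p = _normalize(exe_path)
    if p.drive.startswith("\\\\"):
        # UNC path: PureWindowsPath(r"\\server\share\x").drive == r"\\server\share"
        for folder in policy.blocked_network_folders:
            if _is_under(p, _normalize(folder)):
                return "block", f"network folder {folder}"
    else:
        drive = p.drive.rstrip(":").upper()  # "e:" -> "E"
        if policy.block_removable_media and drive in policy.removable_drives:
            return "block", f"removable media drive {drive}:"
        for folder in policy.blocked_local_folders:
            if _is_under(p, _normalize(folder)):
                return "block", f"local folder {folder}"
    return "allow", "no matching restriction"


# Constructed sample policy and paths for a stand-alone run.
SAMPLE_POLICY = ExecutionPolicy(
    blocked_local_folders=[r"C:\Users\bob\Downloads"],
    blocked_network_folders=[r"\\fileserver\public"],
    removable_drives={"E"},
)

if __name__ == "__main__":
    for exe in (
        r"C:\Users\Bob\Downloads\setup.exe",
        r"\\FILESERVER\public\tools\run.exe",
        r"E:\autorun.exe",
        r"C:\Program Files\App\app.exe",
    ):
        print(exe, "->", evaluate(SAMPLE_POLICY, exe))
```

The comparison is done on path components rather than string prefixes so that a sibling folder with a longer name does not accidentally match a blocked one, and UNC shares are handled separately from drive-letter paths.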

Malware Protection for Mac

  • WildFire integration
    —Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence.
  • Local static analysis
    —Enables Cortex XDR to use machine learning to analyze unknown files and issue a verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it receives the WildFire verdict from Cortex XDR.
  • Behavioral threat protection
    —Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables the Cortex XDR agent to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.1 or a later release.
  • Mach-O file protection
    —Enables you to block known malicious and unknown Mach-O files on Mac endpoints.
  • DMG file protection
    —Enables you to block known malicious and unknown DMG files on Mac endpoints.
  • Evaluation of trusted signers
    —Permits unknown files that are signed by trusted signers to run on the endpoint.
  • Periodic and automated scanning
    —Enables you to block dormant malware that has not yet tried to execute on endpoints. Scanning requires Cortex XDR agent 7.1 or a later release.

Malware Protection for Linux

  • WildFire integration
    —Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence. WildFire integration requires Traps agent 6.0 or a later release.
  • Local static analysis
    —Enables the Cortex XDR agent to use machine learning to analyze unknown files and issue a verdict. The Cortex XDR agent uses the verdict returned by the local analysis module until it receives the WildFire verdict from Cortex XDR. Local analysis requires Traps agent 6.0 or a later release.
  • Behavioral threat protection
    —Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables Cortex XDR to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.1 or a later release.
  • ELF file protection
    —Enables you to block known malicious and unknown ELF files executed on a host server or within a container on a Cortex XDR-protected endpoint. Cortex XDR automatically suspends the file execution until a WildFire or local analysis verdict is obtained. ELF file protection requires Traps agent 6.0 or a later release.
  • Malware protection modules
    —Targets the execution behavior of a file—such as those associated with reverse shell protection.
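The behavioral threat protection item in the Windows, Mac and Linux lists above makes the point that a chain of events can be malicious even when each event looks legitimate on its own. The following is an added illustration of evaluating such a causality chain, written for this page and not Cortex XDR's own detection logic: it links constructed process events by parent PID, reconstructs each process's ancestry, and flags an outbound connection made by a shell whose ancestor is an Office application. It also shows the child-process blocking idea from the Windows "Malware protection modules" item as a check on process start events. The event records, process names and the 203.0.113.5 documentation address are constructed assumptions.

```python
"""Causality-chain evaluation over constructed process events
(added illustration, not Cortex XDR code).

Each event is benign in isolation: an Office document opens, a shell starts,
a process connects to the network. Only the chain is suspicious.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # executable name, lowercase
    action: str         # "start" | "net_connect" | "file_write"
    detail: str = ""    # constructed: command-line hint, destination, or path


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "start"),
    ProcEvent(200, 100, "winword.exe", "start", "invoice.docm"),
    ProcEvent(300, 200, "powershell.exe", "start", "-file update.ps1"),
    ProcEvent(300, 200, "powershell.exe", "net_connect", "203.0.113.5:443"),
    ProcEvent(400, 100, "chrome.exe", "start"),
    ProcEvent(400, 100, "chrome.exe", "net_connect", "203.0.113.5:443"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def build_ancestry(events):
    """Map pid -> ppid and pid -> image from the process start events."""
    parents = {e.pid: e.ppid for e in events if e.action == "start"}
    images = {e.pid: e.image for e in events if e.action == "start"}
    return parents, images


def chain_for(pid, parents, images):
    """Image names from the process up to the root, e.g. [shell, office, explorer].

    The seen-set guards against PID reuse producing a cycle in the data.
    """
    chain, seen = [], set()
    while pid in images and pid not in seen:
        seen.add(pid)
        chain.append(images[pid])
        pid = parents[pid]
    return chain


def would_block_child(ev, images):
    """Child-process restriction: an Office app must not spawn a shell."""
    return (ev.action == "start"
            and ev.image in SHELLS
            and images.get(ev.ppid) in OFFICE_APPS)


def evaluate_event(ev, parents, images):
    """Causality rule: outbound connection by a shell descended from an Office app."""
    if ev.action != "net_connect":
        return None
    chain = chain_for(ev.pid, parents, images)
    if chain and chain[0] in SHELLS and any(img in OFFICE_APPS for img in chain[1:]):
        return " -> ".join(reversed(chain)) + f" -> net_connect {ev.detail}"
    return None


def detect(events):
    """Return one description per event whose causality chain matches the rule."""
    parents, images = build_ancestry(events)
    return [hit for ev in events if (hit := evaluate_event(ev, parents, images))]


def blocked_starts(events):
    """Return the start events the child-process restriction would have stopped."""
    _, images = build_ancestry(events)
    return [ev for ev in events if would_block_child(ev, images)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("causality chain:", hit)
    for ev in blocked_starts(SAMPLE_EVENTS):
        print("would block child process:", ev.image, "from parent", ev.ppid)
```

Note that chrome.exe connecting to the same address is not flagged: its ancestry contains no Office application, which is exactly the distinction a per-event inspection would miss.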

Malware Protection for Android

  • WildFire integration
    —Enables automatic detection of known malware and grayware, and analysis of unknown APK files using WildFire threat intelligence.
  • APK file examination
    —Analyzes malicious APK files and prevents them from running.
  • Evaluation of trusted signers
    —Permits unknown files that are signed by trusted signers to run on the Android device.
