Targets encryption-based activity associated with ransomware and has the ability to analyze and halt ransomware activity before any data loss occurs.

Prevents attacks that change the execution order of a process by redirecting an asynchronous procedure call (APC) to point to the malicious shellcode.

Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains.

Prevents attackers from hijacking the process control flow by monitoring memory layout enumeration attempts.

Prevents script-based attacks that are used to deliver malware, such as ransomware, by blocking known targeted processes from launching child processes that are commonly used to bypass traditional security approaches.

Protects against vulnerabilities related to the display routine for Windows Control Panel Library (CPL) shortcut images, which can be used as a malware infection vector.

Prevents areas of memory defined to contain only data from running executable code.

Prevents DLL-hijacking attacks where the attacker attempts to load dynamic-link libraries on Windows operating systems from unsecure locations to gain control of a process.

Prevents access to crucial DLL metadata from untrusted code locations.

Prevents Dylib-hijacking attacks where the attacker attempts to load dynamic libraries on Mac operating systems from unsecure locations to gain control of a process.

Protects against the fingerprinting technique used by browser exploit kits to identify information—such as the OS or applications which run on an endpoint—that attackers can leverage when launching an attack to evade protection capabilities.

Prevents improper font handling, a common target of exploits.

Enhances the macOS gatekeeper functionality that allows apps to run based on their digital signature. This module provides an additional layer of protection by extending gatekeeper functionality to bundles and child processes so you can enforce the signature level of your choice.

Halts execution of files that an administrator identified as malware regardless of the WildFire verdict.

Prevents the use of system functions to bypass DEP and address space layout randomization (ASLR).

Blocks attempts to execute malicious code during the Java objects deserialization process on Java-based servers.

Prevents an attacker from bypassing the operating system's memory mitigations using just-in-time (JIT) compilation engines.

Prevents rootkit and vulnerability exploitation on Linux endpoints. On the first detection of suspicious rootkit behavior, the behavioral threat protection (BTP) module generates an XDR Agent alert. Cortex XDR stitches logs about the process that loaded the kernel module with other logs relating to the kernel module to aid in alert investigation. When the Cortex XDR agent detects subsequent rootkit behavior, it blocks the activity.

Examines hundreds of characteristics of an unknown executable file, DLL, or macro to determine if it is likely to be malware. The local analysis module uses a static set of pattern-matching rules that inspect multiple file features and attributes, and a statistical model that was developed using machine learning on WildFire threat intelligence.

Protects against malicious PHP files arriving from the web server.

Prevents attackers from performing malicious activities that require privileges that are higher than those assigned to the attacked or malicious process.

Analyze network packet data to detect malicious behavior already at the network level. The engine leverages both Palo Alto Networks NGFW content rules, and new Cortex XDR content rules created by the Research Team which are updated through the security content.

—

—

Prevents malicious code from mapping to address zero in the memory space, making null dereference vulnerabilities unexploitable.

Prevents unauthorized execution from a local path.

Prevents unauthorized execution from a network path.

Prevents unauthorized execution from removable media.

Blocks malicious activity where an attacker redirects standard input and output streams to network sockets.

Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP chains.

Prevents hijacking of the structured exception handler (SEH), a commonly exploited control structure that can contain multiple SEH blocks that form a linked list chain, which contains a sequence of function records.

Reserves and protects certain areas of memory commonly used to house payloads using heap spray techniques.

Prevents shell-link logical vulnerabilities.

Prevents dynamic loading of libraries from unsecure locations to gain control of a process.

Prevents using system calls to bypass other protection capabilities.

Improves or altogether implements ASLR (address space layout randomization) with greater entropy, robustness, and strict enforcement.

Detect attempts to load vulnerable drivers.

Leverages WildFire for threat intelligence to determine whether a file is malware. In the case of unknown files, Cortex XDR can forward samples to WildFire for in-depth analysis.