Endpoint Protection Modules
Each security profile applies multiple security modules to protect your endpoints from a wide range of attack techniques. The settings of the individual modules are not configurable; instead, the Cortex XDR agent activates the appropriate protection module based on the type of attack, the configuration of your security policy, and the operating system of the endpoint. When a security event occurs, the Cortex XDR agent logs details about the event, including which security module it used to detect and prevent the attack. The alert identifies that protection module so that you can understand the nature of the attack.
The following table lists the modules and the platforms on which they are supported. A check mark (✓) indicates the module is supported; a dash (—) indicates it is not.

Module | Description | Windows | Mac | Linux | Android |
---|---|---|---|---|---|
Anti-Ransomware | Targets encryption-based activity associated with ransomware and has the ability to analyze and halt ransomware activity before any data loss occurs. | ✓ | — | — | — |
APC Protection | Prevents attacks that change the execution order of a process by redirecting an asynchronous procedure call (APC) to point to the malicious shellcode. | ✓ | — | — | — |
Behavioral Threat | Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains. | ✓ | ✓ | ✓ | — |
Brute Force Protection | Prevents attackers from hijacking the process control flow by monitoring memory layout enumeration attempts. | — | — | ✓ | — |
Child Process Protection | Prevents script-based attacks that are used to deliver malware, such as ransomware, by blocking known targeted processes from launching child processes that are commonly used to bypass traditional security approaches. | ✓ | — | — | — |
CPL Protection | Protects against vulnerabilities related to the display routine for Windows Control Panel Library (CPL) shortcut images, which can be used as a malware infection vector. | ✓ | — | — | — |
Data Execution Prevention (DEP) | Prevents areas of memory defined to contain only data from running executable code. | ✓ | — | — | — |
DLL Hijacking | Prevents DLL-hijacking attacks where the attacker attempts to load dynamic-link libraries on Windows operating systems from unsecure locations to gain control of a process. | ✓ | — | — | — |
DLL Security | Prevents access to crucial DLL metadata from untrusted code locations. | ✓ | — | — | — |
Dylib Hijacking | Prevents Dylib-hijacking attacks where the attacker attempts to load dynamic libraries on Mac operating systems from unsecure locations to gain control of a process. | — | ✓ | — | — |
Exploit Kit Fingerprint | Protects against the fingerprinting technique used by browser exploit kits to identify information, such as the OS or applications that run on an endpoint, that attackers can leverage when launching an attack to evade protection capabilities. | ✓ | — | — | — |
Font Protection | Prevents improper font handling, a common target of exploits. | ✓ | — | — | — |
Gatekeeper Enhancement | Enhances the macOS Gatekeeper functionality that allows apps to run based on their digital signature. This module provides an additional layer of protection by extending Gatekeeper functionality to child processes so you can enforce the signature level of your choice. | — | ✓ | — | — |
Hash Exception | Halts execution of files that an administrator identified as malware regardless of the WildFire verdict. | ✓ | ✓ | ✓ | ✓ |
Hot Patch Protection | Prevents the use of system functions to bypass DEP and address space layout randomization (ASLR). | ✓ | — | — | — |
Java Deserialization | Blocks attempts to execute malicious code during the Java object deserialization process on Java-based servers. | — | — | ✓ | — |
JIT | Prevents an attacker from bypassing the operating system's memory mitigations using just-in-time (JIT) compilation engines. | ✓ | ✓ | — | — |
Kernel Integrity Monitor (KIM) | Prevents rootkit and vulnerability exploitation on Linux endpoints. On the first detection of suspicious rootkit behavior, the behavioral threat protection (BTP) module generates an XDR Agent alert. Cortex XDR stitches logs about the process that loaded the kernel module with other logs relating to the kernel module to aid in alert investigation. When the Cortex XDR agent detects subsequent rootkit behavior, it blocks the activity. | — | — | ✓ | — |
Local Analysis | Examines hundreds of characteristics of an unknown executable file, DLL, or macro to determine if it is likely to be malware. The local analysis module uses a statistical model that was developed using machine learning on WildFire threat intelligence. | ✓ | ✓ | ✓ | — |
Local Threat Evaluation Engine (LTEE) | Protects against malicious PHP files arriving from the web server. | — | — | ✓ | — |
Local Privilege Escalation Protection | Prevents attackers from performing malicious activities that require privileges higher than those assigned to the attacked or malicious process. | ✓ | ✓ | ✓ | — |
Null Dereference | Prevents malicious code from mapping to address zero in the memory space, making null dereference vulnerabilities unexploitable. | ✓ | — | — | — |
Restricted Execution - Local Path | Prevents unauthorized execution from a local path. | ✓ | — | — | — |
Restricted Execution - Network Location | Prevents unauthorized execution from a network path. | ✓ | — | — | — |
Restricted Execution - Removable Media | Prevents unauthorized execution from removable media. | ✓ | — | — | — |
Reverse Shell Protection | Blocks malicious activity where an attacker redirects standard input and output streams to network sockets. | — | — | ✓ | — |
ROP | Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP chains. | ✓ | ✓ | ✓ | — |
SEH | Prevents hijacking of the structured exception handler (SEH), a commonly exploited control structure that can contain multiple SEH blocks that form a linked list chain, which contains a sequence of function records. | ✓ | — | — | — |
Shellcode Protection | Reserves and protects certain areas of memory commonly used to house payloads using heap spray techniques. | — | — | ✓ | — |
ShellLink | Prevents shell-link logical vulnerabilities. | ✓ | — | — | — |
SO Hijacking Protection | Prevents dynamic loading of libraries from unsecure locations to gain control of a process. | — | — | ✓ | — |
SysExit | Prevents using system calls to bypass other protection capabilities. | ✓ | — | — | — |
UASLR | Improves or altogether implements ASLR (address space layout randomization) with greater entropy, robustness, and strict enforcement. | ✓ | — | — | — |
WildFire | Leverages WildFire for threat intelligence to determine whether a file is malware. In the case of unknown files, Cortex XDR can forward samples to WildFire for in-depth analysis. | ✓ | ✓ | ✓ | ✓ |
WildFire Post-Detection (Malware and Grayware) | Identifies a file that was previously allowed to run on an endpoint that is now determined to be malware. Post-detection events provide notifications for each endpoint on which the file executed. | ✓ | ✓ | ✓ | ✓ |