Add a New Protected Process
A process is an active instance of a program that is executed by the operating system. From the Windows Task Manager on Windows endpoints or the macOS Activity Monitor on Mac endpoints, you can view all active processes that are currently running including the names of core system processes. Many core system processes are protected by the operating system and cannot be renamed. Changing the name of these system process—for example, changing the name of the calc.exe process to calc1.exe—can cause the process to stop functioning. Because Traps identifies processes by name, changing the name of a process can also prevent Traps from applying protection rules to the new process name.
The ESM Console is preconfigured with a Default Protection Policy that protects the most vulnerable and most commonly used processes on Windows and Mac endpoints. You can protect additional uncommon, third-party, and proprietary processes by adding their names to the list of protected processes. Each rule in the exploit protection policy protects one or more processes from a specific type of exploit or vulnerability using exploit protection modules (EPMs). Depending on the configuration, Traps can activate the EPM in all processes or in specific process names. Adding a new process to the list of protected processes enables you to automatically protect the process-without any additional configuration-using any exploit protection rules that apply to all processes.
To ensure process protection continues, we recommend that you do not change the names of commonly used processes on the system. If a process name change is required, ensure that you add the renamed process as a protected process and mirror the protection rules for the old process name. As needed, you can also configure additional exploit protection rules to protect the process.
By extending protection to the applications that are important to your organization, you can provide maximum protection with minimal disruption of day-to-day activities. Add processes as either protected, provisional, or unprotected and configure them using the Process Management page.
You can configure only exploit protection rules on Protected or Provisional processes.
You cannot change the default Protected processes that are included in the initial setup. Consult the Palo Alto Networks support team for questions.
- Navigate to the Process Management page.From the ESM Console, select PoliciesExploitProcess Management.
- Select the operating system, either Windows or macOS.
- Add a new process.
- From the action menu , select Add.
- Enter the Process name.
- To actively protect the process using default and user-defined rules, set the Protection type to Protected. For additional options, see Process Protection Types.
- Save your changes to the process.Click Create.
- For each new protected process, configure an exploit
protection rule to activate the ROP Mitigation EPM in the process
and another exploit protection rule to activate the JIT Mitigation
EPM in the process. These exploit protection rules provide the best protection with the lowest false-positive rate.
- For each EPM, Create
an Exploit Protection Rule with the following settings:EPM:
Processes:Select the new protected process.Objects:To identify any unintended consequences of protecting the new process, select a small number of endpoints. If you have different environments within your organization (for example, different operating systems), we recommend that you select a few endpoints in each environment.
- User Alert—Off
- Apply the rule and then repeat the process for the second EPM.
- After a period in which no issues are caused by the
new rules, update and then apply the rule settings:EPM:
Objects:Expand the rule deployment: Add additional objects or remove all objects. In the case of the latter, if no objects are specified, the rule applies to all endpoints.
- User Alert—On
- For each EPM, Create an Exploit Protection Rule with the following settings:
Create an Exploit Protection Rule
Create an Exploit Protection Rule An exploit protection rule uses exploit protection modules (EPMs) to protect processes in your organization from specific exploitation techniques. Each ...
Exploit Protection Rules
Exploit Protection Rules An exploit protection rule uses exploit protection modules (EPMs) to protect processes in your organization from specific exploitation techniques. An EPM is ...
Process Protection Types
Process Protection Types The ESM Console categorizes each process by a Protection Type: Protected —Indicates that the process is actively protected by exploit protection rules ...
Exploit Protection Overview
Exploit Protection Overview An exploit is a sequence of commands that take advantage of a bug or vulnerability in a software application or process. Attackers ...
Collect New Process Information
Collect New Process Information By default, Traps protects the most commonly used and well-known processes on your endpoints. In addition, when WildFire is enabled, Traps ...
Maintain the Endpoints and Traps
Maintain the Endpoints and Traps On a daily or weekly basis, perform the following actions: Examine the Dashboard to verify that the Traps agent is ...
Configure the Gatekeeper Enhancement MPM
Configure the Gatekeeper Enhancement MPM The Gatekeeper Enhancement MPM is an enhancement of the macOS gatekeeper functionality which allows apps to run based on their ...
Process Management Process Protection Types Processes Protected by the Default Policy Add a New Protected Process Import or Export a Process View, Modify, or Delete ...
Configure Anti-Ransomware Protection
Configure Anti-Ransomware Protection The Anti-Ransomware Protection MPM provides additional protection against ransomware. The module targets encryption-based activity associated with ransomware with the ability to analyze ...