Create an Exploit Protection Rule

An exploit protection rule uses exploit protection modules (EPMs) to protect processes in your organization from specific exploitation techniques. Each module prevents attempts to exploit program vulnerabilities related to memory corruption and software logic flaws and protects against a specific attack method, such as DLL hijacking or heap corruption. If a process is vulnerable to a specific type of attack, you can activate an EPM to protect it. Although Traps protects common processes automatically, you can tailor your exploit protection policy to meet the needs of your organization.

For each exploit protection rule you add, configure EPM-specific settings and choose the process or processes to which the rule applies. You can apply the rule to a single process, multiple processes, or all processes. Additional settings typically include EPM activation, Traps behavior, and user notification.

As with other types of rules, you can reduce the scope of an exploit protection rule by specifying Target Objects and Conditions that must be satisfied for the rule to apply. A target object can be any user, group, organizational unit, or computer that appears in Active Directory or any existing endpoint on which the Traps agent is installed. A condition can refer to a specific file, the specific version or range of versions for a file, or a registry path that must exist on the endpoint.

Additional EPMs and fine-grained settings are hidden and are accessible only in ninja mode

. To configure these EPMs and settings, you must enter an administrative password.

Configuring exploit protection rules is an advanced feature. To change or override an exploit protection rule, consult with the Palo Alto Networks support team.

1. Configure a new exploit protection rule.
   Select PoliciesExploitProtection Modules.
2. Select the operating system for which you want to configure the rule.
3. From the action menu
   , Add a new rule.
4. Configure EPM injection.
   By default, EPM injection is enabled. To disable all exploit protection of the protected processes on your system, select the option at the bottom of the list of EPMs to Disable All EPM Injection.
5. Configure the settings for the EPM module.
   1. Select the EPM from the list and configure its settings in the Details section. The settings for each type of EPM are different but can include preferences on whether or not to terminate a process and notify a user about a security event.
   2. Repeat the process to add and configure additional EPMs. For more information on the different types of EPMs, see Exploit Protection Rules.
      Changing EPM definitions changes the order in which rules are evaluated and can affect your protection level (see Policy Enforcement). To avoid compromising your organizational security, consult with Palo Alto Networks Support.
6. Select the processes for which you want to apply the rule.
   Before configuring an exploit protection rule on a new process, you must define the process and the protection type on the PoliciesExploitProcess Management page. To add a new process, see Add a New Protected Process. To change the protection type of a process, for example from Unknown to Protected, see View, Modify, or Delete a Process.
   1. Select the Processes tab.
   2. Narrow the list of processes by selecting the process type from the drop-down, either Protected or Provisional. Provisional processes are processes that are undergoing a test run and are monitored separately from protected processes. For a list of processes that are protected by the default security policy, see the release notes for your associated content update version.
   3. Select one or more processes to which to apply the rule, and then click Add. Or, to apply the rule to all protected or provisional processes, select All Processes.
7. (Optional) Add Conditions to the rule. By default, a new rule does not contain any conditions.
   To specify a condition, select the Conditions tab, select the condition in the Conditions list, and then Add it to the Selected Conditions list. Repeat this step to add more conditions, as needed. You can also define new Conditions.
8. (Optional) Define the Target Objects to which to apply the rule.
   To define a smaller subset of target objects, select the Objects tab, and then enter one or more AD Users, AD Computers, AD Groups, AD Organizational Unit, Existing Endpoints, or Existing Groups in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units. The ESM Console also offers autocompletion as you type for existing endpoints and existing virtual groups.
9. (Optional) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed.
   To override the autogenerated name, select the Name tab, clear the Activate automatic description option, and then enter a rule name and description of your choice.
10. Save the exploit protection rule.
    Do either of the following:

    • Save the rule without activating it. This option is only available for inactive, cloned, or new rules. When you are ready to activate the rule, select the rule from the PoliciesExploitProtection Modules page and then click Activate.
    • Apply the rule to activate it immediately.

    After saving or applying a rule, you can return to the Protection Modules page at any time to Delete or Deactivate the rule.