Create an Exploit Protection Rule
An exploit protection rule uses exploit protection modules (EPMs) to protect processes in your organization from specific exploitation techniques. Each module prevents attempts to exploit program vulnerabilities related to memory corruption and software logic flaws and protects against a specific attack method, such as DLL hijacking or heap corruption. If a process is vulnerable to a specific type of attack, you can activate an EPM to protect it. Although Traps protects common processes automatically, you can tailor your exploit protection policy to meet the needs of your organization.
For each exploit protection rule you add, configure EPM-specific settings and choose the process or processes to which the rule applies. You can apply the rule to a single process, multiple processes, or all processes. Additional settings typically include EPM activation, Traps behavior, and user notification.
As with other types of rules, you can reduce the scope of an exploit protection rule by specifying Target Objects and Conditions that must be satisfied for the rule to apply. A target object can be any user, group, organizational unit, or computer that appears in Active Directory or any existing endpoint on which the Traps agent is installed. A condition can refer to a specific file, the specific version or range of versions for a file, or a registry path that must exist on the endpoint.
Additional EPMs and fine-grained settings are hidden and are accessible only in ninja mode . To configure these EPMs and settings, you must enter an administrative password.
Configuring exploit protection rules is an advanced feature. To change or override an exploit protection rule, consult with the Palo Alto Networks support team.
- Configure a new exploit protection rule.Select PoliciesExploitProtection Modules.
- Select the operating system for which you want to configure the rule.
- From the action menu , Add a new rule.
- Configure EPM injection.By default, EPM injection is enabled. To disable all exploit protection of the protected processes on your system, select the option at the bottom of the list of EPMs to Disable All EPM Injection.
- Configure the settings for the EPM module.
- Select the EPM from the list and configure its settings in the Details section. The settings for each type of EPM are different but can include preferences on whether or not to terminate a process and notify a user about a security event.
- Repeat the process to add and configure additional
EPMs. For more information on the different types of EPMs, see Exploit
Protection Rules.Changing EPM definitions changes the order in which rules are evaluated and can affect your protection level (see Policy Enforcement). To avoid compromising your organizational security, consult with Palo Alto Networks Support.
- Select the processes for which you want to apply the
rule.Before configuring an exploit protection rule on a new process, you must define the process and the protection type on the PoliciesExploitProcess Management page. To add a new process, see Add a New Protected Process. To change the protection type of a process, for example from Unknown to Protected, see View, Modify, or Delete a Process.
- Select the Processes tab.
- Narrow the list of processes by selecting the process type from the drop-down, either Protected or Provisional. Provisional processes are processes that are undergoing a test run and are monitored separately from protected processes. For a list of processes that are protected by the default security policy, see the release notes for your associated content update version.
- Select one or more processes to which to apply the rule, and then click Add. Or, to apply the rule to all protected or provisional processes, select All Processes.
Add Conditions to
the rule. By default, a new rule does not contain any conditions.To specify a condition, select the Conditions tab, select the condition in the Conditions list, and then Add it to the Selected Conditions list. Repeat this step to add more conditions, as needed. You can also define new Conditions.
Define the Target
Objects to which to apply the rule.To define a smaller subset of target objects, select the Objects tab, and then enter one or more AD Users, AD Computers, AD Groups, AD Organizational Unit, Existing Endpoints, or Existing Groups in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units. The ESM Console also offers autocompletion as you type for existing endpoints and existing virtual groups.
Review the rule name and description. The ESM Console automatically
generates the rule name and description based on the rule details
but permits you to change these fields, if needed.To override the autogenerated name, select the Name tab, clear the Activate automatic description option, and then enter a rule name and description of your choice.
- Save the exploit protection rule.Do either of the following:
After saving or applying a rule, you can return to the Protection Modules page at any time to Delete or Deactivate the rule.
- Save the rule without activating it. This option is only available for inactive, cloned, or new rules. When you are ready to activate the rule, select the rule from the PoliciesExploitProtection Modules page and then click Activate.
- Apply the rule to activate it immediately.
Collect New Process Information
Collect New Process Information By default, Traps protects the most commonly used and well-known processes on your endpoints. In addition, when WildFire is enabled, Traps ...
Add a New Protected Process
Add a New Protected Process A process is an active instance of a program that is executed by the operating system. You can view all ...
Exploit Protection Rules
Exploit Protection Rules An exploit protection rule uses exploit protection modules (EPMs) to protect processes in your organization from specific exploitation techniques. An EPM is ...
Configure the Gatekeeper Enhancement MPM
Configure the Gatekeeper Enhancement MPM The Gatekeeper Enhancement MPM is an enhancement of the macOS gatekeeper functionality which allows apps to run based on their ...
Exclude an Endpoint from an Exploit Protection Rule
Exclude an Endpoint from an Exploit Protection Rule When an endpoint attempts to launch an application that violates an exploit protection policy, the Traps agent ...
Configure Anti-Ransomware Protection
Configure Anti-Ransomware Protection The Anti-Ransomware Protection MPM provides additional protection against ransomware. The module targets encryption-based activity associated with ransomware with the ability to analyze ...
Create a Custom User Alert Message
Create a Custom User Alert Message Traps displays prevention and notification messages when a file or process violates a security policy and the termination behavior ...
Configure Child Process Protection
Configure Child Process Protection The Child Process Protection MPM for Windows endpoints prevents script-based attacks used to deliver malware such as ransomware. To prevent these ...
Define Forensics Collection Preferences
Define Forensics Collection Preferences To help you better understand and derive implications about the true nature of a security event when it occurs on an ...