topic prevent exe application to install in a system via cortex xdr agent in Cortex XDR Discussions

prevent exe application to install in a system via cortex xdr agent

OsamaKhan — Wed, 02 Sep 2020 09:23:56 GMT

Hi,

Can we prevent any .exe for e.g. anydesk application for installation in a system if the cortex XDR agent is installed, if it does how to configure it?

Re: prevent exe application to install in a system via cortex xdr agent

DKasabji — Sun, 13 Sep 2020 17:46:17 GMT

I see two ways of accomplishing this.

1. You can configure your restriction policy by specifying something like *\<name_of_file> in the Executable Files section -> Files / Folders in Block List.

2. You can create a BIOC Rule that targets that process and apply it to Restriction policy:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/create-a-bioc-rule.html

Best,

Re: prevent exe application to install in a system via cortex xdr agent

Retired Member — Tue, 15 Sep 2020 14:52:23 GMT

I was hoping to do this with Cortex-XDR Prevent by blocking programs from running from the user profile, but the hashes change too often. I was hoping we could block everything from running and then allow some signed applications to run from the user profile. I have had AppLocker on the list for some time to learn about.

Re: prevent exe application to install in a system via cortex xdr agent

DKasabji — Tue, 15 Sep 2020 15:15:23 GMT

For what you just described, I indeed would favor AppLocked approach, since it is designed to perform this.

I am not sure about specifics of XDR Prevent, probably does not have all the capabilities that Pro Per Endpoint or Pro Per TB editions, but don't you have in your XDR Interface the option to configure 'Restrictions Profile'? It is in Endpoints -> Policy Management -> Profiles. You locate the Restrictions profile and Edit it.

There you will find Executable Files paragraph where it asks you to input Files / FOLDERS in BLOCK LIST or in ALLOW LIST. So perhaps you could leverage this to specify that any executable within %USERPROFILE% is on BLOCK LIST.

Is that not possible in XDR Prevent?

Best,

Re: prevent exe application to install in a system via cortex xdr agent

DKasabji — Tue, 15 Sep 2020 15:19:39 GMT

Forgot to add before:
I think the Block-listing approach is probably not the best, because I haven't tested the combination of Blocking everything in a specified folder, but then allowing a specific .EXE to run in that same folder. Not sure what takes precedence: does XDR first check the allowed list and then moves on to check the block list or vice versa.

However, maybe you could configure it in a Allow-list approach by defining a Folder where you would allow the executables to run and everything else is blocked. But probably that is a bit to cumbersome to manage for end-users. Or even specific Files, which is (I think) similar to AppLocker approach.

Re: prevent exe application to install in a system via cortex xdr agent

Retired Member — Tue, 15 Sep 2020 21:24:38 GMT

Yes, Cortex XDR Prevent's Restrictions profile works as you described -- I tested the setup last week. The issue is that it is a maintenance nightmare...it was not really designed with this in mind. You can stop all .EXE files from running from the user profile, but to allow some to run is based on the filename/hash. AppLocker should allow me to setup things so that .EXE files signed by GotoMeeting are allowed, but not others. Oh, and Microsoft keeps stuffing Office 365 stuff under the user profile like Teams, OneDrive, etc.

Re: prevent exe application to install in a system via cortex xdr agent

DKasabji — Wed, 16 Sep 2020 06:25:19 GMT

@Retired Member Hm. Then the last thing that comes to mind is to create a Prevention BIOC rule which you can apply to Restriction Profile.

You'd create a BIOC something like:
Process name: *.exe

Path: %USERPROFILE% (and any other path you want to prevent EXEs to not run)

Signature: SIGNED

Signer: NOT 'GoToMeetings' (etc.)

Then you set it in Restriction Profile as the Prevention Rule. This means that everytime an EXE process will execute that is in %USERPROFILE% and it is NOT signed by GoToMettings --> block the execution.

Maybe this could help you. But if you already decided on AppLocker, then never mind.

Best,

Re: prevent exe application to install in a system via cortex xdr agent

DKasabji — Wed, 16 Sep 2020 06:27:00 GMT

OH crap! I forgot. The 'Prevent' license probably does not have the option to create BIOCs? Have no experience with Prevent license type, my bad.

Re: prevent exe application to install in a system via cortex xdr agent

Retired Member — Thu, 17 Sep 2020 19:45:01 GMT

I appreciate the info - Pro was way outside of our budget. I thought for a moment I had overlooked something (and the Palo Alto person who helped with the PoC didn't share this) so it nice to get confirmation I should not see the BIOC options on the web console.

Re: prevent exe application to install in a system via cortex xdr agent

JosephNil — Thu, 24 Sep 2020 11:48:36 GMT

Thanks for the update and quick reply. I'll be sure to keep an eye on this thread dqfansurvey.