https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/looking-for-some-advice-on-java-deserialization-protection-and/m-p/530263#M3586 <P>Hello,<BR />I need some advice regarding the "Known Vulnerable Processes Protection" for Linux. <BR />This protection seems to prevent the jetbrains IDE IntelliJ IDEA (version 2023.3 build 223.7571.182) from running because of the Java Deserialisation Protection module (regarding log4j <A href="https://blog.jetbrains.com/platform/2022/02/removing-log4j-from-the-intellij-platform/" target="_blank">https://blog.jetbrains.com/platform/2022/02/removing-log4j-from-the-intellij-platform/</A> ).</P> <P>What is the best way to get this IDE to run while maintaining the protection?<BR /><BR /></P> <P>Thanks in advance.</P> <P>Decio</P> Wed, 08 Feb 2023 08:14:21 GMT Decio_VD 2023-02-08T08:14:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/looking-for-some-advice-on-java-deserialization-protection-and/m-p/530263#M3586 <P>Hello,<BR />I need some advice regarding the "Known Vulnerable Processes Protection" for Linux. <BR />This protection seems to prevent the jetbrains IDE IntelliJ IDEA (version 2023.3 build 223.7571.182) from running because of the Java Deserialisation Protection module (regarding log4j <A href="https://blog.jetbrains.com/platform/2022/02/removing-log4j-from-the-intellij-platform/" target="_blank">https://blog.jetbrains.com/platform/2022/02/removing-log4j-from-the-intellij-platform/</A> ).</P> <P>What is the best way to get this IDE to run while maintaining the protection?<BR /><BR /></P> <P>Thanks in advance.</P> <P>Decio</P> Wed, 08 Feb 2023 08:14:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/looking-for-some-advice-on-java-deserialization-protection-and/m-p/530263#M3586 Decio_VD 2023-02-08T08:14:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/looking-for-some-advice-on-java-deserialization-protection-and/m-p/530318#M3587 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/257761">@Decio_VD</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for writing to live community!</P> <P>&nbsp;</P> <P>If you have a prevention alert from Java Deserialisation protection module , you can create alert exceptions for the same. Creating alert exceptions disables the Java deserialisation protection module for the initiator process and should allow you to run the application.</P> <P>&nbsp;</P> <P>However, this is not just the end of it. Once created, we recommend you to right click on the alert and retrieve alert dump data file and open a case with our support team describing the situation well. The TAC/engineering will analyse the logs and can do&nbsp; a detailed/granular level whitelist in form of a content update or provide you a support exception that will create more granularity for the same.&nbsp; Once the whitelist mechanism is provided, you can remove the exceptions and your should have the protection on the process while allowing the specific action for the application process.</P> <P>&nbsp;</P> <P><BR />Steps:&nbsp;</P> <OL> <LI>Create alert exceptions: Right click on alert&gt; Manage Alert&gt; create alert exception. You should get an option to create profile based(only for targetted endpoints) or global(for all the endpoints)</LI> <LI>Retrieve alert data: Right click on alert&gt; Retrieve Additional Data&gt; Retrieve Alert data. Navigate to action center and wait for the dump file to be loaded. Download the named dump file and open a support case for investigation.</LI> </OL> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it helps!</P> <P>&nbsp;</P> <P>Regards.</P> Wed, 08 Feb 2023 15:39:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/looking-for-some-advice-on-java-deserialization-protection-and/m-p/530318#M3587 neelrohit 2023-02-08T15:39:18Z