https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/portableapps-block-all/m-p/569255#M5693 <P><SPAN>Hello, I would like to know if anyone has ever blocked portable applications...</SPAN></P> <P><SPAN> We would like to block PortableApps (PortableApps.com)... without blocking them one by one, as there are many. Has anyone ever blocked them using a wildcard in the process name? I know it's not entirely secure to block solely based on the process name, but it would be helpful...</SPAN></P> <P>&nbsp;</P> <DIV class="flex-1 overflow-hidden"> <DIV class="react-scroll-to-bottom--css-tumpv-79elbk h-full"> <DIV class="react-scroll-to-bottom--css-tumpv-1n7m0yu"> <DIV class="flex flex-col pb-9 text-sm"> <DIV class="w-full text-token-text-primary" data-testid="conversation-turn-16"> <DIV class="px-4 py-2 justify-center text-base md:gap-6 m-auto"> <DIV class="flex flex-1 text-base mx-auto gap-3 md:px-5 lg:px-1 xl:px-5 md:max-w-3xl lg:max-w-[40rem] xl:max-w-[48rem] } group final-completion"> <DIV class="relative flex w-full flex-col lg:w-[calc(100%-115px)] agent-turn"> <DIV class="flex-col gap-1 md:gap-3"> <DIV class="flex flex-grow flex-col max-w-full"> <DIV class="min-h-[20px] text-message flex flex-col items-start gap-3 whitespace-pre-wrap break-words [.text-message+&amp;]:mt-5 overflow-x-auto" data-message-author-role="assistant" data-message-id="cc814da3-997b-4586-b1f0-43aee9f88ab2"> <DIV class="markdown prose w-full break-words dark:prose-invert dark"> <P>Does anyone have any ideas or suggestions?</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Mon, 11 Dec 2023 11:49:34 GMT tlmarques 2023-12-11T11:49:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/portableapps-block-all/m-p/569255#M5693 <P><SPAN>Hello, I would like to know if anyone has ever blocked portable applications...</SPAN></P> <P><SPAN> We would like to block PortableApps (PortableApps.com)... without blocking them one by one, as there are many. Has anyone ever blocked them using a wildcard in the process name? I know it's not entirely secure to block solely based on the process name, but it would be helpful...</SPAN></P> <P>&nbsp;</P> <DIV class="flex-1 overflow-hidden"> <DIV class="react-scroll-to-bottom--css-tumpv-79elbk h-full"> <DIV class="react-scroll-to-bottom--css-tumpv-1n7m0yu"> <DIV class="flex flex-col pb-9 text-sm"> <DIV class="w-full text-token-text-primary" data-testid="conversation-turn-16"> <DIV class="px-4 py-2 justify-center text-base md:gap-6 m-auto"> <DIV class="flex flex-1 text-base mx-auto gap-3 md:px-5 lg:px-1 xl:px-5 md:max-w-3xl lg:max-w-[40rem] xl:max-w-[48rem] } group final-completion"> <DIV class="relative flex w-full flex-col lg:w-[calc(100%-115px)] agent-turn"> <DIV class="flex-col gap-1 md:gap-3"> <DIV class="flex flex-grow flex-col max-w-full"> <DIV class="min-h-[20px] text-message flex flex-col items-start gap-3 whitespace-pre-wrap break-words [.text-message+&amp;]:mt-5 overflow-x-auto" data-message-author-role="assistant" data-message-id="cc814da3-997b-4586-b1f0-43aee9f88ab2"> <DIV class="markdown prose w-full break-words dark:prose-invert dark"> <P>Does anyone have any ideas or suggestions?</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Mon, 11 Dec 2023 11:49:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/portableapps-block-all/m-p/569255#M5693 tlmarques 2023-12-11T11:49:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/portableapps-block-all/m-p/569295#M5696 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>I did some reasearch, and all the executable files are signed by "Rare Ideas, LLC", it means that you can create a custom BIOC rule to clock this signer.</P> <P>&nbsp;</P> <P>I have created this test, and it worked:</P> <P>&nbsp;</P> <UL> <LI>Created a new custom BIOC rule in Detection Rules - BIOC</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1702308462689.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55810i7302176FAE09F3B7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jmazzeo_0-1702308462689.png" alt="jmazzeo_0-1702308462689.png" /></span></P> <UL> <LI>With right click I have assigned the rule to a restrictions profile.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_1-1702308508528.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55811i3AA7B3B1DE5A53D8/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jmazzeo_1-1702308508528.png" alt="jmazzeo_1-1702308508528.png" /></span></P> <UL> <LI>I have enabled the "Custom Prevention Rules" action in the assigned Restrictions Profile, and the rule appears there.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_2-1702308558982.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55812iEEC630A8350A69F5/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jmazzeo_2-1702308558982.png" alt="jmazzeo_2-1702308558982.png" /></span></P> <UL> <LI>The downloaded Notepad++ is blocked in execution. This also can work in the extraction point, the exe uses the same signature name.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_3-1702308673984.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55813i80659D1F6D288E01/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jmazzeo_3-1702308673984.png" alt="jmazzeo_3-1702308673984.png" /></span></P> <P>&nbsp;</P> <P>If this works for you, mark this post as the solution. Thanks!</P> Mon, 11 Dec 2023 15:32:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/portableapps-block-all/m-p/569295#M5696 jmazzeo 2023-12-11T15:32:05Z