https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584494#M6553 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp;</P> <P>&nbsp;</P> <P>When one reads the name of the module, normally comes to mind every kind of file writing events, not only the executables or scripts. Couldn't find the exact info about it in the docus. Do you have a link to the source of this info, where perhaps I can get more&nbsp; also on other modules?&nbsp;</P> <P>&nbsp;</P> <P>Thanks in advence.</P> Mon, 22 Apr 2024 13:51:16 GMT AbdBgc 2024-04-22T13:51:16Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/583820#M6513 <P>Hi everyone,&nbsp;</P> <P>Just wondering how's the performance or resource is impacted when this protection is on, i bet it would have certain impact as this is "Disabled" by default. or any other concerns if ON?</P> <P>Any experience to share?</P> <P>thanks&nbsp;</P> Tue, 16 Apr 2024 04:39:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/583820#M6513 SeanDeHarris 2024-04-16T04:39:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584058#M6527 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/184443">@SeanDeHarris</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>The on-write protection should not generate too much impact on the endpoints, because this module only starts a scan when the written file is an executable or a script. The <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/File-Analysis-and-Protection-Flow" target="_self">scan workflow</A> is the same when a file is executed, first it will ask to Wildfire about the reputation, and if the reputation is good, no other scan will be executed.</P> <P>If you want to test if first, I'll recommend you to create a <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Set-up-malware-security-profiles" target="_self">new malware profile</A>, enable this feature, and assign it to a group of endpoints to monitor the performance behavior.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Wed, 17 Apr 2024 15:35:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584058#M6527 jmazzeo 2024-04-17T15:35:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584494#M6553 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp;</P> <P>&nbsp;</P> <P>When one reads the name of the module, normally comes to mind every kind of file writing events, not only the executables or scripts. Couldn't find the exact info about it in the docus. Do you have a link to the source of this info, where perhaps I can get more&nbsp; also on other modules?&nbsp;</P> <P>&nbsp;</P> <P>Thanks in advence.</P> Mon, 22 Apr 2024 13:51:16 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584494#M6553 AbdBgc 2024-04-22T13:51:16Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584673#M6570 <P>This is what we can share about the On-Write file protection file types and some other useful information:</P> <P>&nbsp;</P> <P>- File types: DLL, PE&nbsp; and Macro</P> <P>- Exceptions: add affected path to the blocking module.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Mon, 30 Dec 2024 20:46:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584673#M6570 jmazzeo 2024-12-30T20:46:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584731#M6577 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp;, this is helpful.<span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> <P>&nbsp;</P> <P>As far as I see, even as admin I have only the option to turn it on or off, Enabled/Disabled, in Malware Prevention Profile from the Console. So, no option to use this protection type in monitoring only mode (no "Report" only option)<SPAN>, </SPAN><STRONG style="font-family: inherit;">if enabled</STRONG><SPAN> it will detect and </SPAN><STRONG style="font-family: inherit;">prevent in any case.</STRONG><SPAN> Is that correct?</SPAN></P> Wed, 24 Apr 2024 05:56:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584731#M6577 AbdBgc 2024-04-24T05:56:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584783#M6582 <P>That toggle is to enable the ability to send the written files to analysis. The actions are made by the usual modules as is mentioned in the last bullet on the screenshot.</P> Wed, 24 Apr 2024 12:42:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-protection-is-disabled-by-default/m-p/584783#M6582 jmazzeo 2024-04-24T12:42:58Z