topic Re: Allowing child process from parent process in Cortex XDR in Cortex XDR Discussions

Allowing child process from parent process in Cortex XDR

oburgos — Wed, 05 Aug 2020 15:43:36 GMT

Hello,

Is there a way to allow a legitimate parent process to create a legitimate child process on Cortex XDR that is being blocked due to "Suspicious Process Creation"? In my case, I whitelisted the child process but the block continues. I do not want to whitelist the parent process as this may allow malware into our environment someday.

I remember version 4.1 of Traps allowing this under Child Process Protection (I think was the name). For example "ParentProcess.exe ->spawns-> ChildProcess.exe : Allow". I looked into the exception profile, but it only allows me to create an exception for just one specific process.

If anyone has an idea of if/how to accomplish this with Cortex XDR, please let me know! Thank you, stay safe.

Re: Allowing child process from parent process in Cortex XDR

ajrechk — Wed, 05 Aug 2020 22:38:15 GMT

Hi, I believe this may be what you are looking for:

Under Endpoints go to Policy Management
Then select Profiles on the left under the Prevention heading
Find your active Malware profile and right-click and Edit
Scroll down to Malicious Child Process Protection

You will then find a whitelist option to do a combo of the parent and child process along with any specific parameters

Re: Allowing child process from parent process in Cortex XDR

JahidAliyev — Thu, 22 Feb 2024 11:10:58 GMT

Heloo @ajrechk
According to:

Application information:
Application name: Windows Explorer
Application version: 10.0.22621.3007
Application publisher: Microsoft Corporation
Process ID: 20676
Application location: C:\Windows\explorer.exe
Command line: C:\WINDOWS\Explorer.EXE
File origin: Hard drive on this computer

Target application information:
Application name: Java(TM) Platform SE binary
Application version: 21.0.2.0
Application publisher: Oracle Corporation
Process ID: 2432
Application location: C:\Program Files\Java\jdk-21\bin\javaw.exe
Command line: "C:\Program Files\Java\jdk-21\bin\javaw.exe" -jar "C:\Users\ayxanp\AppData\Local\Temp\961644af-8259-4735-a751-8b545a44ed02_apache-jmeter-5.6.3.tgz.d02\apache-jmeter-5.6.3\bin\ApacheJMeter.jar"
File origin: Hard drive on this computer

Prevention information:
Prevention date: Thursday, February 22, 2024
Prevention time: 11:30:43
OS version: 10.0.22631.2.0.0.256.1
Component: Child Process Protection
Status code: 80400057
Prevention description: Suspicious process creation detected
Additional information 1: explorer.exe
Additional information 2: C:\Program Files\Java\jdk-21\bin\javaw.exe
Additional information 3: -jar "C:\Users\ayxanp\AppData\Local\Temp\961644af-8259-4735-a751-8b545a44ed02_apache-jmeter-5.6.3.tgz.d02\apache-jmeter-5.6.3\bin\ApacheJMeter.jar"
Additional information 4: ChildProcessPattern: *\javaw.exe, Flag: D, CommandLineRegex: ((?i)([-/]jar\s+\"?((\Q%temp%\E)|(\Q%templong%\E)|(\Q%SystemDrive%\E\\Users\\.*\\temp)|(\Q%SystemDrive%\E\\docume.*\\temp))\\.*))

What should I write to these fields:
I need to create legacy agent exception for that. When I go to this page, I choose "Malware > Malicious Child Process Protection" as module and it requires me to fill three things which are:
1. Parent Process Name
2. Child Process Name
3. Child Process Command Line Params

Re: Allowing child process from parent process in Cortex XDR

MadhuriN — Tue, 07 May 2024 14:31:42 GMT

Hi, I am also looking for inputs on same situation. Did you already receive any response for above query ?

Re: Allowing child process from parent process in Cortex XDR

Vijisaga — Tue, 18 Jun 2024 11:42:28 GMT

Hi @JahidAliyev ,

Did you receive any update on the issue, I'm also facing the same issue.