topic Re: Legacy agent exception and Disable prevention rule in Cortex XDR Discussions

Legacy agent exception and Disable prevention rule

DannyMulheran — Thu, 09 May 2024 04:51:49 GMT

What is the difference between Legacy agent exception and Disable prevention rules?

This was asked in another discussion but the answer does not resolve the question asked (https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-and-exclusion-tips-amp-trick-best-practices/td-p/569675 )

Thanks

Danny

Re: Legacy agent exception and Disable prevention rule

jmazzeo — Thu, 09 May 2024 12:08:02 GMT

Hi @DannyMulheran, thanks for reaching us using the Live Community.

The Disable Prevention Rules applies to agents only from version 7.9 and above.

The Legacy Agent Exceptions also applies to older agent versions.

If this post answers your question, please mark it as the solution.

Re: Legacy agent exception and Disable prevention rule

Fm12345 — Thu, 09 May 2024 17:04:04 GMT

Disable prevention rules are more granular compared to legacy agent exceptions.

Legacy agent exceptions Target the hole module like pe dll examination where as disable prevention rules would Target specific protections within that..like we can do wildfire detection, wildfire post detection, local analysis etc..

Disable prevention rules generate an alert even after allowing the activities where as legacy agent exceptions mostly don't generate alerts and allow a process to run.(E.g global behavior protection based legacy exception or credential protection module related ones generate alerts and other PE dll examination module based legacy agent exceptions don't generate alerts.

That's all I can remember for now 😉

Re: Legacy agent exception and Disable prevention rule

DannyMulheran — Thu, 09 May 2024 21:54:55 GMT

Thanks, really appreciate the reply.

Re: Legacy agent exception and Disable prevention rule

DannyMulheran — Thu, 09 May 2024 21:55:53 GMT

Thanks JM, your response is appreciated.