https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997012#M7552 <P><SPAN>Hello,</SPAN><BR /><SPAN>I've two questions.</SPAN><BR /><BR /><SPAN>First, I would like to know about your experience. How do you handle uninstalling software on specific devices that are not allowed and need to be removed via&nbsp;</SPAN><A id="hoverCardLink" class="lia-link-navigation lia-product-hover-card-link lia-product-mention lia-tooltip-trigger" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/Cortex+XDR/pd-p/Cortex_XDR" target="_blank">Cortex XDR</A><SPAN>&nbsp;</SPAN><SPAN>&nbsp;without the user noticing?</SPAN><BR /><BR /><SPAN>The second question is: Is it possible to block apps? For example, I don’t want users to install Wireshark. Can it be blocked</SPAN></P> Fri, 06 Dec 2024 18:46:50 GMT tlmarques 2024-12-06T18:46:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997012#M7552 <P><SPAN>Hello,</SPAN><BR /><SPAN>I've two questions.</SPAN><BR /><BR /><SPAN>First, I would like to know about your experience. How do you handle uninstalling software on specific devices that are not allowed and need to be removed via&nbsp;</SPAN><A id="hoverCardLink" class="lia-link-navigation lia-product-hover-card-link lia-product-mention lia-tooltip-trigger" href="https://live.paloaltonetworks.com/t5/c-twzvq79624/Cortex+XDR/pd-p/Cortex_XDR" target="_blank">Cortex XDR</A><SPAN>&nbsp;</SPAN><SPAN>&nbsp;without the user noticing?</SPAN><BR /><BR /><SPAN>The second question is: Is it possible to block apps? For example, I don’t want users to install Wireshark. Can it be blocked</SPAN></P> Fri, 06 Dec 2024 18:46:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997012#M7552 tlmarques 2024-12-06T18:46:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997023#M7553 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>Both use cases are not supported as an OOTB feature, as the XDR solutions aims to prevent malware and alert on suspicious behavior in processes (and many etcetera).</P> <P>&nbsp;</P> <P>Anyway, it can be achieved with workarounds like <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Run-scripts-on-an-endpoint" target="_self">running custom scripts</A> for the first case, and creating <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-BIOC-rule" target="_self">custom BIOC rules</A> to block the Wireshark executable by signer.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Fri, 06 Dec 2024 19:50:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997023#M7553 jmazzeo 2024-12-06T19:50:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997244#M7558 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp; thnks for your help.</P> <P>&nbsp;</P> <P>In my company, we have issues with some users installing prohibited applications (e.g., Chrome, Wireshark). I want to either remove these apps or create a policy to block them every time they are launched.</P> <P>Is it possible to create a BIOC rule and apply it to specific groups? Or would it be better to use an XQL query to exclude endpoints by name using the initiator field?</P> Mon, 09 Dec 2024 14:30:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997244#M7558 tlmarques 2024-12-09T14:30:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997254#M7560 <P>i've solved the exexcution with this:<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgyMCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgyMCAS</A></P> <P>&nbsp;</P> Mon, 09 Dec 2024 15:40:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997254#M7560 tlmarques 2024-12-09T15:40:27Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997255#M7561 <P>That's great, that is the approach I mentioned in my previous post, using BIOC rules.</P> <P>&nbsp;</P> <P>You can apply the Restriction Profiles with the BIOC rules assigned to block to any different <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Define-Endpoint-Groups" target="_self">Endpoint Groups</A> that you can configure from the console, or you can use your directory OUs or Groups (if applies) using the <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Set-Up-Cloud-Identity-Engine" target="_self">CIE integration</A>.</P> Mon, 09 Dec 2024 15:46:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-remove-softwares-with-xdr/m-p/997255#M7561 jmazzeo 2024-12-09T15:46:19Z