https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/lsa-protection-and-antimalware-dll-loading/m-p/1000697#M7683 <P>We currently have deployed LSA Protection and code integrity in Windows 11 (build 24H2).</P> <P>Cortex XDR agent 8.6.0 is installed. When trying to load a DLL from another security tool (Ivanti Device and Application Control), Code Integrity is blocking the action with the following error:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG>Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Palo Alto Networks\Traps\cyserver.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\sxwmon64.dll that did not meet the Custom 3 / Antimalware signing level requirements.</STRONG></P> <P>&nbsp;</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65109iE60937A8A27E3141/image-size/medium?v=v2&amp;px=400" role="button" title="error.PNG" alt="error.PNG" /></span></P> <P>&nbsp;</P> <P>Antimalware signing requirements are documented here, and the following statement may be related :&nbsp;<A href="https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-#anti-malware-service-signing-requirements" target="_blank" rel="noopener">Protecting anti-malware services - Win32 apps | Microsoft Learn</A></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG>The user-mode service that needs to be launched as protected must be signed with valid certificates. <FONT color="#FF0000">The service EXE must be page hash signed, and any non-Windows DLLs that get loaded into the service must be also signed with the same certificates</FONT>. The hash of these certificates must be added into the resource file, which will be linked into the ELAM driver.</STRONG></P> <P>&nbsp;</P> <P>Any recommendation?</P> <P>&nbsp;</P> <P>Thank you</P> Wed, 08 Jan 2025 14:36:31 GMT maxime_ch 2025-01-08T14:36:31Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/lsa-protection-and-antimalware-dll-loading/m-p/1000697#M7683 <P>We currently have deployed LSA Protection and code integrity in Windows 11 (build 24H2).</P> <P>Cortex XDR agent 8.6.0 is installed. When trying to load a DLL from another security tool (Ivanti Device and Application Control), Code Integrity is blocking the action with the following error:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG>Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Palo Alto Networks\Traps\cyserver.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\sxwmon64.dll that did not meet the Custom 3 / Antimalware signing level requirements.</STRONG></P> <P>&nbsp;</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error.PNG" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65109iE60937A8A27E3141/image-size/medium?v=v2&amp;px=400" role="button" title="error.PNG" alt="error.PNG" /></span></P> <P>&nbsp;</P> <P>Antimalware signing requirements are documented here, and the following statement may be related :&nbsp;<A href="https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-#anti-malware-service-signing-requirements" target="_blank" rel="noopener">Protecting anti-malware services - Win32 apps | Microsoft Learn</A></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG>The user-mode service that needs to be launched as protected must be signed with valid certificates. <FONT color="#FF0000">The service EXE must be page hash signed, and any non-Windows DLLs that get loaded into the service must be also signed with the same certificates</FONT>. The hash of these certificates must be added into the resource file, which will be linked into the ELAM driver.</STRONG></P> <P>&nbsp;</P> <P>Any recommendation?</P> <P>&nbsp;</P> <P>Thank you</P> Wed, 08 Jan 2025 14:36:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/lsa-protection-and-antimalware-dll-loading/m-p/1000697#M7683 maxime_ch 2025-01-08T14:36:31Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/lsa-protection-and-antimalware-dll-loading/m-p/1085867#M7748 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/679637683">@maxime_ch</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>That's an expected behavior in the XDR agent. Can you create an exception for this case in the LSA Protection managing tool?</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 15 Jan 2025 17:50:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/lsa-protection-and-antimalware-dll-loading/m-p/1085867#M7748 jmazzeo 2025-01-15T17:50:19Z