topic Re: Process Explorer Triggering Cortex XDR Alert – Clarification Needed in Cortex XDR Discussions

Process Explorer Triggering Cortex XDR Alert – Clarification Needed

tlmarques — Wed, 30 Apr 2025 09:49:01 GMT

Hi,

When our system administration team uses Process Explorer (Microsoft version), does not block the execution, but it generates alerts/incidents.

Alert Details:

Alert Name: Impair Defenses - 3645069560
Description: A tampering-capable driver with the original name procexp.sys was loaded on the system
Source: XDR Agent
Module: Behavioral Threat Protection
Category: Malware
Severity: High
Action: Prevented (Blocked)
Agent Version: 8.7.0.7735
Content Version: 1750-15130

My questions are:

Is there a way to prevent this alert from being triggered when using legitimate tools like Process Explorer?
Why is the software still able to run, even though the driver is flagged as vulnerable or tampering-capable?

Thanks in advance for your support.

Re: Process Explorer Triggering Cortex XDR Alert – Clarification Needed

tlmarques — Fri, 02 May 2025 11:04:25 GMT

From the logs, I see that the load of 'procexp.sys' was blocked by XDR. The BTP rule that blocked this activity was introduced in CU 640 aims to protect our agent from a potential vulnerability that could be exploited by the "procexp.sys" driver. When used maliciously, this driver's kernel functions could pose a risk to our agent. As a precaution, when this driver is being loaded by any application, the agent will prevent its loading but will allow the application itself to run (the source process will not be terminated).

The "procexp.sys" driver is commonly associated with tools like "Process Explorer" (procexp.exe). The driver is loaded when these applications are executed with administrative privileges, triggering an alert..