topic Re: BTD - PROCEXP152.SYS - Vulnerable Driver Loaded in Cortex XDR Discussions

BTD - PROCEXP152.SYS - Vulnerable Driver Loaded

Panagiss — Tue, 20 Jun 2023 13:07:09 GMT

Cortex blocked driver PROCEXP152.SYS from being loaded (rule: sync.vulnerable_driver_by_original_name_loaded_procexp)
The thing it that this is a signed microsoft driver and it's kind of a known situation for many other vendors.

Links: Process Explorer - ProcExp152.sys Driver Flagged As Vulnerable - Microsoft Q&A , SentinelOne annoyance! : r/sysadmin (reddit.com)

Does anyone seen this in Cortex before? What it's the best thing to do?

Thanks

Re: BTD - PROCEXP152.SYS - Vulnerable Driver Loaded

afurze — Tue, 20 Jun 2023 15:37:33 GMT

Hi Panagiss,

Cortex XDR is indicating that this is a vulnerable driver, not that it is not a legitimate driver (we're not disputing that it's signed by MS). A common tactic used by attackers is to take advantage of highly trusted binaries which are vulnerable to abuse to perform actions like killing EDR tools. There are many examples of executables which are vulnerable to misuse, including older versions of the process explorer binary. To prevent misuse, Cortex XDR blocks loading of vulnerable versions of this executable by default.

If you want to allow this driver to be loaded in your environment, you can create a Disable Prevention Rule and (optionally) an Alert Exclusion to allow the driver to be loaded and suppress associated alerts from the console. Keep in mind that this will create a risk for your organization as attackers could exploit this driver to kill Cortex XDR on the endpoint they have gained access to.

Re: BTD - PROCEXP152.SYS - Vulnerable Driver Loaded

Davide_Mattei — Fri, 07 Feb 2025 11:09:54 GMT

Hi Afurze,

thanks a lot for this topic, i'm starting to work with Cortex XDR, and i found this topic, and just for my information(in a learning mode in my lab), i wan't to test creating an Disable prevention rule, to allow driver procexp152.sys to be load, but i didn't find where or how to create it.

Contacting support they sent me a Support Exception Rules, but what i want is to understand how to create it manually for future investigation and not import a rule received from support.

Thanks a lot if you can help me.

Re: BTD - PROCEXP152.SYS - Vulnerable Driver Loaded

N.Patel578121 — Sat, 14 Jun 2025 04:29:57 GMT

Since Process Explorer can run without loading the procexp.sys driver, does that mean we can safely block procexp.sys or procexp152.sys without affecting its core functionality? Or does Process Explorer lose important features without the driver?