https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/ta-p/523556 <P>&nbsp;</P> <P><SPAN>In this proof of concept (PoC), we'll take a look at using <A href="https://live.paloaltonetworks.com/t5/cortex-xdr/ct-p/Cortex_XDR" target="_self">Cortex XDR</A> to block software installations in a test environment. </SPAN></P> <P>&nbsp;</P> <P><SPAN>This PoC focuses on blocking files that use the .msi and .exe file extensions. These file types are widely used for common software installations and should serve to cover a broad base of applications. For testing, four executable files will be installed: Two .msi and two .exe files. From there, we’ll try to find anything we can use to block the installations. We're also going to focus on BIOC’s and prevent the execution of these files and their associated processes.</SPAN></P> <P><SPAN><BR /></SPAN><FONT color="#000000"><EM>Please note: These processes were tested in a lab environment. Any attempt to reproduce the process described in this article may have various results.</EM></FONT></P> <P>&nbsp;</P> <H2 class="lia-message-template-content-zone"><FONT color="#FF6600"><STRONG>Cortex XDR PoC: Software Installations Blocking Prerequisites</STRONG></FONT></H2> <P>&nbsp;</P> <P><STRONG>For this PoC the following will be required in your environment:</STRONG></P> <UL> <LI><SPAN>Windows Endpoints</SPAN></LI> <LI><SPAN>Cortex XDR Pro per Endpoint</SPAN></LI> </UL> <P>&nbsp;</P> <H4><STRONG>Files Used:</STRONG></H4> <UL> <LI><SPAN>Google Chrome - ChromeSetup.exe</SPAN></LI> <LI><SPAN>VLC Media Player - vlc-3.0.17.4-win64</SPAN></LI> <LI><SPAN>Firefox Browser - Firefox Setup 14.0.1.msi</SPAN></LI> <LI><SPAN>Zoom - ZoomInstallerFull.msi</SPAN></LI> </UL> <P>&nbsp;</P> <H3><FONT color="#000000"><STRONG>What is a Software Installation?</STRONG></FONT></H3> <P>&nbsp;</P> <P><SPAN><FONT color="#333300">Installation typically involves code (program) being copied/generated from the installation files to new files on the local computer. It provides easier access via the operating system — creating necessary directories, registering environment variables, providing separate programs for un-installation, etc.</FONT> Because code is generally copied/generated in multiple locations, uninstallation often involves more than just erasing the program folder. For example, registry files and other system code may need to be modified or deleted for a complete uninstallation.</SPAN></P> <P>&nbsp;</P> <H4><SPAN>Installation Files&nbsp;</SPAN></H4> <P><SPAN>The most common types of installation files are .msi and .exe. These will be the focus of this PoC. Other types of installation files exist such as .bat, .com, .cmd, .inf and .run, but for this PoC we’re only going to focus on .msi and .exe as they’re the more prevalent types of installation files available.&nbsp;&nbsp;<BR /><BR /></SPAN></P> <H4><FONT color="#000000"><STRONG>What is an EXE file?</STRONG></FONT></H4> <P><SPAN>The .exe extension may be one of the most easily recognizable file formats in existence. An executable file (EXE file) is a computer file that contains an encoded sequence of instructions that the system can execute directly when the user clicks the file icon. Executable files commonly have an EXE file extension, but there are hundreds of other executable file formats.</SPAN></P> <P>&nbsp;</P> <P><SPAN>With Windows, EXE is the file extension for an executable file. All EXE files are executable files, but not all executable files are EXE files.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Executable files with the .exe extension also come in different types such as portable executables.&nbsp; For this PoC we’re going to focus on installation files and not any of the other types.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Below is an image of the contents of the VLC Media Player install file with its contents extracted using the 7 zip utility.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_14-1670437404874.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45967i01967CA6B4FBC77E/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_14-1670437404874.png" alt="rtsedaka_14-1670437404874.png" /></span></P> <P>&nbsp;</P> <H4><FONT color="#000000"><STRONG>What is an MSI file?</STRONG></FONT></H4> <P><SPAN>An MSI file is a Windows package that contains installation information for a particular installer, including files to be installed and installation locations. It may be used for Windows updates or third-party software installers.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Windows uses the Windows Installer program to open MSI files. This program was previously named the Microsoft Installer, which is what gave MSI files their name.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Below is an image of using the 7 zip utility to extract the files inside of Firefox Setup 14.0.1.msi.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_15-1670437404938.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45968iD36D399EB1EBE201/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_15-1670437404938.png" alt="rtsedaka_15-1670437404938.png" /></span></P> <H4><BR /><FONT color="#000000"><STRONG>MSI vs. EXE files</STRONG></FONT></H4> <P><SPAN>Developers may save Windows application installers as .MSI files instead of EXE files. MSI files are similar to EXE files, except they always contain application installers. They never contain Windows applications or other programs. Windows always uses Windows Installer (a utility included with Windows) to open MSI files and install the program they contain.</SPAN></P> <P>&nbsp;</P> <H2><FONT color="#FF6600"><STRONG>EXE Software Installations in Cortex XDR</STRONG></FONT></H2> <P>&nbsp;</P> <P><SPAN>Chrome and VLC Media Player are now going to be installed on the test machines.&nbsp; Once that’s completed we can investigate the causality chain and see if there are any interesting characteristics that we can hone in on.&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Below are the Causality chains for the install of our two installation files for Google Chrome and VLC Media Player respectively.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_0-1672679859977.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/46588iC10EE880C16927F0/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_0-1672679859977.png" alt="rtsedaka_0-1672679859977.png" /></span></P> <H6>Causality chain for Google Chrome installation</H6> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_17-1670437404810.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45971i475382CD1722BFE7/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_17-1670437404810.png" alt="rtsedaka_17-1670437404810.png" /></span></P> <H6><SPAN>Causality chain for VLC Media Player installation</SPAN></H6> <P>&nbsp;</P> <P><SPAN>At first glance nothing seems to pop out.&nbsp; After going through things like file actions, registry modifications and processes there don’t appear to be any similarities.&nbsp; We did see something interesting in the target_process_cmd for chrome set up, though:</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_18-1670437404876.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45970i6FF93CC74ACC3257/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_18-1670437404876.png" alt="rtsedaka_18-1670437404876.png" /></span></P> <H6>Use of a /install flag<BR /><BR /></H6> <P><SPAN>The use of the /install flag is not something that has been seen in all software installations, but it may be something we can use later.<BR /><BR /></SPAN></P> <H2><FONT color="#FF6600"><STRONG>MSI Software Installations in Cortex XDR</STRONG></FONT></H2> <P>&nbsp;</P> <P><SPAN>The aforementioned .msi files have now been installed on our test host. Now we’ll take a look at the installations of all files and see if we can discern any useful information about them that will help us block the installation of these files on another test machine.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Let’s begin by first looking at our .msi files. We’re going to do a simple query to pull up all the data on our endpoint over the previous 24 hours.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>By navigating to Incident Response -&gt; Query Builder we can select ‘Process’.&nbsp; From there we’re going to type in the name of the test machine and run the search.</SPAN></P> <P>&nbsp;</P> <H6><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_19-1670437405004.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45972iB7A8DF01BDE66437/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_19-1670437405004.png" alt="rtsedaka_19-1670437405004.png" /></span>Select Process after selecting query builder</H6> <P>&nbsp;</P> <H6><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_20-1670437404873.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45976iA5E3A55DA2A090AF/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_20-1670437404873.png" alt="rtsedaka_20-1670437404873.png" /></span>Querying the test machine's host name</H6> <P>&nbsp;</P> <P><SPAN>Once the search is run we can filter through the results by narrowing down on ‘target_process_cmd’ and selecting any entry that contains .msi as seen below.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_21-1670437405005.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45974i09101BF88F705032/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_21-1670437405005.png" alt="rtsedaka_21-1670437405005.png" /></span></P> <H6><SPAN>Query results for msi files</SPAN></H6> <P>&nbsp;</P> <P><SPAN>The images below represent the causality chain for the install of our two MSI files.&nbsp; Looking at these two images we can quickly see a similarity.&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_22-1670437404993.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45973i04F42F42B05974A6/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_22-1670437404993.png" alt="rtsedaka_22-1670437404993.png" /></span></P> <H6>Causality<SPAN>&nbsp;chain for zoom msi installer</SPAN></H6> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_23-1670437405002.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45979i3D76385EBC0FD757/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_23-1670437405002.png" alt="rtsedaka_23-1670437405002.png" /></span></P> <H6>Causality<SPAN>&nbsp;chain for Firefox msi installer</SPAN></H6> <P>&nbsp;</P> <P><SPAN>The command that executed the install for these files uses a file called msiexec.exe with a flag and then the location of our installation files.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_24-1670437404953.png" style="width: 568px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45977i46C8BAFA66692CF6/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_24-1670437404953.png" alt="rtsedaka_24-1670437404953.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_25-1670437404931.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45978i9957E4B96238085B/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_25-1670437404931.png" alt="rtsedaka_25-1670437404931.png" /></span></P> <H2>&nbsp;</H2> <H3><FONT color="#000000"><STRONG>What is msiexec.exe?</STRONG></FONT></H3> <P>&nbsp;</P> <P><SPAN>The genuine msiexec.exe file is a software component of Microsoft Windows by Microsoft.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Microsoft Windows is an operating system. Windows Installer is an application programming and software component of Microsoft Windows. Msiexec.exe is part of the Windows Installer utility and is used to install MSI and MSP packages, and is completely safe for your PC.</SPAN></P> <P>&nbsp;</P> <P><SPAN>In our install example we saw the /i flag being used which is the flag for a normal installation.&nbsp; Below is a table that describes the syntax for msiexec.exe&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_26-1670437404936.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45981iAEB1E5A1BD4A249E/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_26-1670437404936.png" alt="rtsedaka_26-1670437404936.png" /></span></P> <P>&nbsp;</P> <H2><FONT color="#FF6600"><STRONG>Blocking .exe Installation Using Cortex XDR</STRONG></FONT></H2> <P>&nbsp;</P> <P><SPAN>When it came to our .exe installations, we didn’t see any similarity between the two files we chose for this PoC.&nbsp; In actuality, several different applications were installed into our test machine and, after analyzing the data, I’ve concluded that while some installations can be blocked there is no one-size fits all for this.</SPAN></P> <P>&nbsp;</P> <P><SPAN>While looking at the installation for Google Chrome we did notice the use of a flag /install.&nbsp; This could be used to stop the installation of Google Chrome.&nbsp; By creating BIOC, focusing on process execution and setting CMD =~ install.&nbsp; This BIOC will stop the install of Google Chrome and an installer that uses the same flag.&nbsp; Again, in our testing Google Chrome was the only application that used the flag on install.&nbsp; This will work for our specific application, but be warned it may have the undesired consequences in your environment.&nbsp; Testing in a non production environment should be used before trying to apply a rule like this.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Another avenue which could be used is a BIOC that would block the execution of any files that have the .exe extension.&nbsp; However, during testing this proved to be troublesome.&nbsp; Windows relies on a lot of files in the background that run without the user ever seeing them.&nbsp; Some of these are crucial to basic windows functionality.&nbsp; Blocking the execution of any .exe program will undoubtedly cause unexpected issues as it did during testing.</SPAN></P> <P>&nbsp;</P> <P><SPAN>There’s also the use of CMD.&nbsp; For the install of all of the software during this testing we’ve been relying on what commands were used in CMD.&nbsp; What if we just blocked the execution of cmd.exe?&nbsp; Well, that also has some very unexpected consequences.&nbsp; While it does block software installations, it now allows the use of any CMD commands, and also prevents any internet browsing and opening of most programs.&nbsp; This is because CMD is crucial to the Windows operating system.&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>When dealing with known software to block an IOC, a rule can always be used instead by using the full name, file path or hash value.&nbsp; For this PoC the goal is to stop the installation and not just remove the file.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <H2><FONT color="#FF6600"><STRONG>Blocking .msi Installations Using Cortex XDR&nbsp;</STRONG></FONT></H2> <P>&nbsp;</P> <P><SPAN>When it comes to .msi installations we did find some interesting similarities in their execution.&nbsp; We discovered the file msiexec.exe.&nbsp; Creating a BIOC to block the execution of this file should result in blocking any attempts to install applications using the .msi extension.&nbsp; We’ll navigate to Detection Rules -&gt; BIOC and select ‘process’.&nbsp; Once there we’ll type ‘msiexec.exe’ into the name filed under process and create the BIOC.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_27-1670437404954.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45982i4D4AC9AAD1907CE8/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_27-1670437404954.png" alt="rtsedaka_27-1670437404954.png" /></span></P> <H6><SPAN>Using query builder to search for msiexec.exe</SPAN></H6> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_28-1670437405074.png" style="width: 469px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45980i2F69663008C4B2CF/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_28-1670437405074.png" alt="rtsedaka_28-1670437405074.png" /></span></P> <H6><SPAN>Creating BIOC from previous query<BR /><BR /></SPAN></H6> <P><SPAN>Now the rule will be added to our prevention profile and applied to our test machine.</SPAN></P> <P>&nbsp;</P> <P><FONT color="#FF6600"><EM><STRONG>SUCCESS!</STRONG></EM></FONT></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_29-1670437405242.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45984i82C2B90B4ED55986/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_29-1670437405242.png" alt="rtsedaka_29-1670437405242.png" /></span></P> <P>&nbsp;</P> <P><SPAN>After applying the rule to the test machine and attempting to install an application using the .msi extension, it was blocked.&nbsp; Below we can see an image of the alert generated by msiexe.exe. This was tested several times and all resulted in success.&nbsp; </SPAN></P> <P><SPAN>This is because the software installations require the use of msiexec.exe.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rtsedaka_30-1670437405442.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/45983i12F073D58C2445A9/image-size/large?v=v2&amp;px=999" role="button" title="rtsedaka_30-1670437405442.png" alt="rtsedaka_30-1670437405442.png" /></span></P> <H6><SPAN>Alert generated from msiexec.exe BIOC rule<BR /><BR /></SPAN></H6> <H2><FONT color="#FF6600"><STRONG>Cortex XDR PoC: Software Installations Blocking Conclusion</STRONG></FONT></H2> <P>&nbsp;</P> <P><SPAN>In this PoC we demonstrated how Cortex XDR can be used to block software installations. We were successfully able to block .msi installations and had mixed results with .exe installations.</SPAN></P> <P>&nbsp;</P> <P><SPAN>While Cortex XDR can be used to block software installations, there are better ways to achieve this; a great use case for this would be an air-gapped portion of your network that was only used to perform certain specific functions. For production environments I would recommend using Group Policy Objects (GPOs), as they would allow administrators to block all software installations by disallowing users to do things like make registry changes based on user groups. GPOs could be used to block the executions of executable files, but wouldn’t be a recommended use case for Cortex XDR. Based on the testing shown in this PoC Cortex XDR could be used to block .msi based installations. Again, I would caution any user to conduct testing in their own environment before trying this in a production environment.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT color="#FF6600"><STRONG>Cortex XDR PoC: Software Installations Blocking References:</STRONG></FONT></P> <P>&nbsp;</P> <P><A href="https://fileinfo.com/extension/msi" target="_blank" rel="noopener"><SPAN>FileInfo.com: MSI File Extension</SPAN></A></P> <P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/create-a-bioc-rule" target="_blank" rel="noopener"><SPAN>Cortex Help Center: Create an IOC Rule</SPAN></A></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule" target="_blank" rel="noopener">Cortex Help Center: Create an BIOC Rule</A></SPAN></P> <P>&nbsp;</P> <P><SPAN><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</SPAN></P> <P>&nbsp;</P> Wed, 15 Feb 2023 21:06:49 GMT rtsedaka 2023-02-15T21:06:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/ta-p/523556 <P>Let's walkthrough a PoC of&nbsp;<SPAN>using Cortex XDR to block software installations —.msi and .exe file extensions — in a test environment.</SPAN></P> Wed, 15 Feb 2023 21:06:49 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/ta-p/523556 rtsedaka 2023-02-15T21:06:49Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/tac-p/525644#M25 <P><FONT size="4">Great post, thanks&nbsp;Rtsedaka</FONT></P><P><FONT size="4"><SPAN class=""><SPAN class="">Any related post on MacOS?</SPAN></SPAN></FONT></P> Tue, 03 Jan 2023 07:40:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/tac-p/525644#M25 mcheung 2023-01-03T07:40:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/tac-p/526355#M28 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/201140">@mcheung</a>,&nbsp;I don't believe there are any posts similar to this related to MacOS.&nbsp; This article details windows as it's a more widely used operating system.&nbsp; I believe the same concepts can be applied to MacOS devices.&nbsp; I would strongly encourage trying this in a lab environment first.</P> Mon, 09 Jan 2023 16:32:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/tac-p/526355#M28 anlynch 2023-01-09T16:32:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/tac-p/530181#M30 <P>I have been looking into this extensively for executable (.exe) installations, I have a solution, but this will probably not be a "one size fits all". The following BIOC presumes the following:</P><P>1. "Normal" users only have write access to 'Downloads', 'Documents' and 'Desktop'</P><P>2. There is a requirement for privileged users (Administrator accounts) to install .exe based applications</P><P>3. the users 'Downloads' and ''Documents' directories are not always on the Root (C:) drive.<BR /><BR />Here is the BIOC that can be added to a restriction Profile.<BR />dataset = xdr_data<BR />| filter event_type = ENUM.PROCESS<BR />// If you use "Tier" accounts, these could be added here.<BR />and action_process_username !~= "^.+[sS][yY][sS][tT][eE][mM]$|^.+[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]$"&nbsp;<BR />and action_process_image_path ~="^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]ownloads\\*.*\\+.*[eE][xX][eE]$|^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]ocuments\\*.*\\+.*[eE][xX][eE]$|^[a-zA-Z]:\\[uU][sS][eE][rR][sS]\\*.*\\[dD]esktop\\*.*\\+.*[eE][xX][eE]$"<BR /><BR /></P><P>&nbsp;</P><P>If you use "Tier" accounts, these could be added to the regex for 'action_process_username' exception</P><P>Feedback and or suggestions are welcom,</P><P>&nbsp;</P><P>Cheers</P><P>Phil</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 07 Feb 2023 20:03:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-articles/cortex-xdr-poc-software-installations-blocking/tac-p/530181#M30 PhilBenson 2023-02-07T20:03:21Z