Block specific Process and Folder/directory

Marcelo_Campos
L0 Member


Hello community,

In our company we have implemented Cortex XDR with Pro per Endpoint and Pro per Terabyte licenses.

The incident response team has asked me to verify the viability of applying the following preventive measures in Cortex XDR:

1st. Block the execution of a specific process by its name, without having the hash.

2nd. Block writing and execution in specific directories, as well as the creation of new folders with a specific name.

Is it possible to perform the previously indicated actions?

Stay tuned.

Best regards.


Accepted Solutions
gjenkins
L4 Transporter

Hi @Marcelo_Campos,
You should be able to accomplish both in Cortex XDR using the following instructions. On Windows devices, you can prevent the execution of a process by name or path by creating a rule in a Restrictions profile and applying that to a policy. To enable it, do the following:

  1. Go to Endpoints > Policy Management > Profiles.
  2. Click "New Profile."
  3. Click "Windows" then "Restrictions."
  4. Click "Next."
  5. Give the profile a name.
  6. Go to the "Executable Files" section.
  7. Uncheck "Use Default (Disabled)."
  8. Set the "Action Mode" to Block.
  9. Add the files and folders in the "Block List" section.
  10. Click "Create."
  11. Finish by adding this Restrictions profile to the policy that applies to your target endpoints.
For endpoints that do not have Windows as an operating system, you can enable detection of a process using BIOC. Create a BIOC to monitor for a process with a specific name:

  1. Go to Rules > BIOC.
  2. Click "Add BIOC."
  3. Click "Process."
  4. Type your process name in the "Name" field.
  5. Add any additional identifiers as needed.
  6. Click "Save."
  7. Monitor for BIOC alerts on the alerts table.


As for your second request, you can create a BIOC and convert it into an XDR Agent prevention rule for compatible endpoints by doing the following:

  1. Go to Rules > BIOC.
  2. Click "Add BIOC."
  3. Click "File."
  4. Type your process name in the "Name" field.
  5. Type your directory in the "Path" field.
  6. Add any additional identifiers as needed.
  7. Click "Save."
  8. Again, go to Rules > BIOC.
  9. Right-click your newly-created BIOC rule.
  10. Click "Add to restrictions profile."
  11. Select the target compatible restrictions profile.
  12. Click "Add."
--gjenkins

