Block especific Process and Folder/directory

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block especific Process and Folder/directory

L1 Bithead

Hello community,

In our company we have implemented Cortex XDR with Pro per endpoint and pro per terabyte licenses.

the incident response area asks me to verify the viability of applying the following preventive measures in cortex xdr

1st. Block the execution of a specific process by its name without having the hash.

2nd block writing and execution in specific directories. As well as blocking the creation of new folders with a specific name.

Is it possible to perform the previously indicated actions?

Stay tuned.

Best regards.

1 accepted solution

Accepted Solutions

L4 Transporter

Hi @Marcelo_Campos,

 

You should be able to accomplish both using Cortex XDR using the following instructions. On Windows devices, you can prevent the execution of a process by name or path by creating a rule in a restrictions profile and applying that to a policy. To enable, do the following:

  1. Go to Endpoints > Policy Management > Profiles.
  2. Click "New Profile."
  3. Click "Windows" then "Restrictions."
  4. Click "Next."
  5. Give the profile a name.
  6. Go to the "Executable Files" section.
  7. Uncheck "Use Default (Disabled)."
  8. Set the "Action Mode" to Block.
  9. Add the files and folders in the "Block List" section.
  10. Click "Create."
  11. Finish by adding this Restrictions profile to the policy that applied to your target endpoints.

 

For endpoints that do not have Windows as an operating system, you can enable detection of a process using BIOC. Create a BIOC to monitor for a process with a specific name:

  1. Go to Rules > BIOC.
  2. Click "Add BIOC."
  3. Click "Process."
  4. Type your process name in the "Name" field.
  5. Add any additional identifiers as needed.
  6. Click "Save."
  7. Monitor for BIOC alerts on the alerts table.


As for your second request, you can create a BIOC and convert it into an XDR Agent prevention rule for compatible endpoints by doing the following:

  1. Go to Rules > BIOC.
  2. Click "Add BIOC."
  3. Click "File"
  4. Type your process name in the "Name" field.
  5. Type your directory in the "Path" field.
  6. Add any additional identifiers as needed.
  7. Click "Save."
  8. Again, go to Rules > BIOC.
  9. Right-click your newly-created BIOC rule.
  10. Click "Add to restrictions profile."
  11. Select the target compatible restrictions profile.
  12. Click "Add"
Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

View solution in original post

2 REPLIES 2

L4 Transporter

Hi @Marcelo_Campos,

 

You should be able to accomplish both using Cortex XDR using the following instructions. On Windows devices, you can prevent the execution of a process by name or path by creating a rule in a restrictions profile and applying that to a policy. To enable, do the following:

  1. Go to Endpoints > Policy Management > Profiles.
  2. Click "New Profile."
  3. Click "Windows" then "Restrictions."
  4. Click "Next."
  5. Give the profile a name.
  6. Go to the "Executable Files" section.
  7. Uncheck "Use Default (Disabled)."
  8. Set the "Action Mode" to Block.
  9. Add the files and folders in the "Block List" section.
  10. Click "Create."
  11. Finish by adding this Restrictions profile to the policy that applied to your target endpoints.

 

For endpoints that do not have Windows as an operating system, you can enable detection of a process using BIOC. Create a BIOC to monitor for a process with a specific name:

  1. Go to Rules > BIOC.
  2. Click "Add BIOC."
  3. Click "Process."
  4. Type your process name in the "Name" field.
  5. Add any additional identifiers as needed.
  6. Click "Save."
  7. Monitor for BIOC alerts on the alerts table.


As for your second request, you can create a BIOC and convert it into an XDR Agent prevention rule for compatible endpoints by doing the following:

  1. Go to Rules > BIOC.
  2. Click "Add BIOC."
  3. Click "File"
  4. Type your process name in the "Name" field.
  5. Type your directory in the "Path" field.
  6. Add any additional identifiers as needed.
  7. Click "Save."
  8. Again, go to Rules > BIOC.
  9. Right-click your newly-created BIOC rule.
  10. Click "Add to restrictions profile."
  11. Select the target compatible restrictions profile.
  12. Click "Add"
Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

L0 Member
  • 1 accepted solution
  • 5538 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!