Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-08-2024 09:51 PM
What is the difference between Legacy agent exception and Disable prevention rules?
This was asked in another discussion but the answer does not resolve the question asked (https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/exception-and-exclusion-tips-amp-trick-b... )
Thanks
Danny
05-09-2024 10:04 AM
Disable prevention rules are more granular compared to legacy agent exceptions.
Legacy agent exceptions Target the hole module like pe dll examination where as disable prevention rules would Target specific protections within that..like we can do wildfire detection, wildfire post detection, local analysis etc..
Disable prevention rules generate an alert even after allowing the activities where as legacy agent exceptions mostly don't generate alerts and allow a process to run.(E.g global behavior protection based legacy exception or credential protection module related ones generate alerts and other PE dll examination module based legacy agent exceptions don't generate alerts.
That's all I can remember for now 😉
05-09-2024 05:08 AM
Hi @DannyMulheran, thanks for reaching us using the Live Community.
The Disable Prevention Rules applies to agents only from version 7.9 and above.
The Legacy Agent Exceptions also applies to older agent versions.
If this post answers your question, please mark it as the solution.
05-09-2024 10:04 AM
Disable prevention rules are more granular compared to legacy agent exceptions.
Legacy agent exceptions Target the hole module like pe dll examination where as disable prevention rules would Target specific protections within that..like we can do wildfire detection, wildfire post detection, local analysis etc..
Disable prevention rules generate an alert even after allowing the activities where as legacy agent exceptions mostly don't generate alerts and allow a process to run.(E.g global behavior protection based legacy exception or credential protection module related ones generate alerts and other PE dll examination module based legacy agent exceptions don't generate alerts.
That's all I can remember for now 😉
05-09-2024 02:54 PM
Thanks, really appreciate the reply.
05-09-2024 02:55 PM
Thanks JM, your response is appreciated.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
