prevent exe application to install in a system via cortex xdr agent


L2 Linker

Hi,

 

Can we prevent any .exe, for example the AnyDesk application, from being installed on a system if the Cortex XDR agent is installed? If so, how do we configure it?

Thanks and Regards,
OK.

L2 Linker

I see two ways of accomplishing this.

 

1. You can configure your restriction policy by specifying something like *\<name_of_file>   in the Executable Files section -> Files / Folders in Block List.

2. You can create a BIOC Rule that targets that process and apply it to Restriction policy: 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...

 

Best,

D

 

L2 Linker

I was hoping to do this with Cortex-XDR Prevent by blocking programs from running from the user profile, but the hashes change too often. I was hoping we could block everything from running and then allow some signed applications to run from the user profile.  I have had AppLocker on the list for some time to learn about.

 

For what you just described, I indeed would favor the AppLocker approach, since it is designed to perform this.

 

I am not sure about the specifics of XDR Prevent; it probably does not have all the capabilities that the Pro Per Endpoint or Pro Per TB editions have, but don't you have in your XDR interface the option to configure a 'Restrictions Profile'? It is in Endpoints -> Policy Management -> Profiles. You locate the Restrictions profile and Edit it.


There you will find Executable Files paragraph where it asks you to input Files / FOLDERS in BLOCK LIST or in ALLOW LIST. So perhaps you could leverage this to specify that any executable within %USERPROFILE% is on BLOCK LIST.


Is that not possible in XDR Prevent?

 

Best,

D

Forgot to add before:
I think the Block-listing approach is probably not the best, because I haven't tested the combination of Blocking everything in a specified folder, but then allowing a specific .EXE to run in that same folder. Not sure what takes precedence: does XDR first check the allowed list and then moves on to check the block list or vice versa.

 

However, maybe you could configure it in an Allow-list approach by defining a folder where you would allow the executables to run and everything else is blocked. But probably that is a bit too cumbersome to manage for end users. Or even specific files, which is (I think) similar to the AppLocker approach.

 

Yes, Cortex XDR Prevent's Restrictions profile works as you described -- I tested the setup last week.  The issue is that it is a maintenance nightmare...it was not really designed with this in mind.  You can stop all .EXE files from running from the user profile, but to allow some to run is based on the filename/hash.  AppLocker should allow me to setup things so that .EXE files signed by GotoMeeting are allowed, but not others. Oh, and Microsoft keeps stuffing Office 365 stuff under the user profile like Teams, OneDrive, etc.
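The AppLocker setup described in the post above, as an added example that is not code from this thread, from Palo Alto Networks or from Microsoft. One point worth knowing before building it: in AppLocker an explicit Deny rule overrides any Allow rule, so a "deny everything under %USERPROFILE%" path rule would also defeat a publisher Allow for GoToMeeting. The policy therefore relies on AppLocker's implicit deny instead: once the Exe collection has any rules, anything not matched by an Allow is blocked, so the script keeps the three Microsoft default Allow rules (Program Files, Windows, everything for local Administrators) and adds publisher rules derived from signed reference binaries. The paths in $ReferenceBinaries are placeholders, and the policy is generated in AuditOnly mode so it logs rather than blocks until reviewed.

```powershell
# Added example, not from the thread. Builds an AppLocker policy in which EXEs under
# the user profile run only when signed by a trusted publisher. Run elevated on a
# Windows edition that ships the AppLocker module (Enterprise/Education, Server).
#Requires -RunAsAdministrator
Import-Module AppLocker

$PolicyFile = Join-Path $env:TEMP 'userprofile-applocker.xml'

# Placeholder paths (assumed, adjust to your estate) to signed binaries whose
# publisher certificate you want to trust for the whole user profile.
$ReferenceBinaries = @(
    "$env:LOCALAPPDATA\GoToMeeting\g2mstart.exe",        # hypothetical path
    "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe"   # hypothetical path
)

# Inventory first: every EXE already living under %USERPROFILE% and who signed it.
# An empty PublisherName means unsigned; no publisher rule will ever allow it.
$profileExes = Get-AppLockerFileInformation -Directory $env:USERPROFILE -Recurse -FileType Exe
$profileExes |
    Select-Object Path, @{ n = 'Publisher'; e = { $_.Publisher.PublisherName } } |
    Sort-Object Publisher | Format-Table -AutoSize

# Base policy: the three Microsoft default rules. Without the Program Files and
# Windows allows, enabling the Exe collection would block the OS itself.
# AuditOnly makes AppLocker log (event 8003) instead of blocking during rollout.
[xml]$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$((New-Guid).Guid)" Name="(Default) Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$((New-Guid).Guid)" Name="(Default) Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$((New-Guid).Guid)" Name="(Default) Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Publisher rules from the reference binaries. New-AppLockerPolicy keys each rule
# to publisher + product + binary name + minimum version; widen it to the
# publisher only so updates and sibling EXEs from the same signer stay allowed.
$refInfo = $ReferenceBinaries | Where-Object { Test-Path $_ } | Get-AppLockerFileInformation
if (-not $refInfo) { throw 'No reference binaries found; fix $ReferenceBinaries first.' }
[xml]$generated = (New-AppLockerPolicy -FileInformation $refInfo -RuleType Publisher `
    -RuleNamePrefix 'UserProfile' -User Everyone -Optimize -Xml) -join "`n"

$collection = $policy.AppLockerPolicy.RuleCollection
foreach ($rule in $generated.AppLockerPolicy.RuleCollection.FilePublisherRule) {
    $cond = $rule.Conditions.FilePublisherCondition
    $cond.ProductName = '*'
    $cond.BinaryName  = '*'
    $cond.BinaryVersionRange.LowSection  = '*'
    $cond.BinaryVersionRange.HighSection = '*'
    [void]$collection.AppendChild($policy.ImportNode($rule, $true))
}
$policy.Save($PolicyFile)

# Dry run against everything found in the profile. Denied / DeniedByDefaultRule
# rows are exactly what a block-everything restriction would have hit; decide
# per row whether to add that signer or accept the block.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $profileExes.Path -User Everyone |
    Sort-Object PolicyDecision |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (the Application Identity service must be running). Switch
# EnforcementMode to "Enabled" only after the AppLocker "EXE and DLL" event log
# (event 8003 in audit mode) shows no legitimate binaries being flagged.
Set-AppLockerPolicy -XmlPolicy $PolicyFile
```

Two caveats that follow from the design: the Administrators default rule means a local admin is never constrained, so this is a control for standard users only; and AppLocker only enforces while the Application Identity service (AppIDSvc) is running, so lock that service down or it is a one-line bypass. For a domain, write the same XML with `Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap <GPO path> -Merge` instead of the local call.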

 @EddieRowe Hm. Then the last thing that comes to mind is to create a Prevention BIOC rule which you can apply to Restriction Profile.

You'd create a BIOC something like:
Process name: *.exe

Path: %USERPROFILE% (and any other path you want to prevent EXEs to not run)

Signature: SIGNED

Signer: NOT 'GoToMeeting' (etc.)

 

Then you set it in the Restriction Profile as the Prevention Rule. This means that every time an EXE process executes that is in %USERPROFILE% and is NOT signed by GoToMeeting --> block the execution.

 

Maybe this could help you. But if you already decided on AppLocker, then never mind.

 

Best,

D

OH crap! I forgot. The 'Prevent' license probably does not have the option to create BIOCs? Have no experience with Prevent license type, my bad. 

I appreciate the info - Pro was way outside of our budget.  I thought for a moment I had overlooked something (and the Palo Alto person who helped with the PoC didn't share this), so it's nice to get confirmation I should not see the BIOC options on the web console.

L0 Member

Thanks for the update and quick reply. I'll be sure to keep an eye on this thread.
