04-30-2025 02:49 AM
Hi,
When our system administration team uses Process Explorer (Microsoft version), Cortex XDR does not block the execution, but it generates alerts/incidents.
Alert Details:
Alert Name: Impair Defenses - 3645069560
Description: A tampering-capable driver with the original name procexp.sys was loaded on the system
Source: XDR Agent
Module: Behavioral Threat Protection
Category: Malware
Severity: High
Action: Prevented (Blocked)
Agent Version: 8.7.0.7735
Content Version: 1750-15130
My questions are:
Is there a way to prevent this alert from being triggered when using legitimate tools like Process Explorer?
Why is the software still able to run, even though the driver is flagged as vulnerable or tampering-capable?
Thanks in advance for your support.
05-02-2025 04:04 AM
From the logs, I see that the load of 'procexp.sys' was blocked by XDR. The BTP rule that blocked this activity was introduced in CU 640 aims to protect our agent from a potential vulnerability that could be exploited by the "procexp.sys" driver. When used maliciously, this driver's kernel functions could pose a risk to our agent. As a precaution, when this driver is being loaded by any application, the agent will prevent its loading but will allow the application itself to run (the source process will not be terminated).
The "procexp.sys" driver is commonly associated with tools like "Process Explorer" (procexp.exe). The driver is loaded when these applications are executed with administrative privileges, triggering an alert..
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
