using XDR to block older versions of an application

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

using XDR to block older versions of an application

L0 Member

I'm attempting to use XDR to block older versions of an application, and only allow the few latest releases. There are hundreds of older versions of this application so blocking each one by hash is not really an option. Also the application's install path and process executable have the same name with every version so blocking by path or executable name is not an option. I've been trying to create either a process BIOC to block the installed exe's of the older versions or a file BIOC to prevent the installer of the older versions to run, but I'm fairly new to XDR and XQL so I haven't had luck getting either one to work properly. Anyone have any experience with a task like this or a good reference to use for assistance?   

2 REPLIES 2

L4 Transporter

Hi @bjchappell and thank you for writing to Live Community.

Since you mentioned hundreds of of older versions of this app, but you want to enable only a select few, have you considered tacking this from a different perspective?

You can try blocking all versions of the application using a prevention profile  and only allow-list the last few versions by hash. Of course, this also means you will have to keep the allow-list up to date whenever a new version is released.

Hope this helps!

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

L5 Sessionator

How about using a BIOC where the filename and path match but the hashes don't match? The hashes in the list should be the ones approved for use, and the condition should be "!=". Essentially, that'd pinpoint all executions where the filename and path match but the approved hashes won't be detected. The allowed list of hashes is known to you, finite and is updated on a periodic basis based on your organization's compliance requirement.

 

Here's a sample BIOC based on a previously accepted solution (see answer to 2nd request): Make the changes in the BIOC definition to meet your requirements. When you click "Test", you should be able to see the events that are detected by the BIOC.

bbarmanroy_0-1684119671790.png

You can append additional hashes by separating them with a "|" sign (unicode here).

 

Add the finalized BIOC to a restrictions profile. That should do the trick.

  • 1287 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!