using XDR to block older versions of an application



L0 Member

I'm attempting to use XDR to block older versions of an application, and only allow the few latest releases. There are hundreds of older versions of this application, so blocking each one by hash is not really an option. Also, the application's install path and process executable have the same name with every version, so blocking by path or executable name is not an option. I've been trying to create either a process BIOC to block the installed exes of the older versions or a file BIOC to prevent the installer of the older versions from running, but I'm fairly new to XDR and XQL, so I haven't had luck getting either one to work properly. Anyone have any experience with a task like this or a good reference to use for assistance?

2 replies

L4 Transporter

Hi @bjchappell and thank you for writing to Live Community.

Since you mentioned hundreds of older versions of this app, but you want to enable only a select few, have you considered tackling this from a different perspective?

You can try blocking all versions of the application using a prevention profile and only allow-list the last few versions by hash. Of course, this also means you will have to keep the allow-list up to date whenever a new version is released.

Hope this helps!


L5 Sessionator

How about using a BIOC where the filename and path match but the hashes don't match? The hashes in the list should be the ones approved for use, and the condition should be "!=". Essentially, that'd pinpoint all executions where the filename and path match but the approved hashes won't be detected. The allowed list of hashes is known to you, finite and is updated on a periodic basis based on your organization's compliance requirement.


Here's a sample BIOC based on a previously accepted solution (see answer to 2nd request): Make the changes in the BIOC definition to meet your requirements. When you click "Test", you should be able to see the events that are detected by the BIOC.

[Screenshot: sample BIOC definition]

You can append additional hashes by separating them with a "|" sign (unicode here).


Add the finalized BIOC to a restrictions profile. That should do the trick.
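The condition both replies arrive at (allow a short list of approved hashes, flag or block everything else with the same file name and install path) as an added example, not code from the original thread and not Cortex XDR's own logic: a Python model of the BIOC rule run over constructed process-start events. It also renders the approved hashes as a single "|"-separated string, the format the reply above describes for the hash field. The executable name, install path, "release" bytes and event records are all constructed for illustration; the approved-version list is the thing you would rotate when a new release ships.

```python
"""Model of a 'same name, same path, hash not in allow-list' BIOC condition."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterable

# Constructed stand-ins for the release binaries (not real files). Every version
# ships under the same file name and install path; only the bytes, and therefore
# the SHA-256, differ, which is exactly the situation in the question.
IMAGE_NAME = "vendorapp.exe"
IMAGE_PATH = r"C:\Program Files\VendorApp\vendorapp.exe"
RELEASE_BYTES = {
    "2.8.0": b"MZ vendorapp build 2.8.0",
    "2.9.1": b"MZ vendorapp build 2.9.1",
    "3.0.2": b"MZ vendorapp build 3.0.2",
    "3.1.0": b"MZ vendorapp build 3.1.0",
}
APPROVED_VERSIONS = ("3.0.2", "3.1.0")  # the "few latest releases"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allow_list(release_bytes: dict[str, bytes],
                     approved_versions: Iterable[str]) -> frozenset[str]:
    """Hashes of the approved releases, lower-cased so lookups are case-insensitive."""
    return frozenset(sha256_hex(release_bytes[v]).lower() for v in approved_versions)


def bioc_hash_field(allowed: Iterable[str]) -> str:
    """Render the allow-list as one '|'-separated value for the rule's hash field.
    Sorted so the string is stable and easy to diff when the list is rotated."""
    return "|".join(sorted(allowed))


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image_name: str
    image_path: str
    sha256: str


def is_unapproved_execution(ev: ProcessEvent, image_name: str, image_path: str,
                            allowed: frozenset[str]) -> bool:
    """The rule in code: file name AND path match, hash is NOT in the allow-list.
    Windows names and paths are case-insensitive, so both sides are normalised;
    hashes are normalised too because sensors may report them upper-cased."""
    return (
        ev.image_name.lower() == image_name.lower()
        and ev.image_path.lower() == image_path.lower()
        and ev.sha256.lower() not in allowed
    )


def find_unapproved(events: Iterable[ProcessEvent], image_name: str,
                    image_path: str, allowed: frozenset[str]) -> list[ProcessEvent]:
    return [ev for ev in events
            if is_unapproved_execution(ev, image_name, image_path, allowed)]


ALLOWED = build_allow_list(RELEASE_BYTES, APPROVED_VERSIONS)

# Constructed process-start events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", IMAGE_NAME, IMAGE_PATH, sha256_hex(RELEASE_BYTES["3.1.0"])),
    ProcessEvent("WS02", IMAGE_NAME, IMAGE_PATH, sha256_hex(RELEASE_BYTES["3.0.2"]).upper()),
    ProcessEvent("WS03", IMAGE_NAME, IMAGE_PATH, sha256_hex(RELEASE_BYTES["2.8.0"])),  # old release
    ProcessEvent("WS04", IMAGE_NAME, IMAGE_PATH, sha256_hex(b"MZ unknown rebuild")),     # never released
    # Same binary name but copied elsewhere: outside this rule's path match.
    ProcessEvent("WS05", IMAGE_NAME, r"C:\Users\jdoe\Downloads\vendorapp.exe",
                 sha256_hex(RELEASE_BYTES["2.9.1"])),
]

if __name__ == "__main__":
    for ev in find_unapproved(SAMPLE_EVENTS, IMAGE_NAME, IMAGE_PATH, ALLOWED):
        print(f"{ev.host}: unapproved build of {ev.image_name} ({ev.sha256[:12]}...)")
    print("hash field:", bioc_hash_field(ALLOWED))
```

Two things the constructed events make visible. The allow-list catches both the hundreds of old releases and a build nobody has seen before (WS04), which is the advantage of allow-listing over enumerating bad hashes. The copy in a user's Downloads folder (WS05) is deliberately not matched, because the rule as described keys on the install path; if you also want to stop the same binary running from elsewhere, that needs a separate condition rather than loosening this one.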
