01-08-2021 04:45 AM
Hello,
Configuring host firewall via XDR and I cannot seem to get the Windows environment variables running.
Basically, there's an implicit deny for inbound/outbound connections, so there are applications that require some internal/localhost connections that are blocked. Due to this specific allow rule for such an application has to be made - based on the application path.
Specific application I'm talking about - Zoom. I've created rule that allows %USERPROFILE%\AppData\Roaming\Zoom\bin\Zoom.exe and %USERPROFILE%\AppData\Roaming\Zoom\bin\Zoom_launcher.exe, but this is not working and it can be seen in the Event Viewer that this app is being blocked by WFP by the implicit deny rule.
If adding specific host firewall rule with full path (C:\Users\<username>\AppData\Roaming\Zoom\bin\Zoom.exe - app is working as expected, but that does not cover all the user cases, as this path depends on the user logged into the computer.
Documentation says that it should be possible to user these environment variables: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-...
"Enter the full path and name of a program you want the rule to apply to. If you use system variables in the path definition, you must re-enforce the policy on the endpoint every time the directories and/or system variables on the endpoint change."
Has anyone tried adding such a rules and did it succeed, is there any trick behind this?
