
Hi there-

The quarantine function is limited to PEs and DLLs and can be set in the malware profile.

[screenshot: dfalcon_0-1611845901152.png]

Macros are different in that you would not want to quarantine the actual executable, which would be Word, Excel, etc. For that reason, the specific file is what is terminated, while the Office application remains open. Your option for a macro is simply to block.

[screenshot: dfalcon_1-1611846022008.png]

BTP is also different. When events occur on the endpoint, they are loaded into BTP memory. From there, the event is compared to a list of built-in BTP rules and if one is triggered, it is terminated. This cycle is repeated based on what is occurring. For example, someone may be running Outlook. That person receives and opens an email, then opens a Word attachment. After the Word attachment is open, a macro is executed which is doing something it shouldn't. BTP looks at each stage in this process and terminates once something matches a built-in BTP rule. You cannot check BTP at rest since it is based on behavior in motion.


David Falcon 
Solutions Architect, Cortex
Palo Alto Networks® 
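A toy simulation of the "behavior in motion" evaluation described in the answer above (events accumulate in memory, the growing process chain is re-checked against rules, and only the matching stage is terminated). This is an added example, not Cortex XDR code; the rule, the process names, and the assumption that the macro launches powershell.exe are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-start event as it would arrive from the endpoint (constructed)."""
    pid: int
    ppid: int
    image: str


@dataclass
class Rule:
    """A behavioral rule: the process lineage it fires on, oldest ancestor first."""
    name: str
    chain: tuple


# Hypothetical rule modelled on the Outlook -> Word -> macro chain in the post;
# the real BTP rule set is built in and is not reproduced here.
OFFICE_MACRO_CHAIN = Rule(
    "office-macro-spawns-interpreter",
    ("outlook.exe", "winword.exe", "powershell.exe"),
)


class BtpSimulator:
    def __init__(self, rules):
        self.rules = rules
        self.procs = {}        # pid -> ProcEvent: the "BTP memory" of live processes
        self.terminated = []   # (pid, rule name) for each termination decision

    def lineage(self, pid):
        """Walk parent links held in memory; stops at the first unknown ancestor."""
        chain = []
        while pid in self.procs:
            ev = self.procs[pid]
            chain.append(ev.image.lower())
            pid = ev.ppid
        return tuple(reversed(chain))

    def observe(self, ev):
        """Load the event, re-evaluate rules on the chain so far, kill only the newest stage."""
        self.procs[ev.pid] = ev
        lin = self.lineage(ev.pid)
        for rule in self.rules:
            n = len(rule.chain)
            if len(lin) >= n and lin[-n:] == rule.chain:
                self.terminated.append((ev.pid, rule.name))
                del self.procs[ev.pid]   # the matching stage is gone; Outlook and Word stay
                return rule.name
        return None
```

Feeding the same powershell.exe event to a fresh simulator with no history never matches, which is the "cannot check BTP at rest" point: the verdict depends on the chain that preceded the event, not on the event alone.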