Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

L4 Transporter

Hi there-


The quarantine function is limited to PE's and DLL's and can be set in the malware profile.



Macros are different in that you would not want to quarantine the actual executable, which would be Word, Excel, etc.   For that reason, the specific file is what is terminated, while the Office application remains open.  Your option for a macro is simply to block.



BTP is also different.  When events occur on the endpoint, they are loaded into BTP memory.  From there, the event is compared to a list of built-in BTP rules and if one is triggered, it is terminated.  This cycle is repeated based on what is occurring.  For example, someone may be running Outlook.  That person receives and opens an email, then opens a Word attachment.  After the Word attachment is open, a macro is executed which is doing something it shouldn't.  BTP looks at each stage in this process and terminates once something matches a built-in BTP rule.  You cannot check BTP at rest since it is based on behavior in motion.

David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
Who rated this post