What does Palo Alto Networks Cortex XDR do first when an endpoint is asked to run an executable?
When an endpoint is asked to run an executable, Palo Alto Networks Cortex XDR first checks its execution policy. This ensures that the executable is allowed to run within the parameters set by the organization's security policies before any further action such as static or dynamic analysis is taken.
B. Phase 1: Evaluation of Child Process Protection Policy
When a user attempts to run an executable, the operating system attempts to run the executable as a process. If the process tries to launch any child processes, the Cortex XDR agent first evaluates the child process protection policy.