Cortex XDR
Advanced Endpoint Protection

Palo Alto Cortex XDR - Advanced Endpoint Protection

Palo Alto Cortex XDR advanced endpoint protection stops threats on the endpoint and coordinates enforcement with cloud and network security to prevent successful cyberattacks. As a lightweight agent, Cortex XDR minimizes endpoint infections by blocking malware, exploits and ransomware. It can be used for Windows®, macOS®, Android® and Linux operating systems, and can be managed on-premises or from the cloud.

Multiple methods of malware prevention

Cortex XDR prevents the execution of malicious files with an approach tailored to combat both traditional and modern attacks. Additionally, administrators can utilize periodic scanning to identify dormant threats, comply with regulatory requirements and accelerate incident response with endpoint context.

Palo Alto Cortex XDR - Prevention Methods
Palo Alto Cortex XDR - Endpoint Prevention

Threat intelligence

Cortex XDR leverages the intelligence obtained from tens of thousands of subscribers to the WildFire malware prevention service to continuously aggregate threat data and maintain the collective immunity of all users across endpoints, networks and cloud applications. Cortex XDR queries WildFire, and WildFire returns a near-instantaneous verdict on whether the file is malicious or benign. If the file is unknown, Cortex XDR proceeds with additional prevention techniques to determine whether it is a threat that should be terminated.

Local analysis via machine learning

If a file remains unknown after the initial hash lookup and has not been identified by administrators, Cortex XDR uses local analysis via machine learning on the endpoint – trained by the rich threat intelligence of WildFire – to determine whether the file can run, even before receiving a verdict from the deeper WildFire inspection.

Dynamic analysis

In addition to local analysis, Cortex XDR sends unknown files to WildFire for discovery and deeper analysis to rapidly detect potentially unknown malware. WildFire uses independent techniques for high-fidelity and evasion-resistant discovery. These are:

Static analysis via machine learning – a more powerful version of local analysis, based in the cloud, that detects known threats by analyzing the characteristics of samples prior to execution.
Dynamic analysis – a custom-built, evasion-resistant virtual environment in which previously unknown submissions are detonated to determine real-world effects and behavior.
Bare metal analysis – a hardware-based analysis environment specifically designed for advanced threats that exhibit highly evasive characteristics and can detect virtual analysis.

Malicious process prevention

Cortex XDR prevents script-based and fileless attacks by default with out-of-the-box, fine-grained controls over the launching of legitimate applications, such as script engines and command shells.

Ransomware protection

In addition to existing multi-method prevention measures, including exploit prevention, local analysis and WildFire, Cortex XDR monitors the system for ransomware behavior. Upon detection, it immediately blocks attacks and prevents encryption of customer data.

Multiple methods of exploit prevention

Cortex XDR is unique for its ability to prevent exploits through technique identification and a protection focused model. Cortex XDR targets the techniques that any exploit-based attack must use to manipulate a software vulnerability.

Palo Alto Cortex XDR - Exploit Prevention

By preventing these techniques, Cortex XDR is able to protect unpatched systems, unsupported legacy systems, applications IT is unaware of – commonly known as shadow IT – and never-before-seen exploits, also called zero-day exploits.

Cortex XDR delivers exploit prevention using multiple methods, including:

  • Pre-exploit protection: Cortex XDR prevents the vulnerability-profiling techniques exploit kits use prior to launching attacks. By blocking these techniques, Cortex XDR prevents attackers from targeting vulnerable endpoints and applications, effectively preventing the attacks before they begin.
  • Technique-based exploit prevention: Cortex XDR prevents known, zero-day and unpatched vulnerabilities by blocking the exploitation techniques attackers use to manipulate applications.
  • Kernel exploit prevention: Cortex XDR prevents exploits that leverage vulnerabilities in the operating system kernel to create processes with escalated privileges. Cortex XDR also protects against new exploit techniques used to execute malicious payloads, such as those seen in 2017’s WannaCry and NotPetya attacks.

By blocking the techniques, Cortex XDR provides customers three important benefits:

  1. Protects unpatchable applications and shadow IT.
  2. Minimizes the risks associated with delayed patching.
  3. Prevents zero-day exploits from succeeding.

Besides malware and exploit prevention, Cortex XDR is also capable of:

  • Scanning: Administrators can scan endpoints and attached removable drives for dormant malware, with an option to automatically quarantine it for remediation when found.
  • Admin override policies: Cortex XDR enables organizations to define policies based on the hash of an executable file, controlling what is or isn’t allowed to run in their environments.
  • Malware quarantine: Cortex XDR is capable of immediately quarantining malicious executable files, DLLs and Office files to prevent propagation or execution attempts of infected files.
  • Grayware classification: Cortex XDR enables organizations to identify non-malicious but otherwise undesirable software, such as adware, and prevent it from running in their environments.
  • Execution restrictions: Cortex XDR enables organizations to easily define policies to restrict specific execution scenarios to reduce the attack surface of any environment.