What does Palo Alto Networks Cortex XDR do first when an endpoint is asked to run an executable?
Correct Answer: C
Palo Alto Networks Cortex XDR is an extended detection and response platform that provides endpoint protection, threat detection, and incident response capabilities. When an endpoint is asked to run an executable, Cortex XDR performs the following steps [1]:
First, it sends the executable to WildFire, a cloud-based malware analysis and prevention service, to determine whether it is malicious or benign. WildFire uses static and dynamic analysis, machine learning, and threat intelligence to analyze the executable and return a verdict within seconds [2].
Next, it checks the execution policy, which is a set of rules that define which actions are allowed or blocked on the endpoint. The administrator can configure the execution policy to enforce granular control over endpoint behavior [3].
Then, it runs a static analysis, which examines the executable without executing it. Static analysis can identify malicious indicators such as file signatures, hashes, strings, and embedded resources [4].
Finally, it runs a dynamic analysis, which executes the executable in a sandboxed environment and monitors its behavior. Dynamic analysis can detect malicious activities such as network connections, registry changes, file modifications, and process injections [4].
References:
[1] Cortex XDR Endpoint Protection Overview
[2] WildFire Overview
[3] Execution Policy
[4] Static and Dynamic Analysis