In Cortex XDR,Malware profilesdefine how the agent handles files for analysis, including whether they are uploaded to the cloud forWildFireanalysis or other cloud-based inspections. To prevent a specific executable from being uploaded to the cloud, the administrator can configure anexclusion rulein the Malware profile.
Exclusion rules allow specific files, directories, or patterns to be excluded from cloud analysis, ensuring they are not sent to the cloud while still allowing local analysis or other policy enforcement.
* Correct Answer Analysis (D):Creating anexclusion rulefor the executable in the Malware profile ensures that the specified file is not uploaded to the cloud for analysis. This can be done by specifying the file's name, hash, or path in the exclusion settings, preventing unnecessary cloud uploads while maintaining agent functionality for other files.
* Why not the other options?
* A. Disable on-demand file examination for the executable: Disabling on-demand file examination prevents the agent from analyzing the file at all, which could compromise security by bypassing local and cloud analysis entirely. This is not the intended solution.
* B. Set PE and DLL examination for the executable to report action mode: Setting examination to "report action mode" configures the agent to log actions without blocking or uploading, but it does not specifically prevent cloud uploads. This option is unrelated to controlling cloud analysis.
* C. Add the executable to the allow list for executions: Adding an executable to the allow list permits it to run without triggering prevention actions, but it does not prevent the file from being uploaded to the cloud for analysis.
Exact Extract or Reference:
TheCortex XDR Documentation Portalexplains Malware profile configuration: "Exclusion rules in Malware profiles allow administrators to specify files or directories that are excluded from cloud analysis, preventing uploads to WildFire or other cloud services" (paraphrased from the Malware Profile Configuration section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers agent configuration, stating that "exclusion rules can be used to prevent specific files from being sent to the cloud for analysis" (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes
"Cortex XDR agent configuration" as a key exam topic, encompassing Malware profile settings.
References:
Palo Alto Networks Cortex XDR Documentation Portal:https://docs-cortex.paloaltonetworks.com/ EDU-260: Cortex XDR Prevention and Deployment Course Objectives Palo Alto Networks Certified XDR Engineer Datasheet:https://www.paloaltonetworks.com/services/education
/certification#xdr-engineer