Exploit Protection Rules

An exploit protection rule uses exploit protection modules (EPMs) to protect processes in your organization from specific exploitation techniques. An EPM is a code module that you activate for one or more processes to prevent attacks on program vulnerabilities related to memory corruption or logic flaws.
The default security policy contains a preconfigured set of exploit protection rules that are activated for commonly used protected processes. You can also add additional applications that are important to your organization to the list of protected or provisional processes and then configure additional exploit protection rules. For example, to protect two processes that your organization uses (for example, ProcessA.exe and ProcessB.exe) from a specific type of memory corruption attack called return oriented programming (ROP), you can add the processes to the protected processes list and then create an exploit protection rule that activates the ROP Mitigation EPM. When a user opens a file or URL, the Traps agent injects code into the protected process or processes involved in opening the file and activates the EPM. If the file contains code designed to exploit APIs used in ROP chains, Traps blocks the memory corruption attack. When a security event triggers a prevention, the Traps agent also takes a snapshot of the memory for subsequent forensic investigation.
On a regular basis, the Traps agent retrieves the latest security policy from the ESM Server. The security policy determines which processes Traps protects and the type of EPM that Traps activates to protect the process.
View a summary of exploit protection rules on the PoliciesExploitProtection Modules page. Selecting a rule on the page displays further information about the rule and other actions that you can take on the rule (Delete, Activate/Deactivate, or Edit).
Consult with Palo Alto Networks Support before making any changes to the EPMs in security policy rules.

Related Documentation