An App-Embedded Defender does not detect behavior that does not originate from the container's entrypoint

Created On 11/07/23 08:46 AM - Last Modified 01/29/25 06:28 AM


Symptom


  • When you exec into a container and download a sample malware file, an App-Embedded Defender does not detect it. Example:
    1. Deploy an App-Embedded Defender and a test container.
    2. Exec into (log in to) the test container.
    3. Run the command: curl -o ./elf https://wildfire.paloaltonetworks.com/publicapi/test/elf
  • The downloaded ELF test file is not detected.
  • No event is recorded for the curl command above.

 


Environment


  • Prisma Cloud Compute
  • App-Embedded (and Fargate) Defender


Cause


This is the current design.
An App-Embedded (and Fargate) Defender tracks only the container's entrypoint process (PID 1 in the container's PID namespace) and all of its descendant processes. A shell opened with docker exec, kubectl exec, or the ECS Exec feature is started by the container runtime, not by the entrypoint, so it is not a descendant of the entrypoint; neither that shell nor the curl it launches is expected to be captured by the Defender.
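The following is an added illustration of the process-tree rule described above; it is not Prisma Cloud code and says nothing about how the Defender is implemented internally. It classifies the processes in a container by whether PID 1 (the entrypoint) appears in their ancestry. The ps listing embedded in it is constructed for the example: PID 23 is a shell started by exec, and because its parent lives outside the container's PID namespace it is listed with PPID 0, just like the entrypoint itself, so it and its curl child (PID 31) fall outside the tracked tree. The read_proc helper reads the same table from /proc on a live Linux system; the field parsing follows the /proc/[pid]/stat layout and is the author's own.

```python
"""Classify container processes as inside or outside the entrypoint's process tree.

Added example (not Prisma Cloud code): the App-Embedded Defender tracks the
entrypoint and its descendants, so anything started through `docker exec` /
`kubectl exec` is out of scope because it does not descend from PID 1.
"""
import os
from typing import Dict, List, Tuple

ENTRYPOINT_PID = 1

# Constructed sample of `ps -o pid,ppid,comm` output as seen from inside a
# container (not captured from a real system). PID 23 was started by exec:
# its parent is outside the PID namespace, so it shows PPID 0 like PID 1 does.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 nginx
    7     1 nginx
   23     0 sh
   31    23 curl
"""

ProcTable = Dict[int, Tuple[int, str]]  # pid -> (ppid, command)


def parse_ps(text: str) -> ProcTable:
    """Parse `ps -o pid,ppid,comm` output; the header line is skipped."""
    table: ProcTable = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        table[int(parts[0])] = (int(parts[1]), parts[2])
    return table


def ancestry(table: ProcTable, pid: int) -> List[int]:
    """Return pid followed by its ancestors, stopping at PPID 0 or an unknown/cyclic parent."""
    chain = [pid]
    seen = {pid}
    while True:
        ppid = table.get(chain[-1], (0, ""))[0]
        if ppid == 0 or ppid in seen:
            return chain
        chain.append(ppid)
        seen.add(ppid)


def descends_from_entrypoint(table: ProcTable, pid: int) -> bool:
    """True if PID 1 is the process itself or one of its ancestors."""
    return ENTRYPOINT_PID in ancestry(table, pid)


def classify(table: ProcTable) -> Dict[int, str]:
    """Map every pid to 'tracked' (in the entrypoint tree) or 'untracked'."""
    return {
        pid: "tracked" if descends_from_entrypoint(table, pid) else "untracked"
        for pid in table
    }


def read_proc() -> ProcTable:
    """Build the same table from /proc on a live Linux system (author's helper)."""
    table: ProcTable = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited while we were listing
        # comm is parenthesised and may contain spaces; after the closing
        # parenthesis the fields are: state ppid pgrp ...
        rparen = stat.rindex(")")
        comm = stat[stat.index("(") + 1:rparen]
        ppid = int(stat[rparen + 2:].split()[1])
        table[pid] = (ppid, comm)
    return table


if __name__ == "__main__":
    # Run inside a container to see which of its processes the entrypoint rule covers.
    live = read_proc() if os.path.isdir("/proc") else {}
    table = live or parse_ps(SAMPLE_PS)
    for pid, (ppid, comm) in sorted(table.items()):
        print(f"{pid:>6} {ppid:>6} {comm:<20} {classify(table)[pid]}")
```

Run inside the test container after exec'ing in: the exec'd shell and the curl it starts show PPID 0 and "untracked", while the entrypoint's workers show "tracked".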


Resolution


There is currently no setting that changes this behavior. Activity that the Defender is expected to detect must originate from the container's entrypoint or one of its descendant processes; commands run from a shell opened with docker exec or kubectl exec are out of scope, so they are not a valid way to test detection.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Xh8qCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail