Cortex XDR

lprasad — Thu, 08 Dec 2022 23:47:31 GMT

Hi people,

1) I have installed the cortex XDR on end user PC and when I tried to scan email attachment on the end user PC I am not able to see any option to scan email attachment. I am a system Admin and I want the end user to scan email attachment with cortex. At present I have to download the attachment and do scan with cortex. I don't want to download this email attachment and scan the attachment whole without download. Any suggestion how can I make this scan with cortex comes when I right click on email attachment please.

2) How can I block and allow USB drive from Cortex management portal?

Re: Cortex XDR

NagaVenkatesh — Fri, 09 Dec 2022 13:39:02 GMT

Hello prasad.

If you aim is to block USB drive, you can configure that by creating a agent setting policy in the policy management pane.

Go to endpoint-->policy management --> choose your OS-->Agent settings--> Agent security.

Hope this helps.

Re: Cortex XDR

aleksandar.astardzhiev — Fri, 09 Dec 2022 15:42:37 GMT

Hi @lprasad ,

I would disagree with @NagaVenkatesh answer. Agent settings profile is generally defining XDR agent behavior (GUI interface, agent auto update, disk quota etc). Agent Security specifically define agent tampering protection - protect files, folders and processes used by the XDR agent from unauthorized modification or even opening/reading.

With Agent settings profile -> User interface you can define if end user will have the option for "scan with cortex xdr" when right click on a file (basically allowing on-demand file scan by end user).

I don't believe Cortex XDR is capable of scanning file attachment, without saving the file first, or opening it. I would say your requirement is little hard to achieve. Someone may correct me but my understanding is a follow:

- File is attached to email by encoding the file and adding it to the email body, which is simple text

- When Outlook sync with exchange and receive the email (with the attachment), this email is stored in the .ost file (Offline Outlook data file)

- Until this point the email attachment is not a file - from endpoint stand point of view.

- If user tried to open the attachment, Outlook will first decode the attachment and save it in temporal location and run it from there.

I don't have lot of experience with endpoint protections, but is hard for me to imagine that there is EDR/XDR which will allow you to scan attachment without saving it separately first.

Email security protection is more suitable for such task. Such product will inspect the email, before being received by the exchange.

You may have some success with firewall between endpoint and exchange, if you decrypt the traffic and email contain known virus/malware.

If you want to use Cortex XDR your only option (in my humble opinion) is:
- User receive the email

- User saves attachment as file

- User right click on a file and select "scan with cortex xdr" (I am not sure what exact wording was)

For this to work, your Malware profile -> Endpoint Scan -> "End-user initiated local scan" must be enabled (which is by default)

Regarding your second question regarding blocking USB drives. This is achievable by using Extensions profiles - Device Control • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Networks documentation portal

With extension profiles, you can block any USB and add some exceptions or, allow any USB and add exceptions.

Note this way you will block any use of USB drives being plugin to the endpoint.

Another way would be to use Restriction profile - Add a New Restrictions Security Profile • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal

Using Restriction profiles, you can allow USB drive to be plugin, but block/prevent any execution from the attached plugin.

topic Cortex XDR in Cortex XDR Discussions

Cortex XDR

Re: Cortex XDR

Re: Cortex XDR