topic Re: Cortex Scanning in Cortex XDR Discussions

Cortex Scanning

Conor_Dunne — Mon, 09 Jan 2023 09:10:24 GMT

Hi, I'm looking at doing a review on our Cortex policies and we currently have weekly scanning enabled. I know scanning for Cortex is not a traditional antivirus scan, but more for creating a benchmark for your endpoints.

After it does a scan, alerts get created from things that got raised from the scans. Some of our team members are concerned that if now IOCs or scanning criteria gets created, existing applications that have these criteria won't get scanned and picked up.

Does the baselines get crosschecked with these new criteria, or will they remain undetected until they are detected through actions?

Re: Cortex Scanning

nikoolayy1 — Mon, 09 Jan 2023 09:59:57 GMT

Cortex XDR can detect bad malware files and then to auto quarantine them if you have enabled this as Cortex XDR is EDR, Antivirus system and much more. Just start full scans to check everything and enable auto quarantine as shown below:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Manage-File-Execution

--------

When the agent detects malware on a Windows endpoint, you can take additional precautions to quarantine the file. When the agent quarantines malware, it moves the file from the location on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it isolates the file. This prevents the file from attempting to run again from the same path or causing any harm to your endpoints.

To evaluate whether an executable file is considered malicious, the agent calculates a verdict using information from the following sources in order of priority:

Hash exception policy
WildFire threat intelligence
Local analysis

Quarantining a file in Cortex XDR can be done in one of two ways:

Enable the agent to automatically quarantine malicious executables by configuring quarantine settings in the Malware security profile.
Right-click a specific file from the causality card and select Quarantine.

View the quarantined files in your network.

Re: Cortex Scanning

Conor_Dunne — Mon, 09 Jan 2023 10:05:39 GMT

Thank you for the quick response.

With the malware detection, is this only during execution? If the hash of a malware gets added, but this malware already exists on the machine in a dormant state, are we waiting for execution for Cortex to pick it up, or when the malware hash gets added, will Cortex detect it as being installed?

Re: Cortex Scanning

nikoolayy1 — Mon, 09 Jan 2023 11:51:20 GMT

To catch bad new malware that is already installed better configure automatic periodic scans (like it is done for the normal antivirus software applications), maybe each week of each month (if the users complain atleast each month is a nice option 🙂 ) with auto quarantine option. Here is a nice discussion about this:

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/periodic-endpoint-scanning-report/td-p/525677

XDR uses also the wildfire cloud sandbox content service to catch malware, so this where the benifits come into play against normal antivirus, when you run scans. You may need to license this as to block even zero day malware:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Architecture

Also limit what a not detected malware can do configure also exploits and restrictions profiles to protect processes from the non detected malware and restrict the files. This way you can catch and stop zero day attacks (another EDR benefit compared to normal antivirus software):

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Exploit-Security-Profile

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Restrictions-Security-Profile