topic Re: Periodic Scan on endpoints in Cortex XDR Discussions

Periodic Scan on endpoints

RamyashreeMada — Thu, 05 Jan 2023 06:32:33 GMT

Hello,

We intend to initiate malware scans on all endpoints. Which is the best approach to perform a periodic scan, is that on a weekly or monthly basis?

Re: Periodic Scan on endpoints

mavraham — Thu, 05 Jan 2023 11:49:34 GMT

Hi @RamyashreeMada, thank you for writing to Live Community.

Unfortunately we can not determine for you what is the best approach here. You should look into your organization's internal procedures, as well as regulatory requirements to determine the frequency of scanning.

Re: Periodic Scan on endpoints

aleksandar.astardzhiev — Tue, 17 Jan 2023 09:43:32 GMT

Hi @RamyashreeMada ,

I would agree with @mavraham, that this really depends on your organization and security standards.

One think that I want to point out, which is often missed when discussing malware scan - Cortex XDR Malware scan follow the exact same steps of pre-execution protection.

If you recall Pre-Execution protection perform the following checks, when attempting to execute process/file :

- Check if file hash is in allow/block list

- Check if file is signed by trusted/untrusted signer

- Query wildfire for verdict

- If WF verdict is uknown (wf is unreachable) local analysis check is performed

Malware scan perform exact same checks, except for the local analysis, but without the file being executed.

In addition when malware scan is executed and it send the file hash to WildFire for verdict it will keep this verdict in local cache, which means is this file is later executed agent will use the verdict for the cache instead of querying WF again