https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/564493#M5479 <P>Dear&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/315146">@Jim_Gabales</a>&nbsp;,&nbsp;</P> <P>&nbsp;</P> <P>Thank you for reaching out to the Live Community. We do have a feature in Cortex XDR which assist in backup management where we can enable or disable the automatic backup on Windows using VSS.&nbsp;</P> <P>&nbsp;</P> <P>You can find these settings in policy management&gt; Agent settings&gt; backup management. However, as far as I know we cannot take a backup of the endpoints on the Cortex XDR so that we can restore using it. We can only manage the enabling or disabling of the backup from the Cortex XDR. Thank you.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.</P> Mon, 06 Nov 2023 10:34:30 GMT abdrahman 2023-11-06T10:34:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/564411#M5477 <P>Hi LIVEcommunity,</P> <P>&nbsp;</P> <P>Is there a way for Cortex XDR to take the cleanest snapshot of windows so there is a point where we can rollback the endpoint after an attack?</P> <P>Windows has a feature called Volume Shadow Copy Service (VSS) but can Cortex XDR use this after a ransomware attack? What if the VSS is corrupted, how can Cortex XDR protect the VSS and rollback to the cleanest state of the endpoint?</P> <P>&nbsp;</P> <P>We are trying to compete with other product that has a feature like this, but I cannot find documentation stating how can Cortex XDR accomplish this task.</P> <P>&nbsp;</P> <P>I hope experts in this community can guide us. Thank you.</P> <P>&nbsp;</P> <P>- Jim</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Sun, 05 Nov 2023 05:40:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/564411#M5477 Jim_Gabales 2023-11-05T05:40:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/564493#M5479 <P>Dear&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/315146">@Jim_Gabales</a>&nbsp;,&nbsp;</P> <P>&nbsp;</P> <P>Thank you for reaching out to the Live Community. We do have a feature in Cortex XDR which assist in backup management where we can enable or disable the automatic backup on Windows using VSS.&nbsp;</P> <P>&nbsp;</P> <P>You can find these settings in policy management&gt; Agent settings&gt; backup management. However, as far as I know we cannot take a backup of the endpoints on the Cortex XDR so that we can restore using it. We can only manage the enabling or disabling of the backup from the Cortex XDR. Thank you.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.</P> Mon, 06 Nov 2023 10:34:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/564493#M5479 abdrahman 2023-11-06T10:34:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/565840#M5543 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/290451">@abdrahman</a> , I was looking at this new feature "Backup Management" and you explained that it works with the VSS.<BR />However, I listed the VSS writers and I do not see a Writer "Cortex XDR".</P> <P>Does it mean that the shadow copy driven by the agent has not been write ?</P> <P>I checked the Agent Settings profile and I can see that the option is Enabled.</P> <P>&nbsp;</P> <P>How can I check on the endpoint that the backup has been made by the agent ?</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>Benjamin</P> Wed, 15 Nov 2023 15:08:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/565840#M5543 benjamin_nogue 2023-11-15T15:08:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/565849#M5545 <P>I see, but can we automate the part of restoring it using the enabled shadowcopy? we have a remediation suggestion feature "restoring files", right? Will it trigger the shadow copy to be restored?&nbsp;</P> Wed, 15 Nov 2023 15:48:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/565849#M5545 Jim_Gabales 2023-11-15T15:48:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/1238660#M8749 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/182353">@benjamin_nogue</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/315146">@Jim_Gabales</a>&nbsp;<BR />Hello experts,&nbsp;<BR />Sorry for bothering you, this is an old thread, just came accros the same queries as you.</P> <P>Did you find out the answer ?</P> <P>&nbsp;</P> <P>it seems XDR will just "enabled" the VSS on the endpoints which relies on the default Schedule of the VSS volumn, XDR (is not a backup software) will not fire an VSS snapshot backup, i guess. please correct me if i'm wrong.</P> <P>&nbsp;</P> <P>Thanks</P> Wed, 24 Sep 2025 12:17:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-to-take-the-cleanest-snapshot-of-windows-for-rollback/m-p/1238660#M8749 SeanDeHarris 2025-09-24T12:17:18Z