<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: File server, backup server and storage server profiles in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/file-server-backup-server-and-storage-server-profiles/m-p/404808#M709</link>
    <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170102"&gt;@MCereda&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are about to activate the Cortex XDR agent with the Default Policy Rules (i.e. the Default Exploit, Malware, Restrictions, Agent settings and Exceptions profiles) on some Windows servers which contain a huge amount of data (terabytes).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are there any recommended best practices to follow, or functionalities that should be disabled, in order to avoid any kind of performance impact on these kinds of servers?&lt;/P&gt;&lt;P&gt;For example, we were told that the "File Search and Destroy" feature could cause a huge overhead for some time after the agent has been activated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Furthermore, can anyone provide an estimate of how long a Cortex XDR malware scan on 1 TB of data might take?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170102"&gt;@MCereda&lt;/a&gt;,&lt;BR /&gt;&lt;BR /&gt;As I understand it, you're planning to deploy Cortex XDR to a Windows server that houses a considerable amount of data. There are some considerations to make:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Install the Cortex XDR agent during a maintenance window.&lt;/LI&gt;&lt;LI&gt;After the installation, prepare for an immediate malware scan to follow.&lt;/LI&gt;&lt;LI&gt;Schedule scans during off-periods when the server will not be in use, &lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-profiles/add-malware-security-profile.html#id17AHD0R70XX" target="_blank"&gt;as described here&lt;/A&gt;.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; Subsequent scans will be faster, as the agent will not rescan unmodified files.&lt;BR /&gt;&lt;BR /&gt;As for the amount of time that a scan could take, this is variable depending upon the system resources available and the size of the files, so there's no way to provide an estimate at this time. Predicting the estimated amount of time to scan a target fully would be an excellent feature, which should be submitted as a feature request for future consideration.&lt;BR /&gt;&lt;BR /&gt;Finally, Search and Destroy performs a hash match in the cloud for all devices noted to have a file with that hash on the endpoint (Search). Then it sends a delete job to remove the target file from the filesystem on the target endpoint (Destroy). There's no major resource utilization expected on the endpoint during this process, as the endpoint will only be tasked with deleting the target file if it exists.&lt;/P&gt;</description>
    <pubDate>Tue, 04 May 2021 18:55:04 GMT</pubDate>
    <dc:creator>gjenkins</dc:creator>
    <dc:date>2021-05-04T18:55:04Z</dc:date>
    <item>
      <title>File server, backup server and storage server profiles</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/file-server-backup-server-and-storage-server-profiles/m-p/403045#M699</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are about to activate the Cortex XDR agent with the Default Policy Rules (i.e. the Default Exploit, Malware, Restrictions, Agent settings and Exceptions profiles) on some Windows servers which contain a huge amount of data (terabytes).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are there any recommended best practices to follow, or functionalities that should be disabled, in order to avoid any kind of performance impact on these kinds of servers?&lt;/P&gt;&lt;P&gt;For example, we were told that the "File Search and Destroy" feature could cause a huge overhead for some time after the agent has been activated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Furthermore, can anyone provide an estimate of how long a Cortex XDR malware scan on 1 TB of data might take?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 28 Apr 2021 14:53:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/file-server-backup-server-and-storage-server-profiles/m-p/403045#M699</guid>
      <dc:creator>MCereda</dc:creator>
      <dc:date>2021-04-28T14:53:28Z</dc:date>
    </item>
    <item>
      <title>Re: File server, backup server and storage server profiles</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/file-server-backup-server-and-storage-server-profiles/m-p/404808#M709</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170102"&gt;@MCereda&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are about to activate the Cortex XDR agent with the Default Policy Rules (i.e. the Default Exploit, Malware, Restrictions, Agent settings and Exceptions profiles) on some Windows servers which contain a huge amount of data (terabytes).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are there any recommended best practices to follow, or functionalities that should be disabled, in order to avoid any kind of performance impact on these kinds of servers?&lt;/P&gt;&lt;P&gt;For example, we were told that the "File Search and Destroy" feature could cause a huge overhead for some time after the agent has been activated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Furthermore, can anyone provide an estimate of how long a Cortex XDR malware scan on 1 TB of data might take?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170102"&gt;@MCereda&lt;/a&gt;,&lt;BR /&gt;&lt;BR /&gt;As I understand it, you're planning to deploy Cortex XDR to a Windows server that houses a considerable amount of data. There are some considerations to make:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Install the Cortex XDR agent during a maintenance window.&lt;/LI&gt;&lt;LI&gt;After the installation, prepare for an immediate malware scan to follow.&lt;/LI&gt;&lt;LI&gt;Schedule scans during off-periods when the server will not be in use, &lt;A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-security-profiles/add-malware-security-profile.html#id17AHD0R70XX" target="_blank"&gt;as described here&lt;/A&gt;.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt; Subsequent scans will be faster, as the agent will not rescan unmodified files.&lt;BR /&gt;&lt;BR /&gt;As for the amount of time that a scan could take, this is variable depending upon the system resources available and the size of the files, so there's no way to provide an estimate at this time. Predicting the estimated amount of time to scan a target fully would be an excellent feature, which should be submitted as a feature request for future consideration.&lt;BR /&gt;&lt;BR /&gt;Finally, Search and Destroy performs a hash match in the cloud for all devices noted to have a file with that hash on the endpoint (Search). Then it sends a delete job to remove the target file from the filesystem on the target endpoint (Destroy). There's no major resource utilization expected on the endpoint during this process, as the endpoint will only be tasked with deleting the target file if it exists.&lt;/P&gt;</description>
      <pubDate>Tue, 04 May 2021 18:55:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/file-server-backup-server-and-storage-server-profiles/m-p/404808#M709</guid>
      <dc:creator>gjenkins</dc:creator>
      <dc:date>2021-05-04T18:55:04Z</dc:date>
    </item>
    <item>
      <title>Re: File server, backup server and storage server profiles</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/file-server-backup-server-and-storage-server-profiles/m-p/405997#M729</link>
      <description>&lt;P&gt;Hey&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170102"&gt;@MCereda&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If those are production servers, I will suggest deploying the agents with a profile configured to 'Report' instead of 'Block', giving it a week to collect alerts and activities from those servers, and monitoring the triggered alerts on the hosts. In case you are seeing FPs, perform the appropriate exclusions, and once you feel comfortable with moving to 'Block' mode, please do so.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 11 May 2021 09:57:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/file-server-backup-server-and-storage-server-profiles/m-p/405997#M729</guid>
      <dc:creator>mabutbul</dc:creator>
      <dc:date>2021-05-11T09:57:46Z</dc:date>
    </item>
  </channel>
</rss>