https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ransomware-protection-aggressive-mode-amp-resource/m-p/999402#M7624 <P>Hello Community,</P> <P>&nbsp;</P> <P>I have a question regarding Cortex XDR in Aggressive Mode. During my testing, I noticed that it significantly impacts my machine's performance, as the Cortex XDR agent continuously analyzes the behavior of benign software, such as browsers.</P> <P>To optimize resource usage and performance, is it possible for Cortex XDR to analyze the behavior of benign software over an extended period (e.g., a month), establish a baseline, and then minimize or stop analyzing that software unless a deviation occurs?</P> <P>Does Cortex XDR offer a policy or configuration to support this kind of adaptive analysis, or are there other recommendations to mitigate resource usage in Aggressive Mode?</P> <P>Thank you for your insights!</P> <P>&nbsp;</P> <P>#contex_xdr</P> <P>#aggressive_mode</P> Tue, 24 Dec 2024 07:40:42 GMT H.Zaw245320 2024-12-24T07:40:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ransomware-protection-aggressive-mode-amp-resource/m-p/999402#M7624 <P>Hello Community,</P> <P>&nbsp;</P> <P>I have a question regarding Cortex XDR in Aggressive Mode. During my testing, I noticed that it significantly impacts my machine's performance, as the Cortex XDR agent continuously analyzes the behavior of benign software, such as browsers.</P> <P>To optimize resource usage and performance, is it possible for Cortex XDR to analyze the behavior of benign software over an extended period (e.g., a month), establish a baseline, and then minimize or stop analyzing that software unless a deviation occurs?</P> <P>Does Cortex XDR offer a policy or configuration to support this kind of adaptive analysis, or are there other recommendations to mitigate resource usage in Aggressive Mode?</P> <P>Thank you for your insights!</P> <P>&nbsp;</P> <P>#contex_xdr</P> <P>#aggressive_mode</P> Tue, 24 Dec 2024 07:40:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ransomware-protection-aggressive-mode-amp-resource/m-p/999402#M7624 H.Zaw245320 2024-12-24T07:40:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ransomware-protection-aggressive-mode-amp-resource/m-p/999966#M7645 <P><SPAN>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56476653">@H.Zaw245320</a>&nbsp;</SPAN><BR /><BR /><SPAN>Thanks for your query on LC!</SPAN></P> <P>&nbsp;</P> <P><SPAN>Generally,&nbsp;&nbsp;we are not recommending to keep Aggressive Mode enabled always to avoid of this type of scenarios and also aggressive mode may make the decoy files distribute to many directries aggressively and be visible to users as well which may cause tampering attempts as well.</SPAN></P> <P><SPAN>&nbsp;Aggressive mode is part of ransomeware detection and this feature is designed for a scenarios where if user suspects that there is an infection they can enable it in such a scenario but should be disabled after.incase of customer is thinking that there is an infection they can enable it but should be disabled after.<BR /><BR /></SPAN></P> <DIV id="GV7HMNV2B-1735809404.252849-thread-list-Thread_1735813802.304769" class="c-virtual_list__item" tabindex="0" role="listitem" aria-setsize="-1" data-qa="virtual-list-item" data-item-key="1735813802.304769"> <DIV class="c-message_kit__background c-message_kit__message c-message_kit__thread_message" role="presentation" data-qa="message_container" data-qa-unprocessed="false" data-qa-placeholder="false"> <DIV class="c-message_kit__hover" role="document" aria-roledescription="message" data-qa-hover="true"> <DIV class="c-message_kit__actions c-message_kit__actions--above"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">Q- is it possible for Cortex XDR to analyze the behavior of benign software over an extended period (e.g., a month), establish a baseline, and then minimize or stop analyzing that software unless a deviation occurs?<BR />A -&nbsp; This may not be possible. The request is similar to our analytic engine over backend server but XDR Agent does not do this kind of processing on the agent bcz it requires so much data and time and processing power. Thats why we have analytics.</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <DIV id="GV7HMNV2B-1735809404.252849-thread-list-Thread_1735813870.886019" class="c-virtual_list__item" tabindex="-1" role="listitem" aria-setsize="-1" data-qa="virtual-list-item" data-item-key="1735813870.886019"> <DIV class="c-message_kit__background c-message_kit__background--hovered c-message_kit__message c-message_kit__thread_message" role="presentation" data-qa="message_container" data-qa-unprocessed="false" data-qa-placeholder="false"> <DIV class="c-message_kit__hover c-message_kit__hover--hovered" role="document" aria-roledescription="message" data-qa-hover="true"> <DIV class="c-message_kit__actions c-message_kit__actions--above"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__left" role="presentation"> <DIV class="p-thread_compact_gutter_generic p-thread_compact_gutter_generic--adjacent" data-qa="thread_compact_gutter">&nbsp;</DIV> </DIV> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <DIV class="p-rich_text_section">Q - Does Cortex XDR offer a policy or configuration to support this kind of adaptive analysis, or are there other recommendations to mitigate resource usage in Aggressive Mode?<BR />A - We have Adaptive Policy (APEX) and Apex checks rules, modules etc built in with agent that monitors the overall resource consumptions in general but not specific/relevant to this feature. The option would be to&nbsp;disable aggressive mode and not to keep enabled in general as explained above.<BR /><BR /><SPAN>Give it a like and mark as solution if this helped.</SPAN><BR /><BR /></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <P><SPAN>Best,<BR /><BR /></SPAN></P> Thu, 02 Jan 2025 10:58:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-ransomware-protection-aggressive-mode-amp-resource/m-p/999966#M7645 nar 2025-01-02T10:58:59Z