<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cortex XDR Agent rollout strategy in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/416422#M832</link>
    <description>&lt;P&gt;Hello&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We're currently doing the exact same thing, but through testing we have found that, while not officially compatible in the XDR docs, XDR and Cylance can run side by side. We have found that in some server situations they don't work well together, but Cylance has an undocumented (you can get it from Cylance support) compatibility mode you can set in the Windows registry that allows them to work side by side.&lt;/P&gt;</description>
    <pubDate>Thu, 01 Jul 2021 03:55:57 GMT</pubDate>
    <dc:creator>GarethDavies</dc:creator>
    <dc:date>2021-07-01T03:55:57Z</dc:date>
    <item>
      <title>Cortex XDR Agent rollout strategy</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/410992#M783</link>
      <description>&lt;P&gt;We will be rolling out to production soon and we need to have full AV protection while Cortex XDR is in monitor mode for up to 2 weeks. The previous Cylance AV agent must be uninstalled prior to the Cortex agent being installed, so running in parallel is not an option. Any thoughts on how other organizations have approached this, or a recommended approach?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance for any suggestions,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Doug&lt;/P&gt;</description>
      <pubDate>Thu, 03 Jun 2021 19:09:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/410992#M783</guid>
      <dc:creator>DougHolmes</dc:creator>
      <dc:date>2021-06-03T19:09:20Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Agent rollout strategy</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/415263#M815</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/183637"&gt;@DougHolmes&lt;/a&gt;&amp;nbsp;wrote:&lt;BR /&gt;&lt;P&gt;We will be rolling out to production soon and we need to have full AV protection while Cortex XDR is in monitor mode for up to 2 weeks. The previous Cylance AV agent must be uninstalled prior to the Cortex agent being installed, so running in parallel is not an option. Any thoughts on how other organizations have approached this, or a recommended approach?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance for any suggestions,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Doug&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/183637"&gt;@DougHolmes&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I understand that you are looking to uninstall your previous AV while the Cortex XDR Agent is in monitor mode. Could you elaborate on the reasoning behind uninstalling the previous AV? Also, could you provide more context around why the Cortex XDR agent cannot run in block mode to provide the required protection for that period? If any recommendation could be made here given the information provided, it would certainly be to install the Cortex XDR agent in block mode as there will be no other endpoint protection software available to stop malicious activities in their tracks. I hope that this helps.&lt;/P&gt;</description>
      <pubDate>Fri, 25 Jun 2021 15:48:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/415263#M815</guid>
      <dc:creator>gjenkins</dc:creator>
      <dc:date>2021-06-25T15:48:48Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Agent rollout strategy</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/415321#M816</link>
      <description>&lt;P&gt;Hi Doug,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hopefully my reply isn't too late. As you know, XDR has compatibility issues with Cylance, so yes, uninstall Cylance before installing the XDR agent. And hopefully, you have done some canary group with no Cylance and XDR in block mode. That way at least you will get somewhere around 60-70% of the executables known to XDR, and the rest you can deal with when an incident triggers. Also, when you remove Cylance, usually Defender takes over if the XDR profile is set to report mode, but once you switch to blocking mode, XDR will be registered as the primary AV in Security Center.&lt;/P&gt;&lt;P&gt;What I've seen from some customers: remove Cylance, install the XDR agent, but with only specific modules in blocking mode while the rest are in report mode. That way the SOC doesn't get overwhelmed with all the new alerts at the same time, then slowly switch each module to block mode. What I would suggest is to get a good understanding of the XDR agent as an incident source, as those are the ones that will get blocked, and how to address them, so that even if you deploy the XDR agent with all modules in block mode, you can easily manage and address those incidents right away.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jcandelaria_0-1624659912771.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34602iD520A3C6C7613124/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="jcandelaria_0-1624659912771.png" alt="jcandelaria_0-1624659912771.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 25 Jun 2021 22:25:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/415321#M816</guid>
      <dc:creator>jcandelaria</dc:creator>
      <dc:date>2021-06-25T22:25:36Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Agent rollout strategy</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/416422#M832</link>
      <description>&lt;P&gt;Hello&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We're currently doing the exact same thing, but through testing we have found that, while not officially compatible in the XDR docs, XDR and Cylance can run side by side. We have found that in some server situations they don't work well together, but Cylance has an undocumented (you can get it from Cylance support) compatibility mode you can set in the Windows registry that allows them to work side by side.&lt;/P&gt;</description>
      <pubDate>Thu, 01 Jul 2021 03:55:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/416422#M832</guid>
      <dc:creator>GarethDavies</dc:creator>
      <dc:date>2021-07-01T03:55:57Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR Agent rollout strategy</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/457542#M1426</link>
      <description>&lt;P&gt;Hi Gareth.D,&lt;/P&gt;&lt;P&gt;I have the same situation. Do you have the document about Cylance's undocumented compatibility mode?&lt;/P&gt;</description>
      <pubDate>Fri, 07 Jan 2022 18:51:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-rollout-strategy/m-p/457542#M1426</guid>
      <dc:creator>AViola</dc:creator>
      <dc:date>2022-01-07T18:51:55Z</dc:date>
    </item>
  </channel>
</rss>

