<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: On-write file examination / cross-platform examination for Linux in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-file-examination-cross-platform-examination-for-linux/m-p/1255131#M9357</link>
    <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159504"&gt;@andreal&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Greetings for the day.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In the local wf_verdicts.db SQLite database for Cortex XDR agents (including Linux and macOS), the verdict value '6' technically maps to UnsupportedFileType.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;WinSCP (using SFTP/SCP protocols) is considered a high-volume I/O process that can trigger the "noisy process" protection mechanism (LRU throttling) in Cortex XDR Agent 9.1.0 for Linux, potentially causing "On-Write File Examination" to be bypassed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you feel this has answered your query, please let us know by clicking&amp;nbsp;&lt;STRONG&gt;like&amp;nbsp;&lt;/STRONG&gt;and on&amp;nbsp;&lt;STRONG&gt;"mark this as a Solution"&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks &amp;amp; Regards,&lt;BR /&gt;S. Subashkar Sekar&lt;/P&gt;</description>
    <pubDate>Mon, 01 Jun 2026 14:52:52 GMT</pubDate>
    <dc:creator>susekar</dc:creator>
    <dc:date>2026-06-01T14:52:52Z</dc:date>
    <item>
      <title>On-write file examination / cross-platform examination for Linux</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-file-examination-cross-platform-examination-for-linux/m-p/1255130#M9356</link>
      <description>&lt;P&gt;Dear LIVEcommunity&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Has anyone been able to test out the new Linux / macOS cross-platform examination module? I created a new Linux Malware Profile and set the "On-write File Examination" for "Portable executable files (Windows)" to Enabled, applied it to a policy for my Linux endpoint, waited for the policy to apply, and then copied a WildFire Test PE (Windows executable which should always trigger an alert) from a Windows host to my Linux host via WinSCP. I did not get any Cortex XDR Alerts, and a manually initiated Cortex XDR malware scan on the Linux endpoint also did not detect the file. The Linux host has Cortex XDR Agent 9.1.0; the feature should be supported with version 8.9+.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A closer inspection of the "wf_verdicts.db" shows my WildFire Test PE Windows Executable has a Verdict with value 6, which I cannot find in the Log Format documentation (only values 0,1,2,4,99 are defined):&amp;nbsp;&lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Log-formats" target="_blank"&gt;https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Log-formats&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm curious to see if anyone was able to successfully test this feature.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 01 Jun 2026 14:42:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-file-examination-cross-platform-examination-for-linux/m-p/1255130#M9356</guid>
      <dc:creator>andreal</dc:creator>
      <dc:date>2026-06-01T14:42:30Z</dc:date>
    </item>
    <item>
      <title>Re: On-write file examination / cross-platform examination for Linux</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-file-examination-cross-platform-examination-for-linux/m-p/1255131#M9357</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159504"&gt;@andreal&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Greetings for the day.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In the local wf_verdicts.db SQLite database for Cortex XDR agents (including Linux and macOS), the verdict value '6' technically maps to UnsupportedFileType.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;WinSCP (using SFTP/SCP protocols) is considered a high-volume I/O process that can trigger the "noisy process" protection mechanism (LRU throttling) in Cortex XDR Agent 9.1.0 for Linux, potentially causing "On-Write File Examination" to be bypassed.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you feel this has answered your query, please let us know by clicking&amp;nbsp;&lt;STRONG&gt;like&amp;nbsp;&lt;/STRONG&gt;and on&amp;nbsp;&lt;STRONG&gt;"mark this as a Solution"&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks &amp;amp; Regards,&lt;BR /&gt;S. Subashkar Sekar&lt;/P&gt;</description>
      <pubDate>Mon, 01 Jun 2026 14:52:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-file-examination-cross-platform-examination-for-linux/m-p/1255131#M9357</guid>
      <dc:creator>susekar</dc:creator>
      <dc:date>2026-06-01T14:52:52Z</dc:date>
    </item>
    <item>
      <title>Re: On-write file examination / cross-platform examination for Linux</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-file-examination-cross-platform-examination-for-linux/m-p/1255132#M9358</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/241098"&gt;@susekar&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I appreciate the quick response! Thanks for the insight into the verdict value 6, very interesting.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As the file type is not supported, I upgraded the Cortex XDR Agent version to 9.2.0 (because it's a feature from the latest release - I assume the on-write protection is a feature for Cortex XDR Agent 8.9+ but cross-platform examination only a 9.2.0 feature) and tried to reproduce the issue. Again, no alert was created.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, now the verdict value changed to '3' for the new file.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Is there any other protocol I could use to test out the cross-platform-examination if WinSCP is bypassing the "On-Write File Examination"?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 01 Jun 2026 15:13:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/on-write-file-examination-cross-platform-examination-for-linux/m-p/1255132#M9358</guid>
      <dc:creator>andreal</dc:creator>
      <dc:date>2026-06-01T15:13:45Z</dc:date>
    </item>
  </channel>
</rss>

