<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Protection Mode for Linux Modules in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-mode-for-linux-modules/m-p/1257824#M9405</link>
    <description>&lt;P&gt;Hello&amp;nbsp;&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41187"&gt;@micomi&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Greetings for the day.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="qMYqUG_convSearchResultHighlightRoot"&gt;
&lt;DIV class="" data-turn-id-container="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-0" data-is-intersecting="true"&gt;
&lt;SECTION class="text-token-text-primary w-full focus:outline-none has-data-writing-block:pointer-events-none [&amp;amp;:has([data-writing-block])&amp;gt;*]:pointer-events-auto R6Vx5W_threadScrollVars scroll-mb-[calc(var(--scroll-root-safe-area-inset-bottom,0px)+var(--thread-response-height))] scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn-id="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-0" data-turn-id-container="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-0" data-testid="conversation-turn-168" data-turn="assistant"&gt;
&lt;DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"&gt;
&lt;DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn" data-conversation-screenshot-content=""&gt;
&lt;DIV class="flex max-w-full flex-col gap-4 grow"&gt;
&lt;DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;amp;]:mt-1" dir="auto" tabindex="0" data-message-author-role="assistant" data-message-id="1de68624-759a-4478-9b2b-9c10c1ec5845" data-message-model-slug="gpt-5-5" data-turn-start-message="true"&gt;
&lt;DIV class="flex w-full flex-col gap-1 empty:hidden"&gt;
&lt;DIV class="markdown prose dark:prose-invert wrap-break-word w-full dark markdown-new-styling"&gt;
&lt;P class="PDq2pG_selectionAnchorContainer" data-start="0" data-end="368"&gt;The configuration of &lt;STRONG data-start="21" data-end="33"&gt;"Normal"&lt;/STRONG&gt; and &lt;STRONG data-start="38" data-end="54"&gt;"Aggressive"&lt;/STRONG&gt; protection modes for &lt;STRONG data-start="76" data-end="104"&gt;Reverse Shell Protection&lt;/STRONG&gt; and &lt;STRONG data-start="109" data-end="153"&gt;Malicious Child Process Protection (C01)&lt;/STRONG&gt; on Linux follows the general Cortex XDR logic of balancing detection sensitivity against system stability, though the specific technical implementation differs significantly from the Windows Anti-Ransomware module.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;H4 data-section-id="k6wa9h" data-start="370" data-end="417"&gt;Comparison to Windows Ransomware Protection:&lt;/H4&gt;
&lt;P data-start="419" data-end="585"&gt;While the labels &lt;STRONG data-start="436" data-end="448"&gt;"Normal"&lt;/STRONG&gt; and &lt;STRONG data-start="453" data-end="469"&gt;"Aggressive"&lt;/STRONG&gt; are identical to those found in the Windows Ransomware Protection module, the underlying mechanism is not the same.&lt;/P&gt;
&lt;UL data-start="587" data-end="1025"&gt;
&lt;LI data-section-id="1vwyrar" data-start="587" data-end="791"&gt;&lt;STRONG data-start="589" data-end="623"&gt;Windows Ransomware Protection:&lt;/STRONG&gt; Uses a deception mechanism involving decoy files (honeypots). &lt;STRONG data-start="686" data-end="700"&gt;Aggressive&lt;/STRONG&gt; mode increases sensitivity by exposing more applications and folders to these decoy files.&lt;/LI&gt;
&lt;LI data-section-id="19p8am0" data-start="792" data-end="1025"&gt;&lt;STRONG data-start="794" data-end="823"&gt;Linux Protection Modules:&lt;/STRONG&gt; The Linux Reverse Shell and Malicious Child Process modules do not utilize decoy files or honeypots. Instead, they rely on behavioral rules, real-time process monitoring, and kernel-level interception.&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 data-section-id="1jmy8kl" data-start="1027" data-end="1072"&gt;Technical Differences in Protection Modes:&lt;/H4&gt;
&lt;P data-start="1074" data-end="1234"&gt;In the absence of specific Linux-module documentation, the operational differences are inferred from the general behavior of these settings within the platform:&lt;/P&gt;
&lt;UL data-start="1236" data-end="1734"&gt;
&lt;LI data-section-id="1flybfr" data-start="1236" data-end="1461"&gt;&lt;STRONG data-start="1238" data-end="1264"&gt;Normal Mode (Default):&lt;/STRONG&gt; This mode is optimized for production stability and minimizing false positives. It uses baseline behavioral thresholds and rule sets designed to minimize interference with legitimate applications.&lt;/LI&gt;
&lt;LI data-section-id="pf1dag" data-start="1463" data-end="1734"&gt;&lt;STRONG data-start="1465" data-end="1485"&gt;Aggressive Mode:&lt;/STRONG&gt; This mode increases the security posture by enabling more sensitive detection parameters. While it provides broader coverage against evasive threats, it also carries a higher risk of false positives and may have a greater impact on user experience.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="1736" data-end="1908" data-is-last-node="" data-is-only-node=""&gt;The specific rule thresholds or sensitivity adjustments that differentiate &lt;STRONG data-start="1811" data-end="1821"&gt;Normal&lt;/STRONG&gt; from &lt;STRONG data-start="1827" data-end="1841"&gt;Aggressive&lt;/STRONG&gt; mode for these Linux-specific modules are not publicly documented.&lt;/P&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV class="z-0 flex min-h-[46px] justify-start"&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV class="z-0 flex min-h-[46px] justify-start"&gt;
&lt;P&gt;If you feel this has answered your query, please let us know by clicking&amp;nbsp;&lt;STRONG&gt;like&amp;nbsp;&lt;/STRONG&gt;and on&amp;nbsp;&lt;STRONG&gt;"mark this as a Solution"&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks &amp;amp; Regards,&lt;BR /&gt;S. Subashkar Sekar&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="mt-3 w-full empty:hidden"&gt;
&lt;DIV class="text-center"&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/SECTION&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV class="pointer-events-none -mt-px h-px translate-y-[calc(var(--scroll-root-safe-area-inset-bottom)-14*var(--spacing))]" aria-hidden="true"&gt;&amp;nbsp;&lt;/DIV&gt;</description>
    <pubDate>Tue, 30 Jun 2026 21:44:21 GMT</pubDate>
    <dc:creator>susekar</dc:creator>
    <dc:date>2026-06-30T21:44:21Z</dc:date>
    <item>
      <title>Protection Mode for Linux Modules</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-mode-for-linux-modules/m-p/1257755#M9404</link>
      <description>&lt;P&gt;When configuring&amp;nbsp;Reverse Shell Protection and&amp;nbsp;&lt;SPAN class="frame-title"&gt;Malicious Child Process Protection there's an option to configure the protection mode. Default is "normal" but we could choose "aggressive" too.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN class="frame-title"&gt;There's no documentation.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN class="frame-title"&gt;Does anyone know the difference of protection modes for these Linux modules?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;Is it the same as in the ransomware protection module for Windows?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="micomi_0-1782802979178.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71905i91BB639FCE2F5F6C/image-size/medium?v=v2&amp;amp;px=400" role="button" title="micomi_0-1782802979178.png" alt="micomi_0-1782802979178.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 07:03:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-mode-for-linux-modules/m-p/1257755#M9404</guid>
      <dc:creator>micomi</dc:creator>
      <dc:date>2026-06-30T07:03:09Z</dc:date>
    </item>
    <item>
      <title>Re: Protection Mode for Linux Modules</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-mode-for-linux-modules/m-p/1257824#M9405</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41187"&gt;@micomi&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Greetings for the day.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="qMYqUG_convSearchResultHighlightRoot"&gt;
&lt;DIV class="" data-turn-id-container="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-0" data-is-intersecting="true"&gt;
&lt;SECTION class="text-token-text-primary w-full focus:outline-none has-data-writing-block:pointer-events-none [&amp;amp;:has([data-writing-block])&amp;gt;*]:pointer-events-auto R6Vx5W_threadScrollVars scroll-mb-[calc(var(--scroll-root-safe-area-inset-bottom,0px)+var(--thread-response-height))] scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn-id="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-0" data-turn-id-container="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-0" data-testid="conversation-turn-168" data-turn="assistant"&gt;
&lt;DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"&gt;
&lt;DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn" data-conversation-screenshot-content=""&gt;
&lt;DIV class="flex max-w-full flex-col gap-4 grow"&gt;
&lt;DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;amp;]:mt-1" dir="auto" tabindex="0" data-message-author-role="assistant" data-message-id="1de68624-759a-4478-9b2b-9c10c1ec5845" data-message-model-slug="gpt-5-5" data-turn-start-message="true"&gt;
&lt;DIV class="flex w-full flex-col gap-1 empty:hidden"&gt;
&lt;DIV class="markdown prose dark:prose-invert wrap-break-word w-full dark markdown-new-styling"&gt;
&lt;P class="PDq2pG_selectionAnchorContainer" data-start="0" data-end="368"&gt;The configuration of &lt;STRONG data-start="21" data-end="33"&gt;"Normal"&lt;/STRONG&gt; and &lt;STRONG data-start="38" data-end="54"&gt;"Aggressive"&lt;/STRONG&gt; protection modes for &lt;STRONG data-start="76" data-end="104"&gt;Reverse Shell Protection&lt;/STRONG&gt; and &lt;STRONG data-start="109" data-end="153"&gt;Malicious Child Process Protection (C01)&lt;/STRONG&gt; on Linux follows the general Cortex XDR logic of balancing detection sensitivity against system stability, though the specific technical implementation differs significantly from the Windows Anti-Ransomware module.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;H4 data-section-id="k6wa9h" data-start="370" data-end="417"&gt;Comparison to Windows Ransomware Protection:&lt;/H4&gt;
&lt;P data-start="419" data-end="585"&gt;While the labels &lt;STRONG data-start="436" data-end="448"&gt;"Normal"&lt;/STRONG&gt; and &lt;STRONG data-start="453" data-end="469"&gt;"Aggressive"&lt;/STRONG&gt; are identical to those found in the Windows Ransomware Protection module, the underlying mechanism is not the same.&lt;/P&gt;
&lt;UL data-start="587" data-end="1025"&gt;
&lt;LI data-section-id="1vwyrar" data-start="587" data-end="791"&gt;&lt;STRONG data-start="589" data-end="623"&gt;Windows Ransomware Protection:&lt;/STRONG&gt; Uses a deception mechanism involving decoy files (honeypots). &lt;STRONG data-start="686" data-end="700"&gt;Aggressive&lt;/STRONG&gt; mode increases sensitivity by exposing more applications and folders to these decoy files.&lt;/LI&gt;
&lt;LI data-section-id="19p8am0" data-start="792" data-end="1025"&gt;&lt;STRONG data-start="794" data-end="823"&gt;Linux Protection Modules:&lt;/STRONG&gt; The Linux Reverse Shell and Malicious Child Process modules do not utilize decoy files or honeypots. Instead, they rely on behavioral rules, real-time process monitoring, and kernel-level interception.&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 data-section-id="1jmy8kl" data-start="1027" data-end="1072"&gt;Technical Differences in Protection Modes:&lt;/H4&gt;
&lt;P data-start="1074" data-end="1234"&gt;In the absence of specific Linux-module documentation, the operational differences are inferred from the general behavior of these settings within the platform:&lt;/P&gt;
&lt;UL data-start="1236" data-end="1734"&gt;
&lt;LI data-section-id="1flybfr" data-start="1236" data-end="1461"&gt;&lt;STRONG data-start="1238" data-end="1264"&gt;Normal Mode (Default):&lt;/STRONG&gt; This mode is optimized for production stability and minimizing false positives. It uses baseline behavioral thresholds and rule sets designed to minimize interference with legitimate applications.&lt;/LI&gt;
&lt;LI data-section-id="pf1dag" data-start="1463" data-end="1734"&gt;&lt;STRONG data-start="1465" data-end="1485"&gt;Aggressive Mode:&lt;/STRONG&gt; This mode increases the security posture by enabling more sensitive detection parameters. While it provides broader coverage against evasive threats, it also carries a higher risk of false positives and may have a greater impact on user experience.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-start="1736" data-end="1908" data-is-last-node="" data-is-only-node=""&gt;The specific rule thresholds or sensitivity adjustments that differentiate &lt;STRONG data-start="1811" data-end="1821"&gt;Normal&lt;/STRONG&gt; from &lt;STRONG data-start="1827" data-end="1841"&gt;Aggressive&lt;/STRONG&gt; mode for these Linux-specific modules are not publicly documented.&lt;/P&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV class="z-0 flex min-h-[46px] justify-start"&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV class="z-0 flex min-h-[46px] justify-start"&gt;
&lt;P&gt;If you feel this has answered your query, please let us know by clicking&amp;nbsp;&lt;STRONG&gt;like&amp;nbsp;&lt;/STRONG&gt;and on&amp;nbsp;&lt;STRONG&gt;"mark this as a Solution"&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks &amp;amp; Regards,&lt;BR /&gt;S. Subashkar Sekar&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/DIV&gt;
&lt;DIV class="mt-3 w-full empty:hidden"&gt;
&lt;DIV class="text-center"&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;/SECTION&gt;
&lt;/DIV&gt;
&lt;/DIV&gt;
&lt;DIV class="pointer-events-none -mt-px h-px translate-y-[calc(var(--scroll-root-safe-area-inset-bottom)-14*var(--spacing))]" aria-hidden="true"&gt;&amp;nbsp;&lt;/DIV&gt;</description>
      <pubDate>Tue, 30 Jun 2026 21:44:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/protection-mode-for-linux-modules/m-p/1257824#M9405</guid>
      <dc:creator>susekar</dc:creator>
      <dc:date>2026-06-30T21:44:21Z</dc:date>
    </item>
  </channel>
</rss>

