<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cortex XDR agent protection after 90 days of inactive in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-protection-after-90-days-of-inactive/m-p/1258053#M9419</link>
    <description>&lt;P&gt;Small correction on the numbers&amp;nbsp; ----&amp;gt; 90 days is the &lt;EM&gt;retention&lt;/EM&gt; window after an endpoint is manually deleted from the console, not the inactivity trigger. Pure inactivity works differently: standard agents auto-delete after &lt;STRONG&gt;180 days&lt;/STRONG&gt; of no check-in, VDI/TS agents after just 6 hours. So on day 91 your agent isn't gone, it's just quiet.&lt;/P&gt;
&lt;P&gt;While it's disconnected, prevention doesn't stop — exploit protection, restriction rules, child-process protection etc. all enforce locally on the endpoint regardless of connectivity. For malware verdicts specifically, the agent falls back to its local hash cache + Local Analysis (its own on-box ML/pattern engine) instead of querying WildFire. So it's not "defenseless," it's just working off last-known intel until it reconnects.&lt;/P&gt;</description>
    <pubDate>Sat, 04 Jul 2026 19:26:11 GMT</pubDate>
    <dc:creator>H.Eldessouki</dc:creator>
    <dc:date>2026-07-04T19:26:11Z</dc:date>
    <item>
      <title>Cortex XDR agent protection after 90 days of inactive</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-protection-after-90-days-of-inactive/m-p/1258051#M9417</link>
      <description>&lt;P&gt;Hello Everyone.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I need your opinion to this topic. What will happen to the agent protection for the endpoint after 3 months of inactive.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Correct me if im wrong. Cortex XDR agent will delete permanently from management console and database after default deletion which is 90 days.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;if i enable all the module in day 1 for an endpoint, then after 90 days which is day 91, my agent in an endpoint can't connect to Cortex XDR platform anymore which leave it as "Zombie agent".&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;in this case, what happen to the all module, does the agent still have capabilities of enabled module before 90 days implemented within agent's local database or does the enabled module work via internet connection ? if so, what prevention the agent currently have within that state ?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope everyone can help me with this question, Thanks !&lt;/P&gt;</description>
      <pubDate>Sat, 04 Jul 2026 13:49:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-protection-after-90-days-of-inactive/m-p/1258051#M9417</guid>
      <dc:creator>B.Sasmito</dc:creator>
      <dc:date>2026-07-04T13:49:49Z</dc:date>
    </item>
    <item>
      <title>Re: Cortex XDR agent protection after 90 days of inactive</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-protection-after-90-days-of-inactive/m-p/1258053#M9419</link>
      <description>&lt;P&gt;Small correction on the numbers&amp;nbsp; ----&amp;gt; 90 days is the &lt;EM&gt;retention&lt;/EM&gt; window after an endpoint is manually deleted from the console, not the inactivity trigger. Pure inactivity works differently: standard agents auto-delete after &lt;STRONG&gt;180 days&lt;/STRONG&gt; of no check-in, VDI/TS agents after just 6 hours. So on day 91 your agent isn't gone, it's just quiet.&lt;/P&gt;
&lt;P&gt;While it's disconnected, prevention doesn't stop — exploit protection, restriction rules, child-process protection etc. all enforce locally on the endpoint regardless of connectivity. For malware verdicts specifically, the agent falls back to its local hash cache + Local Analysis (its own on-box ML/pattern engine) instead of querying WildFire. So it's not "defenseless," it's just working off last-known intel until it reconnects.&lt;/P&gt;</description>
      <pubDate>Sat, 04 Jul 2026 19:26:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-protection-after-90-days-of-inactive/m-p/1258053#M9419</guid>
      <dc:creator>H.Eldessouki</dc:creator>
      <dc:date>2026-07-04T19:26:11Z</dc:date>
    </item>
  </channel>
</rss>

