Triggering XDR Defender, how?

goenuel.trautmann.sp — Sat, 07 Feb 2026 18:36:29 GMT

Hi Everyone!

Does anyone have any idea how I can trigger XDR detection capabilities for 100% sure without Windows Defender coming first?

Thanks.

Günnie

Re: Triggering XDR Defender, how?

susekar — Tue, 10 Feb 2026 14:00:37 GMT

Hello @goenuel.trautmann.sp ,

Greetings for the day.

To trigger Cortex XDR detection capabilities without Windows Defender interfering—which can cause a "race condition" where Defender quarantines the file first—you must ensure that Windows Defender is running in Passive Mode.

1. Verify Current Microsoft Defender Mode

Before testing, confirm the current running mode of Windows Defender by executing the following command in an elevated PowerShell session:

Get-MpComputerStatus | select AMRunningMode

Active Mode: Defender attempts to block or quarantine threats before Cortex XDR can respond.
Passive Mode: Defender provides telemetry but does not provide real-time protection, allowing Cortex XDR to handle detection and prevention.

2. Configure Passive Mode

The method depends on the operating system:

Windows Workstations (10/11):
Cortex XDR typically registers as the primary antivirus in the Windows Security Center (WSC). This integration causes WSC to automatically switch Microsoft Defender to passive or disabled mode. Ensure the Windows Security Center Integration setting is enabled in the Cortex XDR Agent Settings Profile.

Windows Servers:
Windows Server OS does not automatically set Defender to passive mode when a third-party AV is registered. You must manually force Passive Mode by modifying the registry and restarting the server:

Registry Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\AM\
Value Name: ForceDefenderPassiveMode
Type: REG_DWORD
Data: 1

3. Recommended Detection Tests

Once Passive Mode is confirmed, you can trigger XDR alerts using the following methods:

WildFire Test File: Download and attempt to execute a WildFire test PE file. This triggers malware detection alerts without using a real virus.
(https://docs.paloaltonetworks.com/advanced-wildfire/administration/configure-advanced-wildfire-analysis/verify-wildfire-submissions/test-a-sample-malware-file)
Malware Test PE File: Generic malware test PE files generate alerts in XDR. EICAR tests may fail if Defender is not fully suppressed.
Anti-Ransomware Test: Simulate ransomware behavior by copying powershell.exe with a different name and attempting to modify files in protected "honeypot" directories.

4. Troubleshooting Missing Alerts

If a test does not generate an alert, check the following:

Ensure XDR Pro Capabilities are enabled in the agent settings to collect file, process, and network telemetry.
Verify the Malware Profile has On-write File Examination and Quarantine malicious executables enabled.
Check for Informational (Severity 0) alerts, as these may be hidden from the main Alert Table by default.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: Triggering XDR Defender, how?

goenuel.trautmann.sp — Wed, 11 Feb 2026 13:53:56 GMT

Thank you for your helpful answer. I have no defender admin rights and can't configure the passive mode, but point 3 are really good ideas.

topic Re: Triggering XDR Defender, how? in Cortex XSIAM Discussions

Triggering XDR Defender, how?

Re: Triggering XDR Defender, how?

1. Verify Current Microsoft Defender Mode

2. Configure Passive Mode

3. Recommended Detection Tests

4. Troubleshooting Missing Alerts

Re: Triggering XDR Defender, how?