Ask your questions from October 14 through October 26: the Education Services Team experts will be available in a Q&A session, an opportunity to learn, join in, ask questions, and meet our experts. This Ask Me Anything (AMA) event is focused on Education Services training and credentialing opportunities for Cortex.
Ask questions from Thursday, October 14 to Tuesday, October 26, 2021.
Come back on October 27 from 8 a.m. to 10 a.m. PT to join the event as our experts answer your questions!
@OmarDweik wrote: The other EDR vendor has behavior and legacy with a sandbox verdict, so it is more protection.
Sandboxing is different from Cortex XDR's in-line capabilities. Sandboxing, while important, can be identified by advanced malware that sends WMI queries, performs other environment checks, or checks which processes are running to see whether it is operating within a sandbox.
On the other hand, Cortex XDR intercepts processes and prevents exploits by implementing roadblocks at each stage of the process, thus preventing behavioral threats by observing patterns throughout the entire process cycle. Malware can't evade this check the way it can evade sandboxing (by remaining dormant), making Cortex XDR's protection more complete than traditional antivirus and sandboxing techniques. Case in point: the SolarStorm compromise performed a sandboxing check and went dormant for two weeks following the initial access and execution phase. This successfully bypassed sandboxing attempts in traditional EDR platforms.
Sandboxing also adds unnecessary performance impact and user operation disruption when compared to the in-line protection provided by Cortex XDR. Competitors that have bet on sandboxing technology have had that problem since the beginning when compared to Cortex XDR.
Finally, XDR leverages sandbox technology by way of WildFire. While not native in the XDR agents, this once more improves performance impact while providing better protection. This use of WildFire sandboxing allows XDR to prevent the activity locally while detonating the sample in a sandbox in the cloud to identify what the malware would have done on the endpoint, effectively giving Cortex XDR the best of both worlds.
- Can I delay Cortex 3.0 services during startup?
- Is there an Early Launch Anti-Malware feature?
- Can I control bandwidth with the VM Broker?
Q: Can I delay Cortex 3.0 services during startup?
A: Yes. There are multiple ways to do this, depending on the platform and the need. VDI machines have a dedicated setting for delayed startup; this is part of the new VDI flow introduced in 7.2 (Windows only). It works automatically to ensure the best performance but can also be tuned with the help of Support teams should there be issues. Service startup can also be controlled for regular XDR agents for Windows (cloud or not) by leveraging the OS-native service control capabilities, but keep in mind that the drivers start earlier and are in limbo until cyserver is started, so unexpected behaviour might occur, especially if there are security events at boot while the service is not running yet. It is not advisable to play with this. Other OSes like macOS and Linux have similar native capabilities.
Q: Is there an Early Launch Anti-Malware feature?
A: Yes, there is: we use a driver called 'telam' to register cyserver as a Windows Protected Process on modern versions of Windows.
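The two answers above (service start-up control and the 'telam' early-launch driver) can be verified read-only on a Windows endpoint. The following PowerShell is an added example for this thread, not Palo Alto Networks code; it assumes the agent service is named 'cyserver' and the ELAM driver service is named 'telam', as the answers state, and it only queries, since the answer advises against changing the start type.

```powershell
# Added example, not part of the AMA: inspect (do not change) the Cortex XDR
# agent service start-up configuration and the 'telam' ELAM driver on Windows.
# Assumed names: service 'cyserver', driver 'telam' (from the answers above).
# Run from an elevated prompt.

$agentService = 'cyserver'   # assumed agent service name
$elamDriver   = 'telam'      # assumed ELAM driver service name

# 1. Start type of the agent service. A delayed automatic start is shown by
#    sc.exe as "AUTO_START  (DELAYED)" and stored as DelayedAutostart = 1.
sc.exe qc $agentService
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$agentService" `
    -Name Start, DelayedAutostart -ErrorAction SilentlyContinue |
    Select-Object Start, DelayedAutostart

# 2. Launch protection of the service process (Windows 8.1 and later). A
#    service registered through an ELAM driver reports an anti-malware
#    protected (PPL) level here instead of NONE.
sc.exe qprotection $agentService

# 3. The ELAM driver itself. Early-launch drivers are boot-start (Start = 0)
#    and belong to the 'Early-Launch' load-order group, which is why the
#    answer notes the driver is up before cyserver is running.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$elamDriver'" |
    Select-Object Name, State, StartMode, PathName
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$elamDriver" `
    -Name Start, Group -ErrorAction SilentlyContinue |
    Select-Object Start, Group
```

Comparing the Start values from steps 1 and 3 makes the gap the answer warns about visible: the driver is loaded at boot, while the user-mode service starts later under the service controller, so any delay added to the service widens the window in which the driver has nothing to report to.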
Q: Can I control bandwidth with the VM Broker?
A: What bandwidth are you referring to? Bandwidth consumed by installer downloads, CU downloads, agent heartbeats, Broker upgrades, etc.? Depending on which one you mean, XDR may or may not have bandwidth control capabilities. However, all bandwidth control capabilities are handled by XDR, not by the Broker VMs.
Q: My response: Still not clear. Palo Alto said we don't have updates like other vendors (legacy AV), and based on your definition we can consider Content Updates the same as other antivirus definitions.
A: Our content is, by and large, rules and IoCs, not static signatures. While there is some overlap between a static signature and an IoC, the important difference is that we provide regular rules updates based upon the work of Unit 42 to fight the most prevalent threats in a timely manner. BTP rules are about behavior, not static signatures. Hash updates are not signatures per se; although yes, those are static IoCs, they are not the same as traditional AV signatures. They are a means to quickly (<<1 sec) recognize known benign/malicious software before it's executed (a signature check is a different operation and would take longer). Agent policy updates are configuration keys, nothing to do with signatures.
Q: By the way, at what level are Content Updates applicable to the Cortex XDR layers: Prevention, Rule, Analysis & Response, or Data?
A: It’s all of them.
How is Cortex better/different than other XDR products on the market? Why should a company switch from their current product to Cortex?
How do Education Services trainings differ from LIVEcommunity trainings?
We are not clear what resources you refer to exactly. In general, material found on LIVEcommunity comes in the form of blog posts, articles, white papers, and "additional resources" of this kind. Education Services training offerings (e.g., EDU-260, EDU-261, ...), on the other hand, are full-blown courses, each with a different curriculum and set of objectives; they are delivered either in live classes with an instructor or through our online learning platforms. I hope it helps.