10-18-2023 10:22 AM
We have a security camera server that's been throwing out low memory resource messages, and the company that provides the software claims that the Cortex XDR endpoint client is causing memory leaks. There are no incidents being triggered by this server, and the memory usage of Cortex is always under 1GB of memory. They have provided documentation that appears to be geared more toward traditional antivirus software to add folder and file exceptions from the software. I don't see in the XDR control console a place for me to make these exceptions unless there was an incident or to allow list a vendor or hash. Does this seem like they're grasping for something to be the issue, or can anyone help guide me on how to add these exceptions? Below is the document they provided to help understand what they're asking us to do.
10-18-2023 11:28 AM
Hi @JLawrence-Serra, thanks for reaching out to the Live Community.
You can create exception rules to prevent files or folders from being scanned by the XDR Agent modules.
You need to create a "Disable Prevention Rule"; this is located at Settings → Exception Configuration → Disable Prevention Rules.
This is the official doc: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-Disab...
I recommend creating the rule and applying it only to the Profile that is assigned to these endpoints.
When you define the rule, note that you can use wildcards for the folder definitions. In your case, you will need to create more than one rule to cover all the required folders.
I think this can solve your inquiry.
10-18-2023 11:56 AM
Thank you very much for your help! That helped solve my problem! I appreciate the details you provided in the screenshot.
09-16-2024 07:50 AM
Hello,
We are implementing FSLogix profiles in our environment. Is the solution you provide here enough? If I need to do something else or different, let me know.
This is the exclusion that I need to add per Microsoft documentation:
%TEMP%\*\*.VHD
%TEMP%\*\*.VHDX
%Windir%\TEMP\*\*.VHD
%Windir%\TEMP\*\*.VHDX
\\server-name\share-name\*\*.VHD
\\server-name\share-name\*\*.VHD.lock
\\server-name\share-name\*\*.VHD.meta
\\server-name\share-name\*\*.VHD.metadata
\\server-name\share-name\*\*.VHDX
\\server-name\share-name\*\*.VHDX.lock
\\server-name\share-name\*\*.VHDX.meta
\\server-name\share-name\*\*.VHDX.metadata
Cloud Cache specific exclusions
%ProgramData%\FSLogix\Cache\*
(folder and files)
%ProgramData%\FSLogix\Proxy\*
(folder and files)
Prerequisites for FSLogix - FSLogix | Microsoft Learn
Thank you in advance for your guidance.
09-20-2024 07:07 AM - edited 09-20-2024 07:07 AM
Hi @J.Bravo779077, we don't recommend adding exceptions before installing the agent. Those recommendations are for legacy antivirus solutions; any modern EDR solution like XDR works by monitoring the behaviors of the running applications.
You can create a "report only" profile and apply it to this kind of server, then monitor whether the agent detects something from this application as malicious, and then create the exceptions based on the XDR agent detections.