Cortex Scanning

L0 Member

Hi, I'm looking at doing a review on our Cortex policies and we currently have weekly scanning enabled. I know scanning for Cortex is not a traditional antivirus scan, but more for creating a benchmark for your endpoints.

After it does a scan, alerts get created from things that got raised by the scan. Some of our team members are concerned that if new IOCs or scanning criteria get created, existing applications that match these criteria won't get scanned and picked up.

Do the baselines get cross-checked against these new criteria, or will they remain undetected until they are detected through actions?

3 Replies

L6 Presenter

Cortex XDR can detect bad malware files and then auto-quarantine them if you have enabled this, as Cortex XDR is an EDR, antivirus system and much more. Just start full scans to check everything and enable auto quarantine as shown below:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Manage-...

--------

When the agent detects malware on a Windows endpoint, you can take additional precautions to quarantine the file. When the agent quarantines malware, it moves the file from the location on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it isolates the file. This prevents the file from attempting to run again from the same path or causing any harm to your endpoints.

To evaluate whether an executable file is considered malicious, the agent calculates a verdict using information from the following sources in order of priority:

  • Hash exception policy

  • WildFire threat intelligence

  • Local analysis

Quarantining a file in Cortex XDR can be done in one of two ways:

  • Enable the agent to automatically quarantine malicious executables by configuring quarantine settings in the Malware security profile.

  • Right-click a specific file from the causality card and select Quarantine.

  1. View the quarantined files in your network.

L0 Member

Thank you for the quick response.

With the malware detection, is this only during execution? If the hash of a piece of malware gets added, but this malware already exists on the machine in a dormant state, are we waiting for execution for Cortex to pick it up, or when the malware hash gets added, will Cortex detect it as being installed?

To catch bad new malware that is already installed, better configure automatic periodic scans (like it is done for the normal antivirus software applications), maybe each week of each month (if the users complain, at least each month is a nice option 🙂 ) with the auto quarantine option. Here is a nice discussion about this:

https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/periodic-endpoint-scanning-report/td-p/5...

XDR also uses the WildFire cloud sandbox content service to catch malware, so this is where the benefits come into play against normal antivirus when you run scans. You may need to license this so as to block even zero-day malware:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Archite...

Also, to limit what undetected malware can do, configure exploit and restriction profiles to protect processes from the undetected malware and restrict the files. This way you can catch and stop zero-day attacks (another EDR benefit compared to normal antivirus software):

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-E...

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-R...
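As an added illustration (not Cortex XDR's own code), the following Python models the verdict priority quoted from the docs earlier in the thread (hash exception policy, then WildFire, then local analysis) and shows why a file already sitting on disk is only re-evaluated when a scheduled scan runs after its hash becomes known. File contents, hashes, the local-analysis heuristic and the policy entries are all constructed for the demo.

```python
# Illustrative model of the agent's verdict priority and of a periodic scan.
# Not Cortex XDR code; all files, hashes and policy entries are constructed.
import hashlib
from dataclasses import dataclass, field


@dataclass
class Policy:
    # sha256 -> "allow" | "block"   (hash exception policy, highest priority)
    hash_exceptions: dict = field(default_factory=dict)
    # sha256 -> "malware" | "benign" (WildFire threat intelligence)
    wildfire_verdicts: dict = field(default_factory=dict)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def local_analysis(data: bytes) -> str:
    # Stand-in for the agent's local analysis: a constructed heuristic.
    return "malware" if b"EVIL" in data else "benign"


def verdict(data: bytes, policy: Policy) -> tuple:
    """Return (verdict, source) following the documented priority order."""
    h = sha256(data)
    if h in policy.hash_exceptions:
        v = "benign" if policy.hash_exceptions[h] == "allow" else "malware"
        return (v, "hash exception policy")
    if h in policy.wildfire_verdicts:
        return (policy.wildfire_verdicts[h], "WildFire")
    return (local_analysis(data), "local analysis")


def periodic_scan(files: dict, policy: Policy) -> dict:
    """A scheduled scan re-evaluates every on-disk file, dormant or not."""
    return {name: verdict(data, policy) for name, data in files.items()}


def demo() -> tuple:
    files = {"dropper.exe": b"dormant payload v1",   # constructed sample
             "tool.exe": b"EVIL but approved"}       # constructed sample
    policy = Policy()
    first = periodic_scan(files, policy)             # hash not yet known
    # Threat intel later learns the dropper's hash; admin allow-lists tool.exe.
    policy.wildfire_verdicts[sha256(files["dropper.exe"])] = "malware"
    policy.hash_exceptions[sha256(files["tool.exe"])] = "allow"
    second = periodic_scan(files, policy)            # next scheduled scan
    return first, second
```

Between the two scans nothing on disk changed; only the policy did, which is why a weekly or monthly scan (rather than waiting for execution) is what surfaces the dormant file.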

 
