Cortex XDR agent protection after 90 days of inactive

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR agent protection after 90 days of inactive

L0 Member

Hello Everyone. 

 

I need your opinion to this topic. What will happen to the agent protection for the endpoint after 3 months of inactive. 

Correct me if im wrong. Cortex XDR agent will delete permanently from management console and database after default deletion which is 90 days. 

 

if i enable all the module in day 1 for an endpoint, then after 90 days which is day 91, my agent in an endpoint can't connect to Cortex XDR platform anymore which leave it as "Zombie agent". 

 

in this case, what happen to the all module, does the agent still have capabilities of enabled module before 90 days implemented within agent's local database or does the enabled module work via internet connection ? if so, what prevention the agent currently have within that state ? 

 

Hope everyone can help me with this question, Thanks !

1 REPLY 1

L1 Bithead

Small correction on the numbers  ----> 90 days is the retention window after an endpoint is manually deleted from the console, not the inactivity trigger. Pure inactivity works differently: standard agents auto-delete after 180 days of no check-in, VDI/TS agents after just 6 hours. So on day 91 your agent isn't gone, it's just quiet.

While it's disconnected, prevention doesn't stop — exploit protection, restriction rules, child-process protection etc. all enforce locally on the endpoint regardless of connectivity. For malware verdicts specifically, the agent falls back to its local hash cache + Local Analysis (its own on-box ML/pattern engine) instead of querying WildFire. So it's not "defenseless," it's just working off last-known intel until it reconnects.

  • 31 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!