06-03-2021 12:09 PM
We will be rolling out to production soon and we need to have full AV protection while Cortex XDR is in monitor mode for up to 2 weeks. The previous Cylance AV agent must be uninstalled prior to the Cortex agent being installed, so running in parallel is not an option. Any thoughts on how other organizations have approached this, or a recommended approach?
Thanks in advance for any suggestions,
Doug
06-25-2021 08:48 AM
@DougHolmes wrote: We will be rolling out to production soon and we need to have full AV protection while Cortex XDR is in monitor mode for up to 2 weeks. The previous Cylance AV agent must be uninstalled prior to the Cortex agent being installed, so running in parallel is not an option. Any thoughts on how other organizations have approached this, or a recommended approach?
Thanks in advance for any suggestions,
Doug
Hi @DougHolmes ,
I understand that you are looking to uninstall your previous AV while the Cortex XDR Agent is in monitor mode. Could you elaborate on the reasoning behind uninstalling the previous AV? Also, could you provide more context around why the Cortex XDR agent cannot run in block mode to provide the required protection for that period? If any recommendation could be made here given the information provided, it would certainly be to install the Cortex XDR agent in block mode as there will be no other endpoint protection software available to stop malicious activities in their tracks. I hope that this helps.
06-25-2021 03:25 PM
Hi Doug,
Hopefully my reply isn't too late. As you know, XDR has a compatibility issue with Cylance, so yes, uninstall Cylance before installing the XDR agent. And hopefully you have done a canary group with no Cylance and XDR in block mode. That way you will at least get somewhere around 60-70% of the executables known to XDR, and the rest you can deal with when an incident triggers. Also, when you remove Cylance, usually Defender takes over if the XDR profile is set to report mode, but once you switch to blocking mode, XDR will be registered as the primary AV in Security Center.
What I've seen from some customers: remove Cylance, install the XDR agent, but put only specific modules in blocking mode while the rest are in report mode. That way the SOC doesn't get overwhelmed with all the new alerts at the same time, and then they slowly switch each module to block mode. What I would suggest is to get a good understanding of the XDR agent as an incident source, as those are the ones that will get blocked, and how to address them, so that even if you deploy the XDR agent with all modules in block mode, you can easily manage and address those incidents right away.
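The reply above hinges on which product Windows Security Center currently treats as the active AV: Defender after Cylance is removed, then Cortex XDR once the profile is switched to block mode. The script below is an added example for checking that on a workstation; it is not code from the thread or from Palo Alto Networks. It assumes Windows 10/11 (the root/SecurityCenter2 namespace is not present on Server SKUs) and uses the community-documented decoding of the productState bit field, which Microsoft does not formally specify.

```powershell
# Added example (not from the original thread): list the AV products registered with
# Windows Security Center and decode productState to show which are active and current.
# Assumption: Windows 10/11 client; root/SecurityCenter2 does not exist on Windows Server.
function Get-RegisteredAv {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

    foreach ($p in $products) {
        # productState is a 24-bit field. Community-documented layout (assumption, not an
        # official contract): middle byte 0x10 = real-time protection on, 0x00 = off/snoozed;
        # low byte 0x10 = definitions out of date, 0x00 = up to date.
        $state    = [int]$p.productState
        $enabled  = (($state -band 0x1000) -ne 0)
        $outdated = (($state -band 0x0010) -ne 0)

        [pscustomobject]@{
            Product   = $p.displayName
            Enabled   = $enabled
            UpToDate  = -not $outdated
            RawState  = ('0x{0:X6}' -f $state)
            LastSeen  = $p.timestamp
        }
    }
}

# Run once after Cylance is removed, and again after the XDR profile is moved to block mode.
# Expect Defender to show Enabled=True in the first run and the XDR product in the second;
# if nothing shows Enabled=True, the host has no active AV registered.
$avs = Get-RegisteredAv
$avs | Format-Table -AutoSize

if (-not ($avs | Where-Object { $_.Enabled })) {
    Write-Warning 'No AV product is reporting real-time protection enabled on this host.'
}
```

Because the script only reads WMI it is safe to push through your existing management tooling to the canary group, and the Enabled column is the quickest way to spot hosts where Defender did not take over after the Cylance uninstall.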
06-30-2021 08:55 PM
Hello
We're currently doing the exact same thing, but through testing we have found that, while not officially listed as compatible in the XDR docs, XDR and Cylance can run side by side. We have found that in some server situations they don't work well together, but Cylance has an undocumented compatibility mode (you can get it from Cylance support) that you can set in the Windows registry and that allows them to work side by side.
01-07-2022 10:51 AM
Hi Gareth.D,
I have the same situation. Do you have the document about Cylance undocumented compatibility mode?