Cortex XDR Agent rollout strategy



L0 Member

We will be rolling out to production soon and we need to have full AV protection while Cortex XDR is in monitor mode for up to 2 weeks. The previous Cylance AV agent must be uninstalled prior to the Cortex agent being installed, so running in parallel is not an option. Any thoughts on how other organizations have approached this, or a recommended approach?

Thanks in advance for any suggestions,

Doug

1 ACCEPTED SOLUTION

Hello

We're currently doing the exact same thing, but through testing we have found that, while not officially listed as compatible in the XDR docs, XDR and Cylance can run side by side. We have found that in some server situations they don't work well together, but Cylance has an undocumented compatibility mode (you can get it from Cylance support) that you can set in the Windows registry which allows them to work side by side.

3 REPLIES

L4 Transporter

@DougHolmes wrote:

We will be rolling out to production soon and we need to have full AV protection while Cortex XDR is in monitor mode for up to 2 weeks. The previous Cylance AV agent must be uninstalled prior to the Cortex agent being installed, so running in parallel is not an option. Any thoughts on how other organizations have approached this, or a recommended approach?

Thanks in advance for any suggestions,

Doug


Hi @DougHolmes,

I understand that you are looking to uninstall your previous AV while the Cortex XDR Agent is in monitor mode. Could you elaborate on the reasoning behind uninstalling the previous AV? Also, could you provide more context around why the Cortex XDR agent cannot run in block mode to provide the required protection for that period? If any recommendation could be made here given the information provided, it would certainly be to install the Cortex XDR agent in block mode as there will be no other endpoint protection software available to stop malicious activities in their tracks. I hope that this helps.

--gjenkins

L3 Networker

Hi Doug,

Hopefully my reply isn't too late. As you know, XDR has a compatibility issue with Cylance, so yes, uninstall Cylance before installing the XDR agent. And hopefully you have done some canary group with no Cylance and XDR in block mode. That way at least you will get somewhere around 60-70% of the executables known to XDR, and the rest you can deal with when an incident triggers. Also, when you remove Cylance, usually Defender takes over if the XDR profile is set to report mode, but once you switch to blocking mode then XDR will be registered as the primary AV in Security Center.

What I've seen from some customers: remove Cylance, install the XDR agent, but only specific modules are in blocking mode while the rest are in report mode. That way the SOC doesn't get overwhelmed with all the new alerts at the same time, then slowly switch each module to block mode. What I would suggest is to get a good understanding of the XDR agent as an incident source, as those are the ones that will get blocked, and how to address them, so that even if you deploy the XDR agent with all modules in block mode you can easily manage and address those incidents right away.
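The reply above points out that Security Center registration changes as Cylance is removed and the XDR agent moves from report to block mode. The PowerShell below is an added example for this thread (not posted by any of the participants and not a Palo Alto or Cylance tool) that enumerates the antimalware products Windows Security Center currently lists on an endpoint and flags a protection gap. It uses the real `root/SecurityCenter2` WMI namespace and `AntiVirusProduct` class; the decoding of `productState` into "enabled" and "signatures current" is the commonly used community interpretation of that bit field, not a documented Microsoft contract, and is labelled as an assumption in the code.

```powershell
# Added example (not from the thread): list the antimalware products registered
# with Windows Security Center and decode whether each one is enabled, so a
# rollout team can confirm that after Cylance is removed some product (Defender,
# or the Cortex XDR agent in block mode) is still active on the endpoint.
function Get-RegisteredAntiVirus {
    # root/SecurityCenter2 exists on Windows client SKUs; Windows Server does not
    # expose it, so the query returns nothing there and the caller reports that.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState is a bit field. Reading it as a 6-digit hex value whose
        # middle byte is 0x10 when real-time protection is on and whose low byte
        # is 0x00 when signatures are current is a widely used community
        # convention, not a documented Microsoft contract (assumption).
        $hex = '{0:X6}' -f [uint32]$p.productState
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Product      = $p.displayName
            Enabled      = ($hex.Substring(2, 2) -eq '10')
            SignaturesOk = ($hex.Substring(4, 2) -eq '00')
            Executable   = $p.pathToSignedProductExe
            LastReported = $p.timestamp
            RawState     = "0x$hex"
        }
    }
}

# Usage: run on the endpoint (or wrap in Invoke-Command for a canary group) and
# treat "no enabled product" as a protection gap that must be closed before the
# Cylance uninstall on that host is considered complete.
$av = @(Get-RegisteredAntiVirus)
if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Security Center (or this is a server SKU).'
} elseif (-not ($av | Where-Object { $_.Enabled })) {
    Write-Warning 'Antivirus products are registered, but none reports as enabled.'
}
$av | Format-Table Product, Enabled, SignaturesOk, RawState, LastReported -AutoSize
```

Running this on the canary group before and after each profile change gives a per-host record of which product Security Center considers active, which is the evidence you want when deciding that a module or host is safe to move from report mode to block mode.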

 
