Cortex XDR Delete Malware

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR Delete Malware

L0 Member



i see alert malware in incident report . how i can delete malware from Cortex XDR admin portal. 

Agent version 7.0.2


L1 Bithead

i have a similar question,

how does cortex deals with malware? does tech support have to take another antivirus to scan and clean the infected endpoint computer?

L2 Linker

hello @PKhemarith perhaps I am not understanding your question or task requirement, but is this what is being asked?


"Retrive Files from an Endpoint"


I found the above in the Cortex XDR Pro Administrators Guide

Hi there-  


Assuming you have quarantine malware enabled in your malware profile, no action is needed on your part.  If enabled, the agent will quarantine the file which means that it will encrypt the file and move it to a location that is inaccessible (left there in case it needs to be restored.)  The agent will delete the malware itself based on the quota settings specified in the agent profile.


Hope this helps.

David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

L2 Linker

Similar to above question is there a equivalent Palo Cortex tool as below from Microsoft ?


Also if we do not have Quarantine = Yes then does the file stay infected or is it cleaned and left there ?

Also unable to understand the link between the question and ' quota settings specified in the agent profile' ? How is it related ?

Overall I see Cortex talks of always protection ( blocking ) and Quarantine , so what about cleaning a infected file ?

L1 Bithead

my solution is to get another antivirus to remove the source file (virus).

L5 Sessionator

Hi @Balaraju, quarantined files will need to be unquarantined manually.

The process of "cleaning a file" is very subjective. The file could be malicious by nature, or can be affected by a malicious process, among others. An example of that would be a ransomware attack. While the ransomware file is malicious and needs to be removed from the host, files affected by the ransomware are encrypted on disk and needs a decryption key for "restoring". The process of "cleaning" ensures a complete disk-wipe, and additional investigative and forensic activities to understand the limit of attack, exposure and compromise while figuring out the remediation plan including restoring from backups and enforcing stricter security controls to prevent such activities. This requires human intervention and analysis.

Hi @SimonTan how about leveraging the existing capabilities of XDR to search and delete a file? Take a look at

If you don't have Host Insights, you can write your own custom Python script for search files by names or hashes and delete them. See it here:

  • 7 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!