Cortex XDR Scheduled scans


L1 Bithead

1) My organization has weekly scans scheduled for Tuesday mornings at 10:00am: How do I view or change the schedule for these scans? And is there a best practice for an ideal time to schedule scans for the endpoints? We currently only get about 50% of scans to be successful on a weekly basis.

2) When I initiate a scan on an endpoint and it fails, how do I troubleshoot what is causing it to fail (scan status = error)?



16 REPLIES

L4 Transporter

Hi, 

You can change your scan schedules when you create your malware profiles.

Please check this: 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/endpoint-...


So if you have already created your malware profile, go to the config of that profile and almost at the end of the profile you will see the Endpoint Scanning config area. There you can play with the Periodic Scan fields to change it. Please check the attached pic.

Regarding the best time to scan your endpoints, it depends on your organization's schedules; the best time is when the users have less workload on their endpoints. This is something you should check yourself depending on your specific scenarios. For example, on a previous assignment we had all desktops woken at 8pm (by a Windows AD policy) and we scanned them at that time. But again, you should work out when it is better for your users, or maybe even create different malware profiles for different departments or office locations and scan them at different times.

Troubleshooting failed scans: try to figure out whether they failed because the endpoints were switched off, or whether the users interrupted the scan, maybe by switching off the endpoint. If you identify such a case, it could be good to ask the end user the reason: was it all of a sudden too slow and they rebooted? These are just some ideas; anyway, be creative and try to work out the reasons why they might have failed, maybe they were human reasons.

And of course play with the schedules for different departments or locations to suit the scans to your best potential success times.


NOTE: Please do not take our Cortex XDR scans as a traditional antivirus scan; this is not the same concept. For us a scan is more to create a model/baseline of what is normal in your endpoint and have control over it. When you download a new file, it will be checked by us when being written to disk; at this time this file will be scanned. So basically, if you run one scan, everything that has already been scanned and is trustable does not need to be re-scanned again and again.
Have a good XDR scan time !!

Luis 

[Attachment: EndpointScanSchedule.PNG]

Luis, thank you for the reply, very helpful!

When a scheduled scan is aborted, will it stay in that status until the next scheduled scan? In other words, if it is aborted this week, will it reinitiate a scan on that endpoint next week, or do we need to do it manually on the backend for endpoints that get aborted?

Also, for endpoints that are disconnected at the time of the scheduled scan, will it initiate the scan as soon they are connected again?

Hey Eluis,


I'd have to disagree with the scan once and you're good comment. We've had Cortex XDR for a year and scan weekly, and it is always a challenge. Found 11,059 out of 76,738 results. This was our last 30 day results. I also haven't noticed XDR scanning at time of write to disk. I can download anything I want and XDR won't pop off until it is executed. When I dedupe this list with the month before it's reduced from 11k to 56 😞 More than happy to discuss with you on how you managed to achieve your results. Most of these are marked Benign so I'm not sure why it wants to alert on them again. 

[Attachment: eumbach_0-1636769827487.png]

Hi Pdysart,

If the scan is started at the Cortex management console, the user won't be able to stop the scan. He might only do it if he switches off his computer. Once the computer is switched on again, the scan should resume and complete. If the user starts the scan locally at his endpoint agent, then he might be able to interrupt it manually; in this case the scan has to be started from scratch.

If the user reboots or the system crashes during an on-demand scan, the scan will continue once the endpoint is booted again.

Notes:

  • You can see the scan progress at the action center. 
  • You can include external devices connected to the endpoint for the scans at the scans config (after you select your scanning schedules, you will see down there the option) 


Hope this helps,

Luis  

Hi Luis,
Thanks again for the reply. I am a new team member and I am investigating why we have such a large percentage of endpoints that do not have successful scans. We consistently have about 25% of endpoints aborting the scan. Even when I take a smaller group and start a scan from the endpoint administration, the majority of endpoints that failed on their last scan end up failing again. 

[Attachment: pdysart_0-1637189586011.png]


Any insight on how I should approach this problem will be helpful.
Thank you,
Phil

In your case, if the reason is not that the user is rebooting, an OS crash or a power-off, I would recommend opening a support ticket.

KR, 

Luis

I did not get your point in your sentence "Found 11,059 out of 76,738 results". Please explain what you mean. What did you find out of 76k? Malware? Endpoints?
Please check my last answer a few minutes ago to Pdysart in case it helps you.
About the alerts with benign verdicts: if somehow the endpoint is not connected to the Cortex management console/WF, or the verdicts from WF take too long, local analysis kicks in and this might be the reason for those alerts; later the verdict might be resolved once the alert is already created (or maybe buffered to be sent when comms are recovered).
Please investigate whether you have an issue with WF verdicts in terms of time to get them. If you have a real issue there, open a TAC support ticket. If your endpoints are isolated when the alerts are generated by local analysis, then you should solve this matter.
Note: if the file is unknown to WF, then the agent uses local analysis to figure out if the file is benign or malware.
Ways to get rid of alerts for benign processes:
  - Add the hash to the allow list
  - Add the signer to trusted signers

About the on-write scan you will have to wait until you update the agent to 7.6 


Hope I helped on your issues


L3 Networker

About the on-write scan you will have to wait until you update the agent to 7.6 

We are on 3.1 and 7.6. Did this feature get pushed on this release? 

L3 Networker

Dear Eumbach,


The on-write scan feature is not in prod yet. Yes, it's part of 7.6, but it is still only enabled for EA customers.


L0 Member

Hi All,

I have already created and configured a malware profile for a scheduled scan (weekly), but I can't find a history of whether the scan is running or not. For that case, is it possible to check the history of the scheduled scan? And if possible, what should I do? Thanks

Hi @teddy.andriawan ,

Please refer to this great post which covers the way to track scan status in Cortex XDR.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

Thanks Mavraham very helpful,


I have one question again, When a scheduled scan is aborted, will it stay in that status until the next scheduled scan? In other words, if it is aborted this week, will it reinitiate a scan on that endpoint next week, or do we need to do it manually from the console?

And what problem caused the error scan?

Hi, how do you dedup this filter, or did you move the results to another application? And did you check the verdict individually or can you do that in bulk?

I wrote a Python script which uses the API to pull these incidents and upload the hash to WildFire, since the Cortex XDR agent DB is only updated once a month from the WildFire database. This gives me up-to-date information, and it loops over the artifacts for the incident. If they are benign, it will close the case. Send quarantine to those that are not. Escalate it to Tier 1 if anything fails, by case assignment.
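The triage loop described in the reply above (dedupe the scan results by file hash, fetch a fresh verdict, close benign incidents, quarantine malware, escalate failures), as an added example that is not the poster's script and not a Palo Alto Networks API client. The Cortex XDR and WildFire API calls are replaced by a caller-supplied `lookup_verdict(sha256)` hook, a hypothetical interface assumed for this example, and the incidents and hashes are constructed sample data. It also records where the agent's cached verdict disagrees with the fresh one, which is the stale-local-database case the reply mentions.

```python
"""Triage scan-result artifacts by hash and verdict.

Added example, not the poster's script and not a Palo Alto Networks API
client. The real Cortex XDR / WildFire calls are replaced by a
caller-supplied `lookup_verdict(sha256)` callable (an assumption of this
example), and the data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    incident_id: str
    endpoint: str
    sha256: str
    cached_verdict: str  # verdict reported from the agent's local database


def dedupe_by_hash(artifacts):
    """Group artifacts by normalised SHA-256 so each unique file is looked up once.

    The same file is reported from many endpoints and many weeks; grouping on
    the hash is what collapses thousands of results to a few dozen unique files.
    """
    groups = defaultdict(list)
    for art in artifacts:
        groups[art.sha256.strip().lower()].append(art)
    return dict(groups)


def triage(artifacts, lookup_verdict):
    """Decide an action per incident from a fresh verdict.

    Returns a dict with:
      close      -> set of incident ids whose files are all benign
      quarantine -> list of (incident_id, endpoint, sha256) for malware
      escalate   -> list of (incident_id, reason) for lookup failures or
                    verdicts this script does not handle automatically
      stale      -> list of (incident_id, cached_verdict, fresh_verdict)
                    where the agent's cached verdict disagreed with the fresh one
    """
    actions = {"close": set(), "quarantine": [], "escalate": [], "stale": []}
    for sha, items in dedupe_by_hash(artifacts).items():
        try:
            verdict = lookup_verdict(sha)
        except Exception as exc:  # any lookup failure goes to a human
            for art in items:
                actions["escalate"].append((art.incident_id, f"lookup failed: {exc}"))
            continue
        for art in items:
            if art.cached_verdict != verdict:
                actions["stale"].append((art.incident_id, art.cached_verdict, verdict))
            if verdict == "benign":
                actions["close"].add(art.incident_id)
            elif verdict == "malware":
                actions["quarantine"].append((art.incident_id, art.endpoint, sha))
            else:
                actions["escalate"].append((art.incident_id, f"unhandled verdict: {verdict}"))
    # An incident that also carries a non-benign artifact must not be auto-closed.
    keep_open = {inc for inc, *_ in actions["quarantine"]} | {inc for inc, _ in actions["escalate"]}
    actions["close"] -= keep_open
    return actions


def summarize(artifacts):
    """Return (total_results, unique_hashes), the before/after dedupe counts."""
    return len(artifacts), len(dedupe_by_hash(artifacts))


# ---- constructed sample data (not real incidents or hashes) ----
SAMPLE_ARTIFACTS = [
    Artifact("INC-100", "host-a", "a" * 64, "benign"),
    Artifact("INC-101", "host-b", "A" * 64, "benign"),   # same file, hash in upper case
    Artifact("INC-102", "host-c", "b" * 64, "benign"),   # agent cache is stale
    Artifact("INC-103", "host-d", "c" * 64, "unknown"),  # not in the verdict table
]

SAMPLE_VERDICTS = {"a" * 64: "benign", "b" * 64: "malware"}


def sample_lookup(sha256):
    """Stand-in for a WildFire verdict lookup; raises when the hash is unknown."""
    if sha256 not in SAMPLE_VERDICTS:
        raise LookupError(f"no verdict for {sha256[:8]}...")
    return SAMPLE_VERDICTS[sha256]


if __name__ == "__main__":
    total, unique = summarize(SAMPLE_ARTIFACTS)
    print(f"{total} results, {unique} unique files")
    for action, entries in triage(SAMPLE_ARTIFACTS, sample_lookup).items():
        print(action, sorted(entries))
```

Dedupe before lookup keeps the verdict request count equal to the number of unique files rather than the number of alerts, and an incident is only auto-closed when every one of its artifacts came back benign; anything the lookup could not answer is handed to a person rather than silently dropped.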
