Hi,
you can change your scan schedules when you create your malware profiles.
Please check this:
So if you have already created your malware profile, go to the config of that profile and almost at the end of the profile you will see the Endpoint Scanning config area. There you can play with the Periodic Scan fields to change it. Please check the attached pic.
Regarding the best time to scan your endpoints, it depends on your organization schedules, the best is when the users have less work load on their endpoints. This is something you should check by yourself depending on your specific scenarios. F.e. on a previous assignment we got all desktops awaken at 8pm (by windows AD policy) and we scanned them at that time. But again you should realize when is better for your users, or maybe even create different malware profiles for different departments or office locations and scan them at a different time.
Trouble shooting failed scans: try to figure out if they failed maybe because they had their endpoints switched off, or do they interrupted the scan maybe switching off the endpoint ? if you identify such a case could be good to ask the end user the reason, was it all of a sudden too slow and they rebooted ? these are just some ideas, anyways be creative and try to realize about the reasons why they might failed, maybe they were human reasons.
And of course play with the schedules for different departments or locations to suit the scans to your best potential success times.
NOTE: Please to not take our Cortex xdr scans as a traditional antivirus scan this is not the same concept. For us a scan is more to create a model/baseline of what is normal in your endpoint and have a control on it. When you download a new file, it will be check by us when being written on disk, at this time this file will be scanned. So basically, if you run one scan, everything that has been already scanned and is trustable do not need to be re-scanned again and again.
Have a good XDR scan time !!
Luis
Hey Eluis,
I'd have to disagree with the scan once and you're good comment. We've had Cortex XDR for a year and scan weekly, and it is always a challenge. Found 11,059 out of 76,738 results. This was our last 30 day results. I also haven't noticed XDR scanning at time of write to disk. I can download anything I want and XDR won't pop off until it is executed. When I dedupe this list with the month before it's reduced from 11k to 56 😞 More than happy to discuss with you on how you managed to achieve your results. Most of these are marked Benign so I'm not sure why it wants to alert on them again.
Hi Luis,
Thanks again for the reply. I am a new team member and I am investigating why we have such a large percentage of endpoints that do not have successful scans. We consistently have about 25% of endpoints aborting the scan. Even when I take a smaller group and start a scan from the endpoint administration, the majority of endpoints that failed on their last scan end up failing again.
Any insight on how I should approach this problem will be helpful.
Thank you,
Phil
