Cortex XDR to take the cleanest snapshot of windows for rollback.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cortex XDR to take the cleanest snapshot of windows for rollback.

L0 Member

Hi LIVEcommunity,

 

Is there a way for Cortex XDR to take the cleanest snapshot of windows so there is a point where we can rollback the endpoint after an attack?

Windows has a feature called Volume Shadow Copy Service (VSS) but can Cortex XDR use this after a ransomware attack? What if the VSS is corrupted, how can Cortex XDR protect the VSS and rollback to the cleanest state of the endpoint?

 

We are trying to compete with other product that has a feature like this, but I cannot find documentation stating how can Cortex XDR accomplish this task.

 

I hope experts in this community can guide us. Thank you.

 

- Jim

Cortex XDR 

1 accepted solution

Accepted Solutions

L3 Networker

Dear @Jim_Gabales , 

 

Thank you for reaching out to the Live Community. We do have a feature in Cortex XDR which assist in backup management where we can enable or disable the automatic backup on Windows using VSS. 

 

You can find these settings in policy management> Agent settings> backup management. However, as far as I know we cannot take a backup of the endpoints on the Cortex XDR so that we can restore using it. We can only manage the enabling or disabling of the backup from the Cortex XDR. Thank you. 

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

View solution in original post

3 REPLIES 3

L3 Networker

Dear @Jim_Gabales , 

 

Thank you for reaching out to the Live Community. We do have a feature in Cortex XDR which assist in backup management where we can enable or disable the automatic backup on Windows using VSS. 

 

You can find these settings in policy management> Agent settings> backup management. However, as far as I know we cannot take a backup of the endpoints on the Cortex XDR so that we can restore using it. We can only manage the enabling or disabling of the backup from the Cortex XDR. Thank you. 

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Hello @abdrahman , I was looking at this new feature "Backup Management" and you explained that it works with the VSS.
However, I listed the VSS writers and I do not see a Writer "Cortex XDR".

Does it mean that the shadow copy driven by the agent has not been write ?

I checked the Agent Settings profile and I can see that the option is Enabled.

 

How can I check on the endpoint that the backup has been made by the agent ?

 

Regards,

 

Benjamin

I see, but can we automate the part of restoring it using the enabled shadowcopy? we have a remediation suggestion feature "restoring files", right? Will it trigger the shadow copy to be restored? 

  • 1 accepted solution
  • 752 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!