Cortex XDR


L1 Bithead

Hi people,

1) I have installed Cortex XDR on an end user PC, and when I tried to scan an email attachment on the end user PC I was not able to see any option to scan email attachments. I am a system admin and I want the end user to scan email attachments with Cortex. At present I have to download the attachment and scan it with Cortex. I don't want to download the email attachment; I want to scan the whole attachment without downloading it. Any suggestions on how I can make the "scan with Cortex" option appear when I right-click on an email attachment, please?


2) How can I block and allow USB drive from Cortex management portal?


L1 Bithead

Hello prasad.


If your aim is to block USB drives, you can configure that by creating an agent setting policy in the policy management pane.


Go to Endpoint --> Policy management --> choose your OS --> Agent settings --> Agent security.


Hope this helps.



Hi @lprasad ,


I would disagree with @NagaVenkatesh's answer. The Agent settings profile generally defines XDR agent behavior (GUI interface, agent auto update, disk quota etc.). Agent Security specifically defines agent tampering protection: it protects files, folders and processes used by the XDR agent from unauthorized modification or even opening/reading.


With Agent settings profile -> User interface you can define whether the end user will have the "scan with cortex xdr" option when right-clicking on a file (basically allowing on-demand file scans by the end user).


I don't believe Cortex XDR is capable of scanning a file attachment without saving the file first or opening it. I would say your requirement is a little hard to achieve. Someone may correct me, but my understanding is as follows:

- A file is attached to an email by encoding the file and adding it to the email body, which is simple text.

- When Outlook syncs with Exchange and receives the email (with the attachment), this email is stored in the .ost file (Offline Outlook data file).

- Until this point the email attachment is not a file, from the endpoint's point of view.

- If the user tries to open the attachment, Outlook will first decode the attachment, save it in a temporary location and run it from there.


I don't have a lot of experience with endpoint protection, but it is hard for me to imagine that there is an EDR/XDR which will allow you to scan an attachment without saving it separately first.

Email security protection is more suitable for such a task. Such a product will inspect the email before it is received by Exchange.

You may have some success with a firewall between the endpoint and Exchange, if you decrypt the traffic and the email contains a known virus/malware.


If you want to use Cortex XDR, your only option (in my humble opinion) is:

- User receives the email

- User saves the attachment as a file

- User right-clicks on the file and selects "scan with cortex xdr" (I am not sure what the exact wording was)

For this to work, your Malware profile -> Endpoint Scan -> "End-user initiated local scan" must be enabled (which it is by default).



Regarding your second question about blocking USB drives: this is achievable by using Extensions profiles - Device Control • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Networks documentation ...

With extension profiles, you can block any USB and add some exceptions, or allow any USB and add exceptions.


Note that this way you will block any use of USB drives being plugged into the endpoint.

Another way would be to use a Restriction profile - Add a New Restrictions Security Profile • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Ne...

Using Restriction profiles, you can allow a USB drive to be plugged in, but block/prevent any execution from the attached plugin.
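
The attachment handling described in the reply above (encoded text in the message, a real file only after decoding and saving), as an added example that is not part of the original posts and is not Palo Alto Networks code. It uses Python's standard `email` module on a constructed message; the addresses, file name and payload are made up, and Outlook's .ost format is not parsed here, only the MIME encoding of the message itself.

```python
import hashlib
import os
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample data: harmless bytes standing in for an attachment.
SAMPLE_PAYLOAD = b"constructed sample attachment, not a real document\n" * 4


def build_sample_email() -> bytes:
    """Return a raw message carrying one attachment (all values constructed)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed test message"
    msg.set_content("See attached.")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


def payload_visible_in_raw(raw: bytes) -> bool:
    """True if the attachment bytes appear verbatim in the raw message."""
    return SAMPLE_PAYLOAD in raw


def extract_attachments(raw: bytes, out_dir: str):
    """Decode each attachment into out_dir; return [(path, sha256 hex)]."""
    msg = message_from_bytes(raw, policy=policy.default)
    saved = []
    for index, part in enumerate(msg.iter_attachments()):
        # Keep only the base name so a path inside the filename is ignored.
        name = os.path.basename(part.get_filename() or "") or f"part{index}.bin"
        data = part.get_payload(decode=True)  # undo the base64 encoding
        path = os.path.join(out_dir, name)
        with open(path, "wb") as handle:
            handle.write(data)
        saved.append((path, hashlib.sha256(data).hexdigest()))
    return saved


if __name__ == "__main__":
    raw = build_sample_email()
    print("payload visible in raw message:", payload_visible_in_raw(raw))
    with tempfile.TemporaryDirectory() as tmp:
        for path, digest in extract_attachments(raw, tmp):
            print(path, digest)
```

Only after `extract_attachments` writes the decoded bytes is there a file on disk that an on-demand scan can be pointed at, which matches the save-then-scan steps listed in the reply.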
