Currently, XDR doesn't have a feature to run a malware scan on media/USB devices immediately when they are inserted into the endpoint.
You may check with your support account team to see if there are any possibilities of getting it in future versions as part of product developments.
Hi @RahulPrajapati ,
Using Device Control, you can manage devices connecting to the endpoint. Refer to the link below for more details.
After you apply Device Control rules in your environment, use the Endpoints -> Device Control Violations page to monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint. All violation logs are displayed on the page. You can sort the results, and use the filters menu to narrow down the results. For each violation event Cortex XDR
Please mark this solution if it answered your queries on this post.
Just to add some tips to this: there is a way to create queries/alerts even on these kinds of events.
For example check the following link:
I have used similar techniques to this in investigations, but it's rather on your side and more of a "Windows internals" thing.
As we know, Cortex XDR is an execution-based detection and prevention solution; it has the capability to detect malware when it executes, even from removable media on the endpoint. As a result, an on-connection scan is not a hard requirement for malware detection. The recommended practice in these use cases is to use restriction profiles to restrict execution of executables and other files from the removable media; if the user intends to execute some files present on the media, they should be copied to a local folder on the endpoint for execution. Assuming that the user does not execute the file instantaneously and it stays on the system, the periodic scan should be able to determine the verdict for it.
Additionally, the Cortex XDR agent does not perform a USB scan on connection; however, it has the capability to scan removable media as part of the periodic malware scan if required. You can enable this in the malware profiles, under Endpoint Scanning -> Periodic Scan -> Enabled, and then you should have the option Scan Removable Media Drives -> Enabled.
Screenshot below for reference
Hi @EdwardDiaz ,
Mapped network drives are not scanned as part of the malware scan by the endpoints. Instead, if the scan is initiated on the endpoint which hosts the network drive, the network drive, being considered part of a persistent drive for that specific endpoint/server, will be scanned as a drive path.
Hope this helps!
Hi @RahulPrajapati ,
To add to @creddy's response, you can create XQL queries to look into file write events on removable media, which essentially would give the same result. If you have the Identity Analytics module active, uncommon USB connection activities are automatically tracked and generate alerts for you.
Hope this helps