Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Does Cortex XDR run the Malware scan if the USB device is inserted into the endpoint?

L2 Linker

Hi everyone,


Does Cortex XDR run the malware scan on the USB device immediately when it is inserted into the endpoint?




L3 Networker

Hi @RahulPrajapati,

Currently XDR doesn't have a feature to run the malware scan on the media / USB devices immediately when inserted into the endpoint.
You may check with your support account team to see if there are any possibilities of getting it in future versions as part of product developments.
Thank you!

Hi @creddy ,


Thanks for the response!


Is there any way by which we can know from the XDR console; when the user is inserting the USB devices on their endpoints?



L3 Networker

Hi @RahulPrajapati ,
Using device control you can manage devices connecting to endpoint. Refer link below for more details.

After you apply Device Control rules in your environment, use the Endpoints -> Device Control Violations page to monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XDR blocked them on the endpoint. All violation logs are displayed on the page. You can sort the results, and use the filters menu to narrow down the results. For each violation event Cortex XDR logs the event details, the platform, and the device details that are available.

Please mark this solution if it answered your queries on this post.
Thank you!



Just to add some tips into this, there is a way to create querys/alerts even on this kind of events. 

For example check the following link:

I have used similar techniques to this in investigations but its rather on your side and more of a "windows internals" thing. 



Hi @maksymilianjan ,


Thanks! Can you please share the query to create this alert?

L5 Sessionator

Hi @RahulPrajapati , @creddy and @maksymilianjan ,


As we know that Cortex XDR is an execution based detection and prevention solution, it has the capability to detect malwares if they execute even from removable media on the endpoint. As a result on connection scan is something that is not a hard requirement for detection of malwares. Practice recommendation in these used cases can be that you use restriction profiles to restrict execution of executables and other files from the removable media and if the user intends to execute some files present on the media, it should be copied to a folder on the endpoint locally for execution. Assuming, that the user does not execute the file instantaneously and if it stays on the system, periodic scan should be able to determine the verdict for the same.


Additionally, the Cortex XDR agent does not perform USB scan on connection, however, it has the capability to scan removable media as part of the periodic malware scan if required. You can enable this in the malware profiles, under category Endpoint ScanningPeriodic Scan -> Enabled and under then you should have the option to Scan Removable Media Drives->Enabled.


Screenshot below for reference


Do you happen to know if the "Scan Removable Drives" would include mapped network drives? We have hundreds of endpoints, and the last thing we need is all of them scanning the same shared network drive. 

Hi @EdwardDiaz ,


Mapped network drives are not scanned as part of the malware scan by the endpoints. Instead, if initiated on the endpoint which hosts the network drive, the network drive being considered a part of a persistent drive for a specific endpoint/server, will be scanned as a drive path.


Hope this helps!

Hi @RahulPrajapati , 


To add on @creddy 's response, you can choose to create XQL queries for looking into file write events on removable media using XQL queries which essentially would give the same result. If you have identity analytics module active. Uncommon USB connection activities are anyways automatically tracked and generate alerts for you.


Hope this helps

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!