How most decisions are made by Cortex XDR ?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

How most decisions are made by Cortex XDR ?

L2 Linker

Greetings ,


I am using Cortex XDR Prevent and keen to know how most decisions are made by Cortex XDR about File/process/macro being malicious or not ?  So assume there are no Hash exceptions and need to know if below is true :

- First Wildfire cache is checked and if verdict for sample is  available ,its used  and it becomes final 

-Second if sample is not in Wildfire cache then  static analysis is done and its decision is used and parallelly sample is sent for WildFire analysis and once verdict is received it takes priority over static analysis  and if WildFire verdict is 'Unknown' then Static Analysis verdict is final . Also till the time verdict is received from Wildfire the local analysis verdict is valid .


Can somebody confirm if above is true understanding or if Iam wrong anywhere ?

Secondly will appreciate if any statistical information is shared about above like in most cases whose verdict is used in most cases ? between Static Analysis and Wildfire .

Thirdly need to know how often are verdicts different and are they same in most cases ? 

Thanks in advance . 


L5 Sessionator

Hi @Balaraju this depends on the configuration of your Malware profiles.

Assuming your profile is configured with Wildfire (WF) analysis enabled and configured to blocl/report for known samples or run Local Analysis for unknown verdicts, your explanation is correct for both points. However, this does not include the reaction of post-execution modules like Behavioral Threat Protection, ransomware, NPI etc. Even if WF verdicts are benign, post-execution modules will continue to operate independently and can mitigate threats in-flight. 


I don't have any statistical data at hand - but again, it depends on the tenant configuration. Some organizations might have WF disabled, and thus, solely depend on Local Analysis verdicts. Verdicts can vary between industry verticals, types of software used, internet access control (air-gapped systems vs direct internet exposure), administrative rights of endpoint user, firewall configurations and the list goes on. So, it depends!


Please refer to this detailed documentation on Cortex XDR file analysis and protection flows:

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!