06-30-2026 12:02 AM - edited 06-30-2026 12:03 AM
When configuring Reverse Shell Protection and Malicious Child Process Protection there's an option to configure the protection mode. Default is "normal" but we could choose "aggressive" too.
There's no documentation.
Does anyone know the difference between the protection modes for these Linux modules?
Is it the same as in the ransomware protection module for Windows?
06-30-2026 02:44 PM
Hello @micomi ,
Greetings for the day.
The configuration of "Normal" and "Aggressive" protection modes for Reverse Shell Protection and Malicious Child Process Protection (C01) on Linux follows the general Cortex XDR logic of balancing detection sensitivity against system stability, though the specific technical implementation differs significantly from the Windows Anti-Ransomware module.
While the labels "Normal" and "Aggressive" are identical to those found in the Windows Ransomware Protection module, the underlying mechanism is not the same.
In the absence of specific Linux-module documentation, the operational differences are inferred from the general behavior of these settings within the platform:
The specific rule thresholds or sensitivity adjustments that differentiate Normal from Aggressive mode for these Linux-specific modules are not publicly documented.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar

