Triggering XDR Defender, how?


Hi Everyone!

Does anyone have any idea how I can trigger the XDR detection capabilities with 100% certainty, without Windows Defender coming first?


Thanks.

Günnie

Accepted Solutions

L4 Transporter

Hello @goenuel.trautmann.sp ,

Greetings for the day.

To trigger Cortex XDR detection capabilities without Windows Defender interfering—which can cause a "race condition" where Defender quarantines the file first—you must ensure that Windows Defender is running in Passive Mode.

1. Verify Current Microsoft Defender Mode

Before testing, confirm the current running mode of Windows Defender by executing the following command in an elevated PowerShell session:

Get-MpComputerStatus | select AMRunningMode

  • Active Mode: Defender attempts to block or quarantine threats before Cortex XDR can respond.

  • Passive Mode: Defender provides telemetry but does not provide real-time protection, allowing Cortex XDR to handle detection and prevention.

2. Configure Passive Mode

The method depends on the operating system:

Windows Workstations (10/11):
Cortex XDR typically registers as the primary antivirus in the Windows Security Center (WSC). This integration causes WSC to automatically switch Microsoft Defender to passive or disabled mode. Ensure the Windows Security Center Integration setting is enabled in the Cortex XDR Agent Settings Profile.

Windows Servers:
Windows Server OS does not automatically set Defender to passive mode when a third-party AV is registered. You must manually force Passive Mode by modifying the registry and restarting the server:

  • Registry Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\AM\

  • Value Name: ForceDefenderPassiveMode

  • Type: REG_DWORD

  • Data: 1

3. Recommended Detection Tests

Once Passive Mode is confirmed, you can trigger XDR alerts using the following methods:

  • WildFire Test File: Download and attempt to execute a WildFire test PE file. This triggers malware detection alerts without using a real virus.
    (https://docs.paloaltonetworks.com/advanced-wildfire/administration/configure-advanced-wildfire-analy...)

  • Malware Test PE File: Generic malware test PE files generate alerts in XDR. EICAR tests may fail if Defender is not fully suppressed.

  • Anti-Ransomware Test: Simulate ransomware behavior by copying powershell.exe with a different name and attempting to modify files in protected "honeypot" directories.

4. Troubleshooting Missing Alerts

If a test does not generate an alert, check the following:

  • Ensure XDR Pro Capabilities are enabled in the agent settings to collect file, process, and network telemetry.

  • Verify the Malware Profile has On-write File Examination and Quarantine malicious executables enabled.

  • Check for Informational (Severity 0) alerts, as these may be hidden from the main Alert Table by default.

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
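As an added example (not part of the original post or a Palo Alto Networks tool), the following script combines steps 1 and 2 above into one check: it reports the Defender running mode, tells workstations and servers apart, and on a server shows the ForceDefenderPassiveMode policy value, writing it only when run with the assumed -Apply switch. It assumes an elevated PowerShell session on a host with the Defender module available.

```powershell
# Added example: check Defender mode and the server-side passive-mode policy value.
# Read-only by default; -Apply (an assumed switch, not a Cortex XDR setting) writes the value.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply
)

# Registry location and value from the answer above.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\AM'
$regName = 'ForceDefenderPassiveMode'

# Step 1: current Defender mode (same cmdlet as in the answer).
$status = Get-MpComputerStatus
Write-Host "AMRunningMode             : $($status.AMRunningMode)"
Write-Host "RealTimeProtectionEnabled : $($status.RealTimeProtectionEnabled)"

# Step 2: workstation or server? WSC handles workstations; servers need the policy value.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1
Write-Host "ProductType               : $($os.ProductType) (server: $isServer)"

# Current policy value, if the key or value exists at all.
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
Write-Host "$regName : $(if ($null -eq $current) { '<not set>' } else { $current })"

# AMRunningMode strings contain 'Passive' for both plain and SxS passive modes.
if ($status.AMRunningMode -match 'Passive') {
    Write-Host 'Defender is passive; the detection tests in step 3 can proceed.' -ForegroundColor Green
    return
}

if (-not $isServer) {
    Write-Warning 'Workstation: WSC should switch Defender to passive. Check Windows Security Center Integration in the Cortex XDR Agent Settings Profile.'
    return
}

if (-not $Apply) {
    Write-Warning "Server is in '$($status.AMRunningMode)' mode. Re-run with -Apply to set $regName = 1 (REG_DWORD), then restart."
    return
}

if ($PSCmdlet.ShouldProcess("$regPath\$regName", 'Set REG_DWORD = 1')) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$regName set to 1. Restart the server, then re-run this script to confirm AMRunningMode is passive."
}
```

Because of SupportsShouldProcess, `-Apply -WhatIf` previews the registry write without making it.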

Thank you for your helpful answer. I have no Defender admin rights and can't configure passive mode, but the ideas in point 3 are really good.
