Hello @goenuel.trautmann.sp ,

Greetings for the day.

To trigger Cortex XDR detection capabilities without Windows Defender interfering—which can cause a "race condition" where Defender quarantines the file first—you must ensure that Windows Defender is running in Passive Mode.

1. Verify Current Microsoft Defender Mode

Before testing, confirm the current running mode of Windows Defender by executing the following command in an elevated PowerShell session:

Get-MpComputerStatus | select AMRunningMode

  • Active Mode: Defender attempts to block or quarantine threats before Cortex XDR can respond.

  • Passive Mode: Defender provides telemetry but does not provide real-time protection, allowing Cortex XDR to handle detection and prevention.

2. Configure Passive Mode

The method depends on the operating system:

Windows Workstations (10/11):
Cortex XDR typically registers as the primary antivirus in the Windows Security Center (WSC). This integration causes WSC to automatically switch Microsoft Defender to passive or disabled mode. Ensure the Windows Security Center Integration setting is enabled in the Cortex XDR Agent Settings Profile.

Windows Servers:
Windows Server OS does not automatically set Defender to passive mode when a third-party AV is registered. You must manually force Passive Mode by modifying the registry and restarting the server:

  • Registry Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\AM\

  • Value Name: ForceDefenderPassiveMode

  • Type: REG_DWORD

  • Data: 1

3. Recommended Detection Tests

Once Passive Mode is confirmed, you can trigger XDR alerts using the following methods:

  • WildFire Test File: Download and attempt to execute a WildFire test PE file. This triggers malware detection alerts without using a real virus.
    (https://docs.paloaltonetworks.com/advanced-wildfire/administration/configure-advanced-wildfire-analy...)

  • Malware Test PE File: Generic malware test PE files generate alerts in XDR. EICAR tests may fail if Defender is not fully suppressed.

  • Anti-Ransomware Test: Simulate ransomware behavior by copying powershell.exe with a different name and attempting to modify files in protected "honeypot" directories.

4. Troubleshooting Missing Alerts

If a test does not generate an alert, check the following:

  • Ensure XDR Pro Capabilities are enabled in the agent settings to collect file, process, and network telemetry.

  • Verify the Malware Profile has On-write File Examination and Quarantine malicious executables enabled.

  • Check for Informational (Severity 0) alerts, as these may be hidden from the main Alert Table by default.

If you feel this has answered your query, please let us know by clicking "Like" and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
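As an added example, not part of the answer above: a PowerShell script that combines the step 1 check with the step 2 Server registry change, reporting only unless -Apply is given. The registry path is taken as the post states it; $RegPath, $ValueName and the -Apply switch are names chosen here, and the script is assumed to run from an elevated session.

```powershell
# Added example (not from the original post): check Defender's running mode and,
# on Windows Server, force Passive Mode via the registry value the post describes.
# Assumptions: registry path as stated in the post; $RegPath, $ValueName and -Apply
# are names chosen here. Run from an elevated PowerShell session.
param(
    [string]$RegPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\AM',
    [string]$ValueName = 'ForceDefenderPassiveMode',
    [switch]$Apply       # without -Apply the script only reports
)

function Get-DefenderRunningMode {
    # AMRunningMode is 'Normal' while Defender is the active AV and 'Passive Mode'
    # once another registered AV (here the Cortex XDR agent) owns real-time protection.
    (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode
}

function Test-IsWindowsServer {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
}

$mode = Get-DefenderRunningMode
Write-Host "AMRunningMode : $mode"

if ($mode -eq 'Passive Mode') {
    Write-Host 'Defender is already passive; Cortex XDR should see the test files first.'
    return
}

if (-not (Test-IsWindowsServer)) {
    # Workstations are switched by Windows Security Center once the XDR agent
    # registers as primary AV, so the fix is in the agent profile, not the registry.
    Write-Warning 'Workstation still in Active Mode: check that Windows Security Center Integration is enabled in the Cortex XDR Agent Settings Profile.'
    return
}

$current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Write-Host "Current $ValueName : $(if ($null -eq $current) { '<not set>' } else { $current })"

if (-not $Apply) {
    Write-Host 'Re-run with -Apply to set the value to 1 (a restart is required afterwards).'
    return
}

if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
Write-Host "$ValueName set to 1 under $RegPath. Restart the server, then re-check AMRunningMode."
```

Microsoft's own documentation for ForceDefenderPassiveMode places the value under HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection; pass that as -RegPath if the path given in the post has no effect on your build.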
