Cortex XDR to take the cleanest snapshot of windows for rollback.

L0 Member

Hi LIVEcommunity,

Is there a way for Cortex XDR to take the cleanest snapshot of Windows so that there is a point to which we can roll back the endpoint after an attack?

Windows has a feature called Volume Shadow Copy Service (VSS), but can Cortex XDR use this after a ransomware attack? What if the VSS is corrupted? How can Cortex XDR protect the VSS and roll back to the cleanest state of the endpoint?

We are trying to compete with another product that has a feature like this, but I cannot find documentation stating how Cortex XDR can accomplish this task.

I hope experts in this community can guide us. Thank you.

- Jim

Accepted Solutions

L3 Networker

Dear @Jim_Gabales,

Thank you for reaching out to the Live Community. We do have a feature in Cortex XDR which assists in backup management, where we can enable or disable the automatic backup on Windows using VSS.

You can find these settings in Policy Management > Agent Settings > Backup Management. However, as far as I know, we cannot take a backup of the endpoints on Cortex XDR so that we can restore using it. We can only manage the enabling or disabling of the backup from Cortex XDR. Thank you.

If you feel this has answered your query, please let us know by clicking on "Mark this as a Solution". Thank you.


Hello @abdrahman, I was looking at this new feature "Backup Management" and you explained that it works with the VSS.
However, I listed the VSS writers and I do not see a writer "Cortex XDR".

Does it mean that the shadow copy driven by the agent has not been written?

I checked the Agent Settings profile and I can see that the option is Enabled.

How can I check on the endpoint that the backup has been made by the agent?

Regards,

Benjamin
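A listing of VSS writers shows the applications that quiesce their data for a snapshot, not the component that requested the snapshot, so the shadow copies themselves are what to verify on the endpoint. The PowerShell below is added here as an example, not code from this thread or from Palo Alto Networks: run elevated, it inventories existing shadow copies per fixed volume, flags volumes with none or only stale ones, and reports any VSS writer that is not in the Stable state; the 24-hour freshness threshold is an assumption to adjust to your backup policy.

```powershell
# Added example: verify VSS shadow copies on a Windows endpoint. Run from an elevated prompt.
param(
    [int]$MaxAgeHours = 24   # assumption: what counts as a "recent" shadow copy for your policy
)

# Fixed local volumes (DriveType 3); DeviceID is the \\?\Volume{GUID}\ path that shadow copies reference.
$volumes = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveType -eq 3 -and $_.DriveLetter }

# One Win32_ShadowCopy instance per snapshot; InstallDate is its creation time.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

$report = foreach ($vol in $volumes) {
    $mine     = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
    $newest   = $mine | Sort-Object InstallDate -Descending | Select-Object -First 1
    $ageHours = if ($newest) { [math]::Round(((Get-Date) - $newest.InstallDate).TotalHours, 1) } else { $null }
    [pscustomobject]@{
        Drive        = $vol.DriveLetter
        ShadowCopies = $mine.Count
        NewestUtc    = if ($newest) { $newest.InstallDate.ToUniversalTime() } else { $null }
        AgeHours     = $ageHours
        Status       = if (-not $newest)                    { 'NO SHADOW COPY' }
                       elseif ($ageHours -gt $MaxAgeHours)  { 'STALE' }
                       else                                 { 'OK' }
    }
}
$report | Format-Table -AutoSize

# A writer stuck in a non-Stable state can make the next snapshot fail; list any such writers.
$writerBlocks = ((vssadmin list writers) -join "`n") -split 'Writer name:' | Select-Object -Skip 1
$unstable = $writerBlocks | Where-Object { $_ -notmatch 'State:\s+\[\d+\]\s+Stable' } |
    ForEach-Object { ($_ -split "`n")[0].Trim() }
if ($unstable) { Write-Warning ("VSS writers not Stable: " + ($unstable -join ', ')) }

# Non-zero exit code when any fixed volume lacks a recent copy, so a scheduled job or RMM can alert on it.
if ($report | Where-Object Status -ne 'OK') { exit 1 } else { exit 0 }
```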

I see, but can we automate the part of restoring it using the enabled shadow copy? We have a remediation suggestion feature, "Restoring files", right? Will it trigger the shadow copy to be restored?
