Cortex XDR Supported Kernel Module Versions by Distribution
To enable full endpoint protection features on Linux endpoints, you must use a supported Linux kernel version.
On Linux endpoints, to perform malware analysis of ELF files and collect data for EDR and behavioral threat analysis, the Cortex XDR agent requires a supported kernel version of 3.4 or later. If you deploy the Cortex XDR agent on a Linux server that is not running one of the kernel versions required for these additional protection capabilities, the agent will operate in
asynchronous mode, where:
- Continuous event monitoring required for Behavioral Threat Protection is disabled.
- Sharing endpoint activity data with Cortex apps is disabled.
- ELF file examination and Local Privilege Escalation (LPE) examination occur in parallel with the file execution. If the Cortex XDR agent obtains a malware verdict for the file, it terminates the file execution. Security events for malware in asynchronous mode are assigned a high severity due to the potential for continued execution during the verdict request while security events in synchronous mode are medium severity.
- All other exploit and malware protection is enabled per your Linux security policy.
For Cortex XDR agents 7.1 and later releases, in addition to deploying on a supported kernel version, you must ensure it is possible to load third party modules by disabling UEFI SecureBoot. Otherwise, the Cortex XDR agent will operate in asynchronous mode.
Beginning in Cortex XDR agent 7.1, changes to the kernel module versions are distributed with content updates. In earlier Cortex XDR agent releases, changes to the kernel module versions are distributed with the agent releases.
Latest Kernel Module Version Support
Cortex XDR agent 7.1 and later versions support the following kernel module versions as of content update 168-51959.
Supported Kernel Versions
Recommended For You
Recommended videos not found.