The Cortex XDR™ agent protects Linux servers by preventing known
and unknown malware from running and by halting attempts to
leverage software exploits and vulnerabilities to compromise the
server. The agent also extends exploit and malware protection to
processes that run in Linux containers. When you install the agent
on a Linux server that uses containers, it automatically protects
any new and existing containerized processes regardless of the
container solution (for example, Docker). Because Cortex XDR issues
the license per Linux server, containers do not consume any
additional licenses.
The protection capabilities and features that the Cortex XDR
agent for Linux enables depend, in part, on your security policy
configuration and the kernel version that is installed. Protection
capabilities such as Behavioral Threat Protection, ELF file analysis,
and endpoint data collection and sharing for EDR all require a supported
kernel version. If you deploy the Cortex XDR agent on a Linux
server that is not running one of the kernel versions required for
these additional protection capabilities, the agent operates in
asynchronous mode, in which:
- Continuous event monitoring, which Behavioral Threat Protection
  requires, is disabled.
- Sharing endpoint activity data with Cortex apps is disabled.
- ELF file examination occurs in parallel with the file execution.
  If the Cortex XDR agent obtains a malware verdict for the ELF file,
  it terminates the file execution. Security events for malware in
  asynchronous mode are assigned high severity because the file can
  continue to execute while the verdict request is pending; security
  events in synchronous mode are medium severity.
All other exploit and malware protection is enabled per your
Linux security policy.
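The difference between the two ELF-examination modes is easiest to see on a timeline. The following Python model is an added illustration and is not Cortex XDR code: the agent's actual verdict path, latencies and severity logic are not published on this page. The verdict table, hashes, tick counts and the "unknown verdict is allowed" rule are all constructed assumptions; the model only shows why a malware event raised in asynchronous mode carries more risk (the file already executed for the length of the verdict request) than the same event raised in synchronous mode (the file never ran).

```python
"""Simulated timeline of synchronous vs. asynchronous ELF verdict gating.

Added illustration, not Cortex XDR code. The verdict table, hashes,
latencies and handling of unknown verdicts are constructed for this model.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed verdict table standing in for the agent's malware lookup.
VERDICTS: Dict[str, str] = {
    "sha256:" + "a" * 64: "malware",   # constructed sample hash
    "sha256:" + "b" * 64: "benign",    # constructed sample hash
}


@dataclass
class Outcome:
    mode: str                # "synchronous" or "asynchronous"
    verdict: str             # "malware", "benign" or "unknown"
    action: str              # "blocked", "terminated" or "allowed"
    ticks_executed: int      # simulated time the file ran before the decision
    severity: Optional[str]  # severity of the security event, None if no event


def lookup_verdict(file_hash: str) -> str:
    """Return the verdict for a hash; unknown hashes are treated as allowed
    in this model (an assumption, not documented behaviour)."""
    return VERDICTS.get(file_hash, "unknown")


def run_elf(file_hash: str, mode: str, verdict_latency: int, runtime: int) -> Outcome:
    """Model one ELF execution under the given gating mode.

    verdict_latency: simulated ticks the verdict request takes to complete.
    runtime: ticks the program would run if it were never stopped.
    """
    if mode not in ("synchronous", "asynchronous"):
        raise ValueError(f"unknown mode {mode!r}")
    verdict = lookup_verdict(file_hash)

    if mode == "synchronous":
        # Execution waits for the verdict, so a malware file never gets a tick.
        if verdict == "malware":
            return Outcome(mode, verdict, "blocked", 0, "medium")
        return Outcome(mode, verdict, "allowed", runtime, None)

    # Asynchronous: the file starts immediately and the verdict arrives later.
    # The program keeps running for the whole verdict latency (or until it
    # finishes on its own, whichever comes first).
    ticks_before_verdict = min(verdict_latency, runtime)
    if verdict == "malware":
        # The process already ran during the request, hence the high severity.
        return Outcome(mode, verdict, "terminated", ticks_before_verdict, "high")
    return Outcome(mode, verdict, "allowed", runtime, None)


if __name__ == "__main__":
    sample_malware = "sha256:" + "a" * 64
    for gating_mode in ("synchronous", "asynchronous"):
        print(run_elf(sample_malware, gating_mode, verdict_latency=3, runtime=10))
```

Running the block prints one Outcome per mode for the constructed malware hash: synchronous gating blocks it with zero ticks executed and a medium-severity event, while asynchronous gating terminates it only after it has run for the three simulated ticks of verdict latency and raises a high-severity event. Increasing `verdict_latency` widens that window, which is the exposure the higher severity is meant to flag.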