Changes to Default Behavior
Changes to Default Behavior in Cortex XDR 7.0 releases.
The following topics describe changes to default behavior in Cortex XDR agent 7.0 releases:
Changes to Default Behavior in Cortex XDR Agent 7.0.3
There are no changes to default behavior in this release.
Changes to Default Behavior in Cortex XDR Agent 7.0.2
Change to Behavior
Upgrade Path from ESM to Cortex XDR
Due to the latest changes in the Cortex XDR agent certificate for Windows, the agent upgrade path from the Endpoint Security Manager (ESM) has changed. To upgrade a Traps agent prior to the 4.2.6 release to Cortex XDR agent 7.0.0 or a later release, you must perform the following:
If you are using a third-party tool to perform your upgrades, you can upgrade a Traps agent prior to the 4.2.6 release directly to any release of the Cortex XDR agent.
Changes to Default Behavior in Cortex XDR Agent 7.0.1
Change to Behavior
Random Selection of App-specific Proxy
If your Cortex XDR agents communicate with the Cortex XDR server through app-specific proxies, the proxy server for each communication is now selected randomly from the list of proxies with equal probability, rather than according to the order in which the proxies are defined.
Changes to Default Behavior in Cortex XDR Agent 7.0
Change to Behavior
Enabling Password Theft Protection by Default
Now when you configure a new Malware security profile for the Cortex XDR agent, the Password Theft Protection module is Enabled by default for all Traps and Cortex XDR agents managed by Cortex XDR 2.0. When Enabled, the Cortex XDR agent silently prevents attacks that use the Mimikatz tool to extract passwords from memory (no notifications are provided when these events occur).
Cortex XDR 2.0 support starts with the specified agent version for each release: Traps agent 5.09, Traps agent 6.1.4, and Cortex XDR agent 7.0.0
Immediate Response Actions Over Web Socket
Now when you perform the following response actions in Cortex XDR, they will be executed immediately on the endpoint through a web socket that is maintained between the Cortex XDR server and the Cortex XDR agent:
If the web socket communication fails, the action will be executed on the next successful Cortex XDR agent heartbeat. You can use Cytool to display the current websocket connection status by running the cytool websocket command on the endpoint.
Agent Upgrade and Uninstall Process
The process to upgrade and uninstall the agent has been modified to not require an uninstall password. If you run these processes manually on the endpoint, either locally on the endpoint or using a software management tool like SCCM, you must disable the agent's security protection on the endpoint either using Cytool or by applying an Agent Settings profile that disables service protection.
To disable protection using Cytool, run the cytool protect disable command. If you are upgrading from Traps agent 6.1, you must also manually disable the anti-tampering capability by running the cytool ppl disable command.
After you disable protection, you can proceed to uninstall or upgrade your Traps agent.
If you upgrade or uninstall the Traps agent from Traps management service, no change is reflected.
Agent Protection Initialization
In this version, changes have been made affecting the minimal amount of time it takes for an agent to initialize protections on the endpoint:
Agent Installation for Citrix App Layering
Due to a Citrix App Layering limitation, you must install the Cortex XDR agent on the OS layer according to this flow to enable the Cortex XDR agent to provide full protection to your endpoints: