Changes to Default Behavior

Changes to Default Behavior in Cortex XDR 7.0 releases.
The following topics describe changes to default behavior in Cortex XDR agent 7.0 releases:

Changes to Default Behavior in Cortex XDR Agent 7.0.3

There are no changes to default behavior in this release.

Changes to Default Behavior in Cortex XDR Agent 7.0.2

Feature: Upgrade Path from ESM to Cortex XDR
Change to behavior: Due to the latest changes in the Cortex XDR agent certificate for Windows, the agent upgrade path from the Endpoint Security Manager (ESM) has changed. To upgrade a Traps agent earlier than the 4.2.6 release to Cortex XDR agent 7.0.0 or a later release, you must perform the following:
  1. First, upgrade your agent to Traps 4.2.6.
  2. Then, upgrade the Traps 4.2.6 agent to Cortex XDR agent 7.0.0.
  3. Finally, upgrade the Cortex XDR 7.0.0 agent to any agent release from 7.0.0 onwards.
If you are using a third-party tool to perform your upgrades, you can upgrade a Traps agent earlier than the 4.2.6 release directly to any release of the Cortex XDR agent.

Changes to Default Behavior in Cortex XDR Agent 7.0.1

Feature: Random Selection of App-specific Proxy
Change to behavior: If your Cortex XDR agents communicate with the Cortex XDR server through app-specific proxies, the proxy server for each communication is now selected from the list of proxies randomly with equal probability, rather than according to their order of definition.

Changes to Default Behavior in Cortex XDR Agent 7.0

Feature: Enabling Password Theft Protection by Default
Change to behavior: When you configure a new Malware security profile for the Cortex XDR agent, the Password Theft Protection module is now Enabled by default for all Traps and Cortex XDR agents managed by Cortex XDR 2.0. When Enabled, the Cortex XDR agent silently prevents attacks that use the Mimikatz tool to extract passwords from memory (no notifications are provided when these events occur).
Cortex XDR 2.0 support starts with the specified agent version for each release: Traps agent 5.09, Traps agent 6.1.4, and Cortex XDR agent 7.0.0.
Feature: Immediate Response Actions Over Web Socket
Change to behavior: When you perform the following response actions in Cortex XDR, they are now executed immediately on the endpoint through a web socket that is maintained between the Cortex XDR server and the Cortex XDR agent:
  • Quarantine file and restore file
  • Terminate process
  • Isolate endpoint and cancel endpoint isolation
  • Initiate Live Terminal
  • Set endpoint proxy and disable endpoint proxy
  • Retrieve endpoint files
  • Retrieve security event data
  • Retrieve support file
If the web socket communication fails, the action is executed on the next successful Cortex XDR agent heartbeat. You can use Cytool to display the current web socket connection status by running the cytool websocket command on the endpoint.
Feature: Agent Upgrade and Uninstall Process
Change to behavior: The process to upgrade and uninstall the agent has been modified so that it no longer requires an uninstall password. If you run these processes manually on the endpoint, either locally or using a software management tool such as SCCM, you must first disable the agent's security protection on the endpoint, either using Cytool or by applying an Agent Settings profile that disables service protection.
To disable protection using Cytool, run the cytool protect disable command. If you are upgrading from Traps agent 6.1, you must also manually disable the anti-tampering capability by running the cytool ppl disable command.
After you disable protection, you can proceed to uninstall or upgrade your Traps agent.
If you upgrade or uninstall the Traps agent from Traps management service, this change does not affect the process.
Feature: Agent Protection Initialization
Change to behavior: In this version, changes have been made that affect the minimum amount of time it takes for an agent to initialize protections on the endpoint:
  • When a new agent downloads content for the first time, it is unprotected between activation and the retrieval of its first content from a peer agent (this may take up to 10 minutes). This applies to Windows endpoints and new VDI sessions.
  • When you upgrade a Windows Traps agent to the Cortex XDR 7.0 agent, it can use all its protection capabilities apart from the local analysis of EXE and DLL files for a maximum period of 6 hours.
Feature: Agent Installation for Citrix App Layering
Change to behavior: Due to a Citrix App Layering limitation, you must install the Cortex XDR agent on the OS layer according to the following flow to enable the Cortex XDR agent to provide full protection to your endpoints:
  1. Install the Cortex XDR agent on the OS layer during the App Layering image preparation process, as a Terminal session, VDI, or Standard installation. Cortex XDR agent installations on the Application layer or User layer are not supported.
  2. Before you finalize the OS layer, stop the Cortex XDR agent with the cytool runtime stop command.
  3. Delete the c:\ProgramData\Cyvera\LocalSystem\Download\content folder.
  4. Delete the c:\ProgramData\Cyvera\LocalSystem\Persistence\cloud_frontend_db folder.
  5. Add the following entry to the Registry:
     HKLM\SYSTEM\CurrentControlSet\Services\Unirsd\ExcludeKey [REG_SZ] = "\Registry\Machine\System\Cyvera"
  6. Do not boot up the OS layer before it is finalized.
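Steps 2 to 5 of the flow above, scripted as an added PowerShell example for an elevated session on the OS layer (this is not Palo Alto Networks' own tooling). The cytool.exe location is an assumption about the agent's default install directory; adjust it to match your deployment.

```powershell
# Added example: prepares the Citrix App Layering OS layer after the Cortex XDR
# agent is installed (step 1) and before the layer is finalized (step 6).
# Assumption: cytool.exe is in the default agent install directory below.
$CytoolPath = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'

$FoldersToDelete = @(
    'C:\ProgramData\Cyvera\LocalSystem\Download\content',
    'C:\ProgramData\Cyvera\LocalSystem\Persistence\cloud_frontend_db'
)
$RegKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Unirsd'
$RegName  = 'ExcludeKey'
$RegValue = '\Registry\Machine\System\Cyvera'

# Step 2: stop the agent runtime. Abort rather than modify state under a running agent.
if (-not (Test-Path -LiteralPath $CytoolPath)) {
    throw "cytool.exe not found at $CytoolPath; set `$CytoolPath for this deployment"
}
& $CytoolPath runtime stop
if ($LASTEXITCODE -ne 0) {
    throw "cytool runtime stop failed with exit code $LASTEXITCODE"
}

# Steps 3 and 4: remove cached content and the cloud front-end database so the
# finalized layer does not carry this image's endpoint-specific state.
foreach ($folder in $FoldersToDelete) {
    if (Test-Path -LiteralPath $folder) {
        Remove-Item -LiteralPath $folder -Recurse -Force
        Write-Host "Deleted $folder"
    } else {
        Write-Host "Already absent: $folder"
    }
}

# Step 5: write the REG_SZ ExcludeKey value, creating the key if it is missing.
if (-not (Test-Path -LiteralPath $RegKey)) {
    New-Item -Path $RegKey -Force | Out-Null
}
New-ItemProperty -Path $RegKey -Name $RegName -PropertyType String `
    -Value $RegValue -Force | Out-Null

# Verify the value before handing the layer over for finalization.
$written = (Get-ItemProperty -Path $RegKey -Name $RegName).$RegName
if ($written -ne $RegValue) {
    throw "ExcludeKey verification failed: got '$written'"
}
Write-Host 'OS layer prepared; finalize it without booting (step 6).'
```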
