Features Introduced in Cortex XDR Agent 7.0

Beginning in release 7.0.0, the Traps agent is the Cortex XDR agent and is supported by the Cortex XDR app. The following topics describe the new features introduced in the Cortex XDR agent 7.0 releases.

Features in Cortex XDR Agent 7.0.3

No new features were introduced in this release.

Features in Cortex XDR Agent 7.0.2

The following topics describe the new features introduced in the Cortex XDR agent 7.0.2 release.
Agent Feature
Description
Support for macOS 10.15.4
You can now install the Cortex XDR agent on Mac endpoints running macOS 10.15.4.
Support for the SuSE 15 SP1 Linux Distribution
You can now install the Cortex XDR agent on Linux endpoints running the SuSE 15 SP1 distribution.
For compatibility reasons, when 32-bit support is installed on the endpoint, the Cortex XDR agent does not enforce the injection-based protection modules (ROP Mitigation, SO Protection, and Brute Force Protection) on 32-bit processes. All other exploit and malware protection modules work as expected, so 32-bit processes on such endpoints run with reduced exploit protection coverage.
Enhanced Support for SuSE 12 SP5
The Cortex XDR agent protection capabilities on Linux endpoints running the SuSE 12 SP5 distribution are enhanced with new kernel modules:
  • The anti-malware flow is now synchronous: the agent holds execution of an ELF file until a malware verdict is obtained. Local Privilege Escalation protection is also synchronous.
  • Data collection for EDR and Behavioral Threat Protection is supported.

Features in Cortex XDR Agent 7.0.1

The following topics describe the new features introduced in the Cortex XDR agent 7.0.1 release, by endpoint operating system.

Windows

Windows Agent Feature
Description
7.0.1-h1 Hotfix
The Cortex XDR agent builds 7.0.1.32749 and 7.0.1.40343 are now replaced with the hotfix build 7.0.1.40472. Installation packages that were generated using the earlier builds can no longer be used to install or register new Cortex XDR agents. Cortex XDR agents that were already installed using the earlier builds will continue to connect to Cortex XDR and receive policy; however, we recommend that you upgrade to the latest build containing the hotfix. For additional information, see Cortex XDR Agent 7.0.1-h1 Addressed Issues.
Agent Proxy Settings in WPAD Environments
You can now install the Cortex XDR agent on endpoints that acquire their proxy settings through the Web Proxy Auto-Discovery (WPAD) protocol. When the endpoint's network configuration is set to Automatically detect settings, whether configured manually or by script, the Cortex XDR agent uses the proxy settings it receives through the discovered PAC file. No additional agent settings are required for this use case.

Mac

There are no new features for Mac in Cortex XDR agent 7.0.1.

Linux

There are no new features for Linux in Cortex XDR agent 7.0.1.

Features in Cortex XDR Agent 7.0.0

The following topics describe the new features introduced in the Cortex XDR agent 7.0.0 release, by endpoint operating system.

Windows

Windows Agent Feature
Description
7.0.0-h1 Hotfix
The Cortex XDR agent build 7.0.0.27797 is now replaced with the hotfix build 7.0.0.28644. Installation packages that were generated using the earlier build can no longer be used to install or register new Cortex XDR agents. Cortex XDR agents that were already installed using the earlier build will continue to connect to Cortex XDR and receive policy; however, we recommend that you upgrade to the latest build containing the hotfix. For additional information, see Cortex XDR Agent 7.0.0-h1 Addressed Issues.
Serverless Content Distribution
To reduce the bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, the content update algorithm has been enhanced so that agents on your LAN can retrieve a new content version from other agents that have already retrieved it. Within the six-hour randomization window during which the Cortex XDR agent attempts to retrieve the new content version, it queries other agents twice: once within the first hour, and once again during the following five hours. If neither query obtains the new content from a peer, the agent retrieves it from Cortex XDR directly.
Peer-to-peer content distribution is enabled by default in the Agent Settings profile and requires that you allow UDP and TCP on port 33221 between agents (you can change this port number later through the Agent Settings profile). If you open the port in a host firewall, scope the rule to the LAN subnets where peer agents reside rather than to any source.
Note: Peer-to-peer content distribution might increase traffic on the organization's LAN.
Content Bandwidth Management
You can now configure the bandwidth used to distribute content updates between Cortex XDR and all Cortex XDR agents. When you configure the bandwidth to allocate to your endpoints, you assign a value in Mbps. You can configure content bandwidth management from Settings > Agent Configuration.
Device Control of USB-Connected Devices
To protect Windows endpoints from loading malicious files from USB-connected removable devices (CD-ROM drives, disk drives, floppy disk drives, and portable devices), Cortex XDR now provides Device Control. With Device Control, you can configure different policies to manage USB connectivity on your endpoints. For example, you can:
  • Block all supported USB-connected devices
  • Temporarily block only some USB-connected device types
  • Block a USB-connected device type but whitelist a specific vendor or product as an exception and grant it read/write access on the endpoint
To apply Device Control to your endpoints, you define Device Control profiles according to device type, and configure Device Control policies that apply to Cortex XDR endpoints or endpoint groups.
New Local Analysis Engine
For improved coverage and accuracy, the Cortex XDR local analysis engine on Windows endpoints now uses enhanced machine learning to analyze unknown executable and DLL files when they are executed or loaded.
Customized User Notifications
You can now customize the header and footer of the user notifications that the Cortex XDR agent displays when a security event occurs. You can override the default generic text to provide your end users with localized messages, support contact information, textual instructions, and more. Customized headers are set in the User Interface definitions of the Agent Settings profile and apply to the following notification types:
  • Exploit/Malware events set to block
  • Restriction events set to block
  • Restriction events set to notify the user
You can also customize the default text of the notification footer. Cortex XDR displays the same footer for all notification types.

Mac

Mac Agent Feature
Description
Customized User Notifications
You can now customize the header and footer of the user notifications that the Cortex XDR agent displays when a security event occurs. You can override the default generic text to provide your end users with localized messages, support contact information, textual instructions, and more. You can customize the following:
  • The notification header for Exploit/Malware events set to block
  • The notification footer, which applies to all notification types
Customized notifications are set in the User Interface definitions of the Agent Settings profile.
Remote Investigation and Remediation with Live Terminal
If an event requires further investigation and remediation, you can initiate a Live Terminal session to the remote Mac endpoint. This enables you to navigate and manage files in the file system, run Bash or Python commands, and manage active processes. After you terminate the Live Terminal session, you can also save a log of the session activity.
Retrieve Files Response Action
You can now initiate a Retrieve Files response action on Mac endpoints directly from Cortex XDR. You can retrieve up to 20 files related to a security event (up to 200 MB total); within that limit of 20 files, you can also request additional files by supplying their file paths. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, view it in the Action Center. Cortex XDR retains retrieved files for up to one week.
Content Bandwidth Management
You can now configure the bandwidth used to distribute content updates between Cortex XDR and all Cortex XDR agents. When you configure the bandwidth to allocate to your endpoints, you assign a value in Mbps. You can configure content bandwidth management from Settings > Agent Configuration.

Linux

Feature
Description
Remote Investigation and Remediation with Live Terminal
If an event requires further investigation and remediation, you can initiate a Live Terminal session to the remote Linux endpoint. This enables you to navigate and manage files in the file system, run Bash or Python commands, and manage active processes. After you terminate the Live Terminal session, you can also save a log of the session activity.
Retrieve Files Response Action
You can now initiate a Retrieve Files response action on Linux endpoints directly from Cortex XDR. You can retrieve up to 20 files related to a security event (up to 200 MB total); within that limit of 20 files, you can also request additional files by supplying their file paths. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, view it in the Action Center. Cortex XDR retains retrieved files for up to one week.
SO Hijacking Protection
Cortex XDR extends Exploit Protection on Linux endpoints to also protect against SO Hijacking attacks, in which an attacker causes a process to dynamically load a shared object (.so) from an insecure location in order to take control of that process. The Cortex XDR agent blocks this activity and raises an SO Hijacking Protection alert.
The new SO Hijacking Exploit Protection module is automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.
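As an added illustration of the condition this module watches for (example code written for this page, not Cortex XDR agent code), the following Python script reads a process's /proc/<pid>/maps and reports executable mappings of shared objects that come from outside the system library directories, including libraries whose backing file was unlinked after loading. The trusted and user-writable directory lists, the SAMPLE_MAPS content, and the finding labels are constructed assumptions for a typical glibc-based distribution; tune the directory lists for your fleet.

```python
"""Detect shared objects mapped into a process from untrusted locations.

Added example, not Cortex XDR agent code. It parses /proc/<pid>/maps and
flags executable mappings of .so files that live outside the directories a
Linux system normally loads libraries from. Directory lists are assumptions.
"""
import re
from typing import Iterator, List, Tuple

# Where library loads are expected (assumption; extend for your fleet).
TRUSTED_LIB_PREFIXES = (
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
    "/usr/local/lib/", "/usr/local/lib64/",
)

# User-writable or commonly abused locations; a library here is high severity.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")

_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)
_SO_NAME = re.compile(r"\.so(\.\d+)*$")  # libfoo.so, libfoo.so.6, libfoo.so.1.2.3


def parse_maps(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (perms, path) for each well-formed /proc/<pid>/maps line."""
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            yield m.group("perms"), m.group("path").strip()


def classify_library(path: str) -> str:
    """Return a finding label for a library path, or '' if it is trusted."""
    deleted = path.endswith(" (deleted)")
    real = path[: -len(" (deleted)")] if deleted else path
    if real.startswith(TRUSTED_LIB_PREFIXES) and not deleted:
        return ""
    if deleted:
        # Backing file was unlinked after loading: classic trace hiding
        # (also seen legitimately after a package upgrade; see usage note).
        return "deleted-on-disk"
    if real.startswith(WRITABLE_PREFIXES):
        return "user-writable-location"
    return "non-standard-location"


def find_untrusted_libraries(maps_text: str) -> List[Tuple[str, str]]:
    """Return (path, finding) for every executable .so mapped from an untrusted place."""
    findings: List[Tuple[str, str]] = []
    for perms, path in parse_maps(maps_text):
        if not path or path.startswith("["):   # anonymous, [heap], [stack], [vdso]
            continue
        if "x" not in perms:                   # only executable mappings can run code
            continue
        name = path.replace(" (deleted)", "").rsplit("/", 1)[-1]
        if not _SO_NAME.search(name):
            continue
        label = classify_library(path)
        if label and (path, label) not in findings:
            findings.append((path, label))
    return findings


def scan_pid(pid: int) -> List[Tuple[str, str]]:
    """Run the check against a live process (Linux only, needs read access to /proc)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return find_untrusted_libraries(fh.read())


# Constructed sample of a maps file: a daemon with libc and libpthread from
# system paths plus two injected libraries, one of them unlinked after load.
SAMPLE_MAPS = """\
55d6c4a00000-55d6c4b00000 r-xp 00000000 fd:01 1234567 /usr/sbin/sshd
7f3a1c000000-7f3a1c1c5000 r-xp 00000000 fd:01 2345678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c1c5000-7f3a1c1c9000 rw-p 001c5000 fd:01 2345678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c402000 r-xp 00000000 fd:01 3456789 /tmp/.x/libhook.so
7f3a1c600000-7f3a1c601000 r-xp 00000000 00:19 99 /dev/shm/payload.so (deleted)
7f3a1c800000-7f3a1c801000 rw-p 00000000 00:00 0
7f3a1ca00000-7f3a1ca01000 r-xp 00000000 fd:01 4567890 /lib/x86_64-linux-gnu/libpthread.so.0
7ffd8e000000-7ffd8e021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for path, label in find_untrusted_libraries(SAMPLE_MAPS):
        print(f"{label:24} {path}")
```

Two caveats when running this against live hosts: a long-running process shows its system libraries as "(deleted)" after a package upgrade replaced them on disk, so treat that label as "investigate, then restart" rather than as a confirmed hijack; and this is a point-in-time sweep of what is already mapped, whereas the agent module described above intercepts the load itself and can block it before the library's code runs.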
Extended Exploit Protection Coverage for Java Deserialization Exploits
Cortex XDR extends Exploit Protection on Linux endpoints to also detect Java deserialization exploits on Java-based servers. The new Exploit Protection module detects attempts to execute malicious code while Java objects are being deserialized. The Cortex XDR agent blocks this activity and raises a Suspicious Input Deserialization alert.
The new Java Deserialization Exploit Protection module is automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.
Content Bandwidth Management
You can now configure the bandwidth used to distribute content updates between Cortex XDR and all Cortex XDR agents. When you configure the bandwidth to allocate to your endpoints, you assign a value in Mbps. You can configure content bandwidth management from Settings > Agent Configuration.

Android

Feature
Description
Rebranded Android App
The Traps app for Android is now the Cortex XDR app for Android. The new app is supported with Cortex XDR Prevent, Cortex XDR Pro - Endpoint, and the Traps management service. It has a new look that matches the Cortex XDR theme and provides the same malware prevention capabilities as the previous Traps app.
Content Bandwidth Management
You can now configure the bandwidth used to distribute content updates between Cortex XDR and all Cortex XDR agents. When you configure the bandwidth to allocate to your endpoints, you assign a value in Mbps. You can configure content bandwidth management from Settings > Agent Configuration.
