Changes to Default Behavior

The following topics describe changes to default behavior in Cortex® XDR™ agent 7.2 releases.

Changes to Default Behavior in Cortex XDR Agent 7.2.4

Feature: Support Search and Destroy in VDI sessions (Windows)
Change to behavior: If you plan to use the file Search and Destroy response action in your non-persistent VDI sessions, you must first run the following scan and query commands at the golden image creation stage:
    cytool file_system_scan start
    cytool file_system_scan query
For more information about Cytool, see the Cortex XDR Agent Administrator’s Guide.

Feature: Additional logs
Change to behavior: Additional logs have been added for agents running on Windows and macOS endpoints to indicate more clearly that a scan is in progress.

Changes to Default Behavior in Cortex XDR Agent 7.2.3

There are no changes to default behavior in this release.

Changes to Default Behavior in Cortex XDR Agent 7.2.2

There are no changes to default behavior in this release.

Changes to Default Behavior in Cortex XDR Agent 7.2.1

Feature: Full Native Support for Apple’s Deprecation of Kernel Extensions
Change to behavior: In this release, the Cortex XDR agent deploys a new Network extension that monitors network traffic on the endpoint. Together with the existing System extension, the two provide full coverage of endpoint traffic and replace the deprecated Kernel extension on macOS 10.15.4 and later releases.
On endpoints running macOS versions earlier than 10.15.4, the Cortex XDR agent continues to use the Kernel extension to monitor network events.
When the Cortex XDR agent 7.2.1 first starts on the endpoint, the operating system prompts the user to allow the agent to filter all network content on the endpoint. The user must approve this prompt; otherwise, the Cortex XDR agent cannot monitor network traffic. If you use JAMF Pro to deploy agents across your network, you can suppress this operating system prompt by uploading a configuration file provided by Palo Alto Networks. For the full installation process, refer to the Cortex XDR Agent Administrator’s Guide for Mac.

Changes to Default Behavior in Cortex XDR Agent 7.2

Feature: Future Native Support for Apple’s Deprecation of Kernel Extensions
Change to behavior: In line with Apple’s efforts to improve security in the upcoming macOS 11.0 Big Sur release, which include deprecating kernel extensions from third-party providers, Cortex XDR agent 7.1 and later releases are transitioning to fully support the new operating system requirements. Beginning with macOS 10.15.4, the Cortex XDR agent no longer uses the kernel extension. Instead, the agent is designed to deploy a new Network extension alongside the existing System extension; together they provide full coverage of endpoint traffic and replace the deprecated kernel extension.
During this transition period for both the Cortex XDR agent and the operating system, the Cortex XDR agent does not monitor network traffic on the endpoint and cannot report network events back to Cortex XDR. Consequently, BIOC rules and BIOC-to-Behavioral Threat Protection (BTP) rules that you have defined for network events will not trigger, and you cannot query network events in the Query Builder. The agent fully supports all other data collection and security capabilities on the endpoint.
For the full installation procedure for the Cortex XDR 7.1 agent and later releases on Mac endpoints running macOS 10.15.4, refer to the Cortex XDR Agent Administrator’s Guide.