The Cortex XDR agent now includes information about all the Microsoft patches installed on a Windows endpoint, including a link to the Microsoft official Knowledge Base (KB) support article.

When the Cortex XDR agent encounters a file that is unknown to WildFire during an endpoint scan, the agent can now leverage its built-in Cortex XDR Local analysis engine to process the file directly on the endpoint and assign the file a benign or malicious verdict. Local analysis is used in all types of scans: periodic scans, malware scans you initiate from Cortex XDR, and custom scans you initiate from the endpoint. For future reference, the agent also uploads the file to the WildFire service for further analysis.

The local analysis engine for Cortex XDR agents running on Windows endpoints now provides enhanced coverage for Microsoft Office files with macros. When the endpoint user attempts to open an Office file with a macro, and the WildFire verdict for the file is unavailable (if the sample is unknown to WildFire or the endpoint is currently disconnected from Cortex XDR), the Cortex XDR agent will analyze the file using the new advanced machine learning model for local analysis.

You can now extend your Device Control policy rules for Windows endpoints to include custom USB connected device classes beyond Disk Drive, CD-ROM, Portable Devices and Floppy Disk Drives, such as USB connected network adapters. When you create a custom device class, you must provide the official ClassGuid identifier used by Microsoft. Alternatively, if you configured a GUID value to a specific USB connected device, you must use this value for the new device class. After you add a custom device class, you can enforce any device control rules and exceptions on this device class.

The Cortex XDR agent can now proactively apply your malware security policy—such as quarantine and block settings—and enforce them when a post-detection alert is raised. A post-detection alert is raised for activity, files, or processes that were previously thought to be benign but are now—as a result of additional information, analysis, or administrator action—known to be malicious.

For example, if your security policy enables the Cortex XDR agent to block malicious files and processes, the agent can immediately halt running files and processes and block any future attempts to run. If you also enable the Cortex XDR agent to quarantine files, the agent can proactively quarantine detected malware even if it is dormant and not currently running.

After the Cortex XDR agent enforces the security policy, Cortex XDR updates the action from detected to prevented for the corresponding alert.

To protect Mac endpoints from loading malicious files from USB-connected removable devices (CD-ROM, disk drives, and floppy disks), Cortex XDR now extends Device Control to Mac endpoints. With Device Control, you can configure different policies to manage USB-connectivity on your endpoint. For example, you can:

To apply Device Control to your Mac endpoints, you define Device Control profiles according to the device types, and configure device control policies that apply to Cortex XDR endpoints or endpoint groups.

Cortex XDR now provides visibility into Mac endpoints that encrypt their hard drives using FileVault, the Apple built-in encryption tool, through

Endpoints

Disk Encryption Visibility

. Additionally, you can enforce FileVault encryption on the endpoint operating system disk through Cortex XDR, by configuring Disk Encryption profiles and applying them to your Mac endpoints.

The Cortex XDR Disk Encryption profile for Mac can encrypt the endpoint disk, however it cannot decrypt it. You have to perform the decryption manually on the endpoint. If you use an institutional recovery key (IRK) to decrypt the endpoint, you must ensure the key is signed by a valid authority.

To reduce the attacks that occur during network communications on the endpoint, you can now control all inbound communications on your Mac endpoints, using the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block inbound traffic on the endpoint, and apply them to your endpoints using Cortex XDR policy rules.

Cortex XDR enables you to configure different sets of rules according to the current location of the device within the organization network. To fine tune your control over the inbound communication, you can also:

To control inbound communication of your endpoints, Cortex XDR leverages the Mac Application Firewall APIs. The Cortex XDR agent applies the Application Firewall rules on the endpoint according to the settings configured in the Cortex XDR management console.

To apply location based Host Firewall rules on your Mac endpoints, Cortex XDR can now determine whether the Cortex XDR agent is within the organization network or outside also for Mac endpoints. Similarly to the network location test performed for Windows endpoints, Cortex XDR performs a domain controller connectivity test and DNS test to determine whether the Cortex XDR agent is within the organization network or outside.

On macOS endpoints, the Cortex XDR agent can now

Analyze and prevent malicious DMG files from running

. To enable DMG file examination, you configure the new option in your Malware Security profiles. When an unknown DMG file attempts to run, the Cortex XDR agent sends the file to Cortex XDR for analysis by WildFire. The agent can then prevent the DMG from running until it receives the benign verdict for the file.

The Cortex XDR agent now protects your Linux endpoints against PHP webshells. With advanced machine learning algorithms, the new Local Threat-Evaluation Engine (LTEE) analyses PHP scripts to detect webshells. When Local File Threat Examination is enabled in your Malware profile, the Cortex XDR agent creates an alert for any malicious PHP script. You can also set the policy to quarantine malicious PHP files on the endpoint.

You enable Local File Threat Examination in the Malware security proile.

The Cortex XDR agent now protects your endpoint against crypto-mining attacks that could consume the endpoint CPU computing power, as part of the Behavioral threat protection (BTP) module.