To install, use, and uninstall the Cortex® XDR™ agent
7.3 on Linux endpoints, see the references in this topic.
The Cortex® XDR™ agent protects Linux servers by preventing
known and unknown malware from running by halting any attempts to
leverage software exploits and vulnerabilities to compromise the
server. The agent also extends exploit and malware protection to
processes that run in Linux containers. When you install
the agent on a Linux server that uses containers, it automatically
protects any new and existing containerized processes regardless
of the container solution (for example, docker). Because Cortex
XDR issues the license per Linux server, each container does not
consume any additional licenses.
The protection capabilities and features that the Cortex XDR
agent for Linux enables depend, in part, on your security policy
configuration and the kernel version that is installed. Protection
capabilities such as Behavioral Threat Protection, ELF file analysis,
and endpoint data collection and sharing for EDR all require a supported kernel version.
If you deploy the Cortex XDR agent on a Linux server that is not
running one of the kernel versions required for these additional
protection capabilities, the agent will operate in asynchronous
Continuous event monitoring required
for Behavioral Threat Protection is disabled.
Sharing endpoint activity data with Cortex apps is disabled.
ELF file examination and Local Privilege Escalation (LPE) examination
occur in parallel with the file execution. If the Cortex XDR agent
obtains a malware verdict for the file, it terminates the file execution.
Security events for malware in asynchronous mode are assigned a
high severity due to the potential for continued execution during
the verdict request while security events in synchronous mode are
All other exploit and malware protection is enabled per your
Linux security policy.