1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex® XDR™ Agent Release Notes
    5. Cortex® XDR™ Agent 7.3 Release Information
    6. Features Introduced in Cortex® XDR™ Agent 7.3
    End-of-Life (EoL)

    Features Introduced in Cortex® XDR™ Agent 7.3

    Describes the new features introduced in Cortex XDR agent 7.3 releases.
    The following topics describe the new features introduced in Cortex XDR agent 7.3 releases according to the supported agent operating systems.

    Features Introduced in Cortex XDR Agent 7.3.5

    There are no new features in this release.

    Features Introduced in Cortex XDR Agent 7.3.4

    There are no new features in this release.

    Features Introduced in Cortex XDR Agent 7.3.3

    There are no new features in this release.

    Features Introduced in Cortex XDR Agent 7.3.2

    There are no new features in this release.

    Features Introduced in Cortex XDR Agent 7.3.1

    The following features were introduced in Cortex XDR agent 7.3.1
    Feature
    Change to Behavior
    Microsoft Exchange Vulnerability Protection
    (
    Requires a Cortex XDR agent 7.3.1, and PTU 171-54296 or PTU 172-54529
    )
    Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
    The Cortex XDR agent provides additional coverage to identify and block zero-days-attacks associated with CVE-2021-26855. Two new behavioral threat protection alerts have been added to address these exploitation attempts:
    • Sync.exchange_cve_2021_26855_unpatched_server
      —When using PTU 171-54296, this rule reports of unpatched endpoints that are attacked so you can proceed to patch them and mitigate the risk. Palo Alto Networks strongly recommends that you do not disable these notifications until your endpoint is patched, or you applied the suggested Microsoft Workaround. When using PTU 172-54529 or a later release, this rule blocks the attack on the endpoint. Due to a current known issue, Cortex XDR still displays the alert as
      Detected (Reported)
      , however the attack is actually Blocked. The content version at time of event is very important for the distinction of a reported only or prevented attack.
    • Sync.exchange_cve_2021_26855_patched_server
      —Reports of already patched endpoints where an exploitation attempt took place but failed since the machine is patched. This alert is designed to inform you that your endpoint was targeted and requires no immediate action. You can disable this alert directly from Cortex XDR if you are no longer interested in receiving it.
    To enable the Cortex XDR agent generate the alerts, follow these steps:
    1. Ensure Behavioral Threat Protection (BTP) rules are enabled in your Malware Security Profile.
    2. Verify the content version number on the endpoint is either PTU 171-54296, or PTU 172-54529 and later. You can do so either from the
      Endpoint Administration
       page, or by running the
      cytool info query
       command on the endpoint. Otherwise, if the content number is different, perform check-in from the Cortex XDR agent console to retrieve latest PTU version.
    3. Check the Cortex XDR agent version running on the endpoint. If the agent has already been upgraded to 7.3.1, you must restart the Cortex XDR agent so when the
      w3wp
       process is launched, the new policy is already in place and applied. Otherwise, if the agent version running on the endpoint is 7.3 or earlier, proceed to upgrade to the Cortex XDR agent to the 7.3.1 release and no agent restart is needed.
    4. Restart Microsoft Internet Information Services (IIS) on the endpoint using the
      iisreset
       command on the endpoint. The Cortex XDR agent rules work only with the default installation paths for Exchange server and IIS
    5. The new BTP rules are applied by default.
    6. For your patched endpoints, you can stop receiving alerts by right-clicking an alert generated by the
      sync.exchange_cve_2021_26855_patched_server
       rule in Cortex XDR and selecting
      Exclude Alert
      .
    For more information on Cortex XDR coverage, see the Palo Alto Networks Security Operations blog.
    Remote Malicious Causality Chains Response for IPv6 Network Connections
    (
    Windows
    )
    This feature will be enabled in mid-March 2021 with the Cortex XDR management console 2.8 release.
    This Cortex XDR agent release will be able to respond to remote malicious causality chains and block IP network connections made via IPv6 network interfaces, in addition to IPv4. For more information, refer to Add a New Malware Security Profile.

    Features Introduced in Cortex XDR Agent 7.3

    Windows Features

    Feature
    Description
    Unpatched Vulnerabilities Protection (Windows)
    (
    Requires a Cortex XDR agent 7.1 or a later version
    )
    Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094. For more information, refer to the Microsoft Security Response Center.
    For Cortex XDR agents 7.1 and later releases running on unpatched Windows endpoints, a new capability in the Exploit Security profile will modify IP4 and IPv6 settings temporarily on the endpoint as a workaround to protect unpatched endpoints from these known vulnerabilities. After the endpoint is patched with a fix for these vulnerabilities, the Cortex XDR agent automatically reverts all modified Windows system settings to their values before modification.
    Before applying this workaround on your endpoints, refer to the Cortex XDR Administrator’s Guide for the full details and impact this workaround could have on your network.
    Remote Malicious Causality Chains Response
    When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypt endpoint files—the agent can now block the IP address to close all existing communication and block new connections from this IP address to the endpoint.
    You can view the list of all blocked IP addresses per endpoint from the Cortex XDR
    Action Center
    , as well as unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile where you can also add a specific and known safe IP address or IP address range to the IP addresses allow list. This capability is supported for network connections made in IPv4 only.
    When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules.
    Live Terminal Enhancements (Windows and Mac)
    To improve the awareness and visibility of the endpoint end user, now when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light ( ) on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently.
    Enhanced Local Analysis Prevention
    The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine provides additional context to Cortex XDR alerts by matching the samples that are under agent examination to static rules that inspect multiple file attributes and features.
    The Local Analysis rules are maintained by the Palo Alto Networks Research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module.
    Vulnerable Drivers Protection
    Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR can deliver changes to vulnerable driver rules with content updates.
    To configure vulnerable drivers protection, you must enable
    Behavioral Threat Protection
     and configure the
    Action mode for vulnerable drivers protection
     as part of a Malware Security Profile.
    By default, Cortex XDR blocks all identified attempts to run vulnerable drivers. If you change the default (
    Block
    ), you can
    Report
     (and allow) vulnerable drivers or disable the module. If needed, you can also configure exceptions to allow specific drivers to run.
    Device Control for VDI
    Cortex XDR now extends Device Control policy for USB devices to include virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB Devices that were connected prior to the agent enforcing the Device Control policy rules are not blocked after the fact.
    Note the following limitations:
    • Virtual environments leverage different stacks that might not be subject to the Device Control policy rules that are enforced by the Cortex XDR agent and, therefore, could lead to USB devices that are allowed to connect to the VDI instance in contrast to the configured policy rules.
    • The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that are running on physical endpoints where a Cortex XDR agent is not deployed.
    Extended Device Control to Read-Only Disk Drives (Windows and Mac)
    (
    Requires a Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints
    )
    You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.

    Mac Features

    Feature
    Description
    Network Isolation of Endpoints (macOS 10.15.4 and later)
    Cortex XDR now extends the Network isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate your endpoint to halt all network access on the endpoint except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel this isolation from Cortex XDR.
    Note the following limitations:
    • If during isolation you need the Cortex XDR agent to communicate with an application or proxy, add the process to the Network Isolation Allow List Network Isolation Allow List.
    • To ensure that an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
    Search and Destroy Malicious Files on Endpoints (macOS 10.15.4 and later)
    (
    Requires a Cortex XDR Pro per Endpoint license and Host-Insights Add-on
    )
    Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use search and destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
    Live Terminal Enhancements (Windows and Mac)
    To improve the awareness and visibility of the endpoint end user, now when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light ( ) on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently.
    Extended Device Control to Read-Only Disk Drives (Windows and Mac)
    (
    Requires a Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints
    )
    You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.
    Peer-to-Peer Content Distribution (Mac and Linux)
    Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
    Agent Installation Using a Unified Configuration Profile File for MDMs
    For a seamless installation of the Cortex XDR agent that does not require end user interaction, Palo Alto Networks now provides a unified configuration profile that you can upload to any third party deployment software of your choice. You can download a configuration profile already signed by Palo Alto Networks, or an unsigned configuration profile, if you prefer or are required to sign using your own signing certificate. You can use the unified configuration profile to deploy any version of the Cortex XDR agent. For more information, refer to Install the Cortex XDR Agent Using a Unified Configuration Profile for MDMs.

    Linux Features

    Feature
    Description
    Peer-to-Peer Content Distribution (Mac and Linux)
    Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
    Custom Agent Installation Directory
    You can now install your Cortex XDR agent in a custom directory on the endpoint instead of using the default
    ./opt
     directory. To do this, set the custom path in a new installation variable
    --install-path=/
    <some/path>
    . After you install the Cortex XDR to the custom path, all following upgrades and the removal of the agent from the endpoint are executed in the same location.
    New Operating Systems Support
    You can now install the Cortex XDR agent on Linux endpoints that are running on:
    • Debian 10, OpenSuse Leap 15.1, or SUSE 15 SP2.
    • Ubuntu Server 16, Ubuntu Server 18, and Ubuntu Server 20 with AWS kernel modules.
    For all supported kernel versions, see the Latest kernel module version support
    .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo