Changes to Default Behavior in Cortex XDR Agent 7.7
The following topic describes changes to default behavior
in Cortex XDR agent 7.7.
Change to Behavior
To support the Benign with Low Confidence
verdict, a new field was added to the WildFire verdict local database.
As a result, when you upgrade a Cortex XDR agent release prior to
7.6 to a Cortex XDR agent 7.5, the local WildFire cache is deleted,
which could increase the number of initial WildFire queries on the
endpoint after upgrade.
Retaining Cortex XDR extensions in macOS
To comply with the new operating system
behavior starting with macOS 11.3, where uploading a configuration
file in MDM automatically unloads from the endpoint any previously
uploaded extensions by the same vendor, the Cortex XDR agent 7.6
and later retains its extensions on the endpoint in such cases.
Aggregated pop-up for Agent Uninstall
To improve user experience, now when you uninstall
the Cortex XDR agent from endpoints running macOS 10.15.4 or later,
you are prompted only once to enter your admin password.
Reverse Shell Protection
Starting with this release, if the Cortex
XDR agent is operating in asynchronous mode then Reverse
Shell Protection is not supported. For more information on supported
kernel modules, see the Palo Alto Networks Compatibility Matrix.
New process XDR Health improves upgrade
process of the Cortex XDR agent
To improve the upgrade process of the Cortex
XDR agent, Cortex XDR now uses a new process called “XDR Health”
to monitor the machine at startup time and initiate an upgrade rollback
in case of a failed upgrade. This new service runs as the machine
starts and checks if the installer has paused. If it has, the machine
re-initiates the Windows installer to rollback to the status prior
to the upgrade. As upgrades have multiple re-tries, the next try works
on the agent of its original version with no interference. The service
only runs at startup and remains in pause mode during other times.
To ensure this service is not removed, a periodic task would re-instate the
process in case it was removed.
Signed Cortex XDR Agent Installation for
To better secure your Cortex XDR agent installations
on Linux machines, installation packages are now signed by Palo
Alto Networks. The installation package contains a new configuration
file which includes the tenant ID and registration key. When installing
the agent installation package, if signature-checking is configured,
you will need to install a Cortex XDR public key.