XDR™ Agent for Windows
Learn how to use the Cortex® XDR™ agent for Windows effectively through the options described in this topic.
The Cortex XDR agent installs in the C:\Program Files (x86)\Palo Alto Networks\Traps folder. If you enabled access to the console, the agent console is also accessible from the notification area (system tray).
Use the following topics to use and manage the Cortex XDR agent for Windows:
- Open the Cortex XDR application. The console indicates active and inactive features with an icon to the left of the feature type. Select the Advanced tab to display additional tabs along the top of the console. The tabs allow you to navigate to pages that display additional details about security events, protected processes, and updates to the security policy. Usually, an end user will not need to run the Cortex XDR console, but the information can be useful when investigating a security-related event. You can choose to hide the tray icon that launches the console, or prevent its launch altogether. Use one of the following methods:
  - Browse to C:\Program Files\Palo Alto Networks\Traps and run the CyveraConsole.exe application.
  - If you enabled access to Cortex XDR from the notification area, double-click the Cortex XDR icon to launch the agent interface.
- View status information about the Cortex XDR agent:
  - Advanced Endpoint Protection—Displays the overall protection status of the endpoint as enabled if one or more protection features are enabled, or disabled if no protection features are enabled.
  - Anti-Exploit Protection—Indicates whether or not exploit prevention rules are active in the endpoint security policy.
  - Anti-Malware Protection—Indicates whether restriction or malware protection modules are enabled in the endpoint security policy.
  - Version—Displays the Cortex XDR agent version.
  - Connection—Displays the connection status and, if connected, includes the server to which the agent is connected.
  - Last Check-in—Displays the local time on the endpoint of the last check-in with the server.
- Manually connect to the server. The Cortex XDR agent periodically communicates with the server to send status information and retrieve the latest security policy. The agent performs this operation transparently at regular intervals, so it is not typically necessary to connect to the server manually. If your Connection status is Not Connected, you can try to connect manually instead of waiting for the next automated communication interval. To initiate a manual check-in with the server, select Check In Now from the home page of the Cortex XDR console. If the agent successfully establishes a connection with the server, the Connection status changes to Connected.
- View and collect logs.
  - View logs—Click Open Log File to view logs generated by the Cortex XDR agent. The logs display in your default text editor in chronological order with the most recent logs at the bottom.
  - Collect logs—Click Generate Support File to collect Cortex XDR logs. After the Cortex XDR agent aggregates the logs, you can inspect or send them as needed. The logs can help you analyze any recent security events or Cortex XDR issues that you encounter. For remote endpoints, you can also retrieve logs from the Action Center.
- View recent security events that occurred on your endpoint.
  - Click Advanced, if necessary, to display additional actions that you can perform from the Cortex XDR console.
  - Click Events. For each event, the Cortex XDR console displays the local Time that an event occurred, the name of the Process that exhibited malicious behavior, the Module that triggered the event, and the mode specified for that type of event (Termination or Notification).
- System and custom file scans. Cortex XDR malware scans on DLLs, executables, and Office files on Windows endpoints can be triggered from the Cortex XDR server, or manually on the endpoint.
  - Custom Scan—You can initiate file scanning on demand on your Windows endpoints and get an immediate verdict from WildFire, before the file is ever executed on the endpoint. This ability is enabled by default in the Cortex XDR agent Malware profile settings.
    You can scan up to 100 items simultaneously. An item can be a single file or a single folder, regardless of the number of files within the folder (for example, a folder containing more than 100 files is considered one item by Cortex XDR). If you scan an unsupported file type, the Cortex XDR agent console will not show a notification for it, and the file will be considered non-malicious.
    To initiate a custom scan on the endpoint:
    - Right-click a file or folder and select Scan with Cortex XDR. You will not see this option if End-user initiated local scan is disabled on your endpoint.
    - The Cortex XDR agent console opens and you can see the custom scan in progress and eventually the scan verdict for the file. When a malicious file is detected during the custom scan, the event is reported to Cortex XDR directly and will be visible in the Alerts table as Detected (Scanned). However, it will not appear on the Events tab of the Cortex XDR agent console. If the file is unknown to WildFire, the agent applies Local Analysis.
- Change the display language for the Cortex XDR console. The Cortex XDR console is localized in the following languages: English, German, French, Spanish, Chinese (traditional and simplified), and Japanese.
  - Click Advanced, if necessary, to display additional actions that you can perform from the Cortex XDR console.
  - Select the display language for Cortex XDR (default is English).
- Configure proxy communication. You can use a proxy server on the endpoint for all communications to and from the endpoint, including the communication between the Cortex XDR agent and Cortex XDR.
  - Define proxy settings explicitly—You can define a proxy through the operating system Network & Internet settings, or using the netsh command from a command prompt. For example:
      netsh winhttp set proxy proxy-server="<protocol>=<proxyserver>:<port>"
    where:
    - <protocol> is either http (unsecure) or https (secure) depending on which protocol you use for proxy communication.
    - <proxyserver> is the IP address or FQDN for your proxy server.
    - <port> is the port number used for communication with the proxy server.
    You can configure Windows to use an unsecure or secure proxy server, or you can specify both. For example, to use different proxy servers for unsecure and secure proxy communication:
      netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8181"
    You can also specify the same server and same port for both unsecure and secure proxy communication. There are three options for running this command: you can run it manually (in a command prompt as an administrator), you can specify it in a log-in script, or you can use GPO commands.
  - Retrieve proxy settings through a proxy auto-config (PAC) file—Cortex XDR can retrieve automatic proxy settings configured on your endpoint explicitly, in a group policy, or using WPAD. No additional agent settings are required for this use case. If the proxy settings on your endpoint are configured via WPAD or a user setup script, when you isolate an endpoint from the network you will also lose connectivity with the Cortex XDR server.
- Persistent notification from the agent that your machine can’t access the network. The notification stops appearing only after the issue is resolved.
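
For the log-in script and GPO options under "Define proxy settings explicitly", the following PowerShell sketch builds the proxy-server value, validates each part, and changes the WinHTTP setting only when it differs from what is already configured. It is an added example, not taken from the Palo Alto Networks documentation; the function name Get-ProxyServerValue is hypothetical, the proxy names and ports are the sample values from this page, and it assumes IPv4 or FQDN proxy addresses and that `netsh winhttp show proxy` echoes the configured value verbatim.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent WinHTTP proxy setup for a log-in or GPO startup script.
# Sample values from this page; replace with your own proxy servers.
$Proxies = [ordered]@{
    http  = 'myproxy:8080'   # unsecure proxy communication
    https = 'sproxy:8181'    # secure proxy communication
}

# Hypothetical helper: turns the map into "<protocol>=<proxyserver>:<port>;..."
# and rejects anything that does not fit the format described on this page.
function Get-ProxyServerValue {
    param([System.Collections.IDictionary]$Map)
    $parts = foreach ($protocol in $Map.Keys) {
        if ($protocol -notin 'http', 'https') {
            throw "Unsupported protocol '$protocol' (expected http or https)."
        }
        # Split on the first colon only: left side is the server, right side the port.
        $server, $port = $Map[$protocol] -split ':', 2
        if (-not $server -or $port -notmatch '^\d{1,5}$' -or
            [int]$port -lt 1 -or [int]$port -gt 65535) {
            throw "Invalid <proxyserver>:<port> value '$($Map[$protocol])' for $protocol."
        }
        "$protocol=${server}:$port"
    }
    $parts -join ';'
}

$desired = Get-ProxyServerValue -Map $Proxies

# Assumption: the current setting appears verbatim in the 'show proxy' output.
$current = (netsh winhttp show proxy) -join "`n"

if ($current.Contains($desired)) {
    Write-Output "WinHTTP proxy already set to $desired"
} else {
    # Passed as one argument; no spaces in the value, so no inner quoting is needed.
    netsh winhttp set proxy "proxy-server=$desired"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    netsh winhttp show proxy   # print the resulting configuration for the script log
}
```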