Use Cortex® XDR™ Agent for Windows

Learn how to effectively use the Cortex® XDR™ agent for Windows by the different options described in this topic.
The Cortex XDR agent installs in the
C:\Program Files (x86)\Palo Alto Networks\Traps
folder. If you enabled access to the console, the agent console is also accessible from the notification area (system tray).
Use the following topics to use and mange the Cortex XDR agent for Windows:
  • Open the Cortex XDR application.
    The console displays active and inactive features by displaying a or to the left of the feature type. Select the
    tab to display additional tabs along the top of the console. The tabs allow you to navigate to pages that display additional details about security events, protected processes, and updates to the security policy. Usually, an end user will not need to run the Cortex XDR console, but the information can be useful when investigating a security-related event. You can choose to hide the tray icon that launches the console, or prevent its launch altogether.
    Use one of the following methods:
    • Browse to
      C:\Program Files\Palo Alto Networks\Traps
      and run the CyveraConsole.exe application.
    • If you enabled access to Cortex XDR from the notification area, double-click the Cortex XDR icon ( ) to launch the agent interface.
  • View status information about the Cortex XDR agent:
    • Advanced Endpoint Protection
      —Displays the overall protection status of the endpoint as enabled if one or more protection features are enabled, or disabled if no protection features are enabled.
      • Anti-Exploit Protection
        —Indicates whether or not exploit prevention rules are active in the endpoint security policy.
      • Anti-Malware Protection
        —Indicates whether restriction or malware protection modules are enabled in the endpoint security policy.
    • Version
      —Displays the Cortex XDR agent version.
    • Connection
      —Displays the connection status and, if connected, includes the server to which the agent is connected.
    • Last Check-in
      —Displays the local time on the endpoint of the last check-in with the server.
  • Manually connect to the server.
    The Cortex XDR agent periodically communicates with the server to send status information and retrieve the latest security policy. The Cortex XDR agent performs this operation transparently at regular intervals so it is not typically necessary to connect to the server manually. If your Connection status is Not Connected, you can try to manually connect. This option is available if you do not want to wait for the automated communication interval to become active.
    To initiate a manual check-in with the server,
    Check In Now
    from the home page of the Cortex XDR console. If the agent successfully establishes a connection with the server, the Connection status changes to Connected.
  • View and collect logs.
    • View logs
      Open Log File
      to view logs generated by the Cortex XDR agent. The logs display in your default text editor in chronological order with the most recent logs at the bottom.
    • Collect logs
      Generate Support File
      to collect Cortex XDR logs. After the Cortex XDR agent aggregates the logs, you can inspect or send them as needed. The logs can help you analyze any recent security events or Cortex XDR issues that you encounter. For remote endpoints, you can also retrieve logs from the Action Center.
  • View recent security events that occurred on your endpoint.
    1. Click
      , if necessary, to display additional actions that you can perform from the Cortex XDR console.
    2. Click
      For each event, the Cortex XDR console displays the local
      that an event occurred, the name of the
      that exhibited malicious behavior, the
      that triggered the event, and the mode specified for that type of event (Termination or Notification).
  • System and custom file scans.
    Cortex XDR malware scans on DLLs, executables, and Office files on Windows endpoints can be triggered from the Cortex XDR server, or manually on the endpoint.
    • System Scan
      System scans are initiated from the Cortex XDR sever. You can view the
      System Scan
      progress in your Cortex XDR agent console. However, you cannot control this scan from the endpoint.
    • Custom Scan
      — You can initiate file scanning on demand on your Windows endpoints and get an immediate verdict from WildFire, before the file is ever executed on the endpoint. This ability is enabled by default in the Cortex XDR agent Malware profile settings.
      To initiate a custom scan on the endpoint:
      1. Right-click a file or folder and select
        Scan with Cortex XDR
        You will not see this option if
        End-user initiated local scan
        is disabled on your endpoint.
      2. The Cortex XDR agent console opens and you can see the custom scan in progress and eventually the scan verdict for the file. When a malicious file is detected during the custom scan, the event is reported to Cortex XDR directly and will be visible in the Alerts table table as
        Detected (Scanned)
        . However, it will not appear on the
        tab of the Cortex XDR agent console. If the file is unknown to WildFire, the agent applies Local Analysis.
      You can scan up to 100 items simultaneously. An item can be single file or a single folder, regardless of the number of files within the folder (for example, a folder containing more than 100 files is considered one item by Cortex XDR).
      If you scan an unsupported file type, the Cortex XDR agent console will not show a notification for it, and the file will be considered non-malicious.
  • Change the display language for the Cortex XDR console.
    The Cortex XDR console is localized in the following languages: English, German, French, Spanish, Chinese (traditional and simplified), and Japanese.
    1. Click
      , if necessary, to display additional actions that you can perform from the Cortex XDR console.
    2. Click
    3. Select the display language for Cortex XDR (default is English).
  • Configure proxy communication.
    You can use a proxy server on the endpoint for all communications to and from the endpoint, including the communication between the Cortex XDR agent and Cortex XDR.
    • Define proxy settings explicitly
      —You can define a proxy thorough the operating system
      Network & Internet
      settings, or using the
      command from a command prompt. For example:
      netsh winhttp set proxy proxy-server="
      • <protocol>
        is either http (unsecure) or https (secure) depending on which protocol you use for proxy communication.
      • <proxyserver>
        is the IP address or FQDN for your proxy server.
      • <port>
        is the port number used for communication with the proxy server.
      You can configure Windows to use an unsecure or secure proxy server or you can specify both.
      For example, to use different proxy servers for unsecure and secure proxy communication:
      netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8181"
      You can also specify the same server and same port for both unsecure and secure proxy communication.
      There are three options for this command: You can run the command manually (in a command-prompt as an administrator), you can specify the command in a log-in script, or you can use GPO commands.
    • Retrieve proxy settings through a proxy auto-config (PAC) file
      —Cortex XDR can retrieve automatic proxy settings configured on your endpoint explicitly, in a group policy, or using WPAD. No additional agent settings are required for this use case.
      If the proxy settings on your endpoint are configured via WPAD or a user setup script, when you isolate an endpoint from the network you will also lose connectivity with Cortex XDR server.
  • Persistent notification from agent that your machine can’t access the network. Only when the issue is resolved, the notification does not appear.

Recommended For You