Scan an Endpoint for Malware

The Cortex XDR agent can scan your Windows and Mac endpoints and attached removable drives for dormant malware that is not actively attempting to run.

In addition to blocking the execution of malware, the Cortex XDR agent can scan your Windows and Mac endpoints and attached removable drives for dormant malware that is not actively attempting to run. The Cortex XDR agent examines the files on the endpoint according to the Malware security profile that is in effect on the endpoint (quarantine settings, unknown file upload, etc.) When a malicious file is detected during the scan, the Cortex XDR agent reports the malware to Cortex XDR so you can manually take additional action to remove the malware before it is triggered and attempts to harm the endpoint.

You can scan the endpoint in the following ways:

System scan
—Initiate a full scan on demand from

Endpoints Administration

for an endpoint. To initiate a system scan, see Initiate a Full Scan from Cortex

Initiate a Full Scan from Cortex

Periodic scan
—Configure periodic full scans that run on the endpoint as part of the malware security profile. To configure periodic scans, see Add a New Malware Security Profile.

Custom scan
—(Windows, requires a Cortex XDR agent 7.1 or later release) The end user can initiate a scan on demand to examine a specific file or folder. For more information, see the Cortex XDR agent administrator’s guide for Windows.

Initiate a Full Scan from `Cortex`

You can initiate full scans of one or more endpoints from either

All Endpoints

table or the

Action Center

. After initiating a scan, you can monitor the progress from

Incident Response

Response

Action Center

. From both locations, you can also abort an in-progress scan. The time a scan takes to complete depends on the number of endpoints, connectivity to those endpoints, and the number of files for which Cortex XDR needs to obtain verdicts.

To initiate a scan from Cortex XDR:

Select

Incident Response

Response

Action Center

+New Action

Select

Malware Scan

Click

Select the target endpoints (up to 100) on which you want to scan for malware.

Scanning is available on Windows and Mac endpoints only. Cortex XDR automatically filters out any endpoints for which scanning is not supported. Scanning is also not available for inactive endpoints.

If needed,

Filter

the list of endpoints by attribute or group name.

Click

Review the action summary and click

Done

when finished.

Cortex XDR initiates the action at the next heart beat and sends the request to the agent to initiate a malware scan.

To track the status of a scan, return to the

Action Center

When the status is

Completed Successfully

, you can view the scan results.

View the scan results.

After a Cortex XDR agent completes a scan, it reports the results to Cortex XDR.

To view the scan results for a specific endpoint:

Action Center

, when the scan status is complete, right-click the scan action and select

Additional data

Cortex XDR displays additional details about the endpoint.

Right-click the endpoint for which you want to view the scan results and select

View related security events

Cortex XDR displays a filtered list of malware alerts for files that were detected on the endpoint during the scan.

Document:Cortex® XDR Pro Administrator’s Guide

Scan an Endpoint for Malware

Scan an Endpoint for Malware

Initiate a Full Scan from `Cortex`

Recommended For You

Document:Cortex® XDR Pro Administrator’s Guide

Scan an Endpoint for Malware

Scan an Endpoint for Malware

Initiate a Full Scan from Cortex

Recommended For You

Recommended Videos

Initiate a Full Scan from `Cortex`