Scan an Endpoint for Malware

In addition to blocking the execution of malware, the Cortex XDR agent can scan your Windows and Mac endpoints and attached removable drives for dormant malware that is not actively attempting to run. The Cortex XDR agent examines the files on the endpoint according to the Malware security profile that is in effect on the endpoint (quarantine settings, unknown file upload, and so on). When a malicious file is detected during the scan, the Cortex XDR agent reports the malware to Cortex XDR so you can manually take additional action to remove the malware before it is triggered and attempts to harm the endpoint.
You can scan the endpoint in the following ways:
  • System scan—Initiate a full scan on demand from Endpoints Administration for an endpoint. To initiate a system scan, see Initiate a Full Scan from Cortex.
  • Periodic scan—Configure periodic full scans that run on the endpoint as part of the malware security profile. To configure periodic scans, see Add a New Malware Security Profile.
  • Custom scan—(Windows, requires a Cortex XDR agent 7.1 or later release) The end user can initiate a scan on demand to examine a specific file or folder. For more information, see the Cortex XDR agent administrator’s guide for Windows.

Initiate a Full Scan from Cortex

You can initiate full scans of one or more endpoints from either the All Endpoints table or the Action Center. After initiating a scan, you can monitor the progress from Incident Response > Response > Action Center. From both locations, you can also abort an in-progress scan. The time a scan takes to complete depends on the number of endpoints, connectivity to those endpoints, and the number of files for which Cortex XDR needs to obtain verdicts.
To initiate a scan from Cortex XDR:
  1. Log in to Cortex XDR.
    Select Incident Response > Response > Action Center > +New Action.
  2. Select Malware Scan.
  3. Click Next.
  4. Select the target endpoints (up to 100) on which you want to scan for malware.
    Scanning is available on Windows and Mac endpoints only. Cortex XDR automatically filters out any endpoints for which scanning is not supported. Scanning is also not available for inactive endpoints.
    If needed, Filter the list of endpoints by attribute or group name.
  5. Click Next.
  6. Review the action summary and click Done when finished.
    Cortex XDR initiates the action at the next heartbeat and sends the request to the agent to initiate a malware scan.
  7. To track the status of a scan, return to the Action Center.
    When the status is Completed Successfully, you can view the scan results.
  8. View the scan results.
    After a Cortex XDR agent completes a scan, it reports the results to Cortex XDR.
    To view the scan results for a specific endpoint:
    1. On Action Center, when the scan status is complete, right-click the scan action and select Additional data.
      Cortex XDR displays additional details about the endpoint.
    2. Right-click the endpoint for which you want to view the scan results and select View related security events.
      Cortex XDR displays a filtered list of malware alerts for files that were detected on the endpoint during the scan.
