Use the Cortex XDR Agent App 7.1 for Android

Cortex XDR App for Android Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 7.1.3
Creation date: 2022-08-31
Last date published: 2023-12-12
Category: Administrator Guide

When you first install Cortex XDR for Android, the app scans all apps installed on the Android endpoint. For each app it detects, the app computes a hash of the APK file and requests the verdict for that hash from Cortex XDR. If Cortex XDR has no verdict for the hash, it queries WildFire.

After the initial scan, the app inspects new apps immediately as they are installed, and again whenever an automated or manual scan runs. For apps that have no verdict (unknown apps), the app performs local analysis to estimate the likelihood that the app is malware while simultaneously sending the file to Cortex XDR for in-depth analysis. You configure both behaviors in Cortex XDR, in the Malware Security Profile for Android.

Use the app to perform the following tasks:

  • View all apps.

    The Cortex XDR home page displays the status of anti-malware protection and each app that is installed on the Android endpoint. The summary area displays the total number of Blocked, Allowed, and Pending (unknown) apps. The summary automatically refreshes as Cortex XDR discovers new apps and receives updated or changed verdicts.


    Cortex XDR identifies apps as one of the following categories:

    • Blocked—Cortex XDR blocks an app if the app has a Malware verdict as determined by WildFire or local analysis, is blocked by a hash exception policy, or is unknown. To block unknown apps, you must enable Block files with unknown verdict in your Malware Security Profile for Android endpoints. An app blocked by a hash exception policy is also shown with a Blocked status.

    • Allowed—Cortex XDR allows an app to run if the app has a Benign verdict as determined by WildFire or local analysis, or is signed by a trusted signer. You define trusted signers as part of your Malware Security Profile for Android endpoints.

    • Pending—A pending app is an app that has not yet received an official WildFire verdict. This includes apps for which Cortex XDR has used local analysis to issue a provisional local verdict. Unknown apps are allowed to run only if Block files with unknown verdict is not enabled in your Malware Security Profile for Android endpoints.

    By default, the Cortex XDR home page orders the apps by most recent.

    To view the full list of apps, select VIEW MORE.

  • Filter and sort apps.

    The Cortex XDR home page displays a summary of recent apps that have attempted to run on your endpoint. To easily jump to a filtered view by the app category (Blocked, Allowed, or Pending), you can tap the app category. From the Apps page, you can also sort the results by date (most recent or oldest) or app name (A to Z or Z to A). Sorting only applies to the app categories that you select.

    • Filter by app category

      The Summary page shows the total for each app category. Select a total to filter the list to that category; for example, select the number of Blocked apps to view only blocked apps.

      To restore the full list, select the categories that are currently filtered out (shown as unavailable).

    • Sort by date

      1. From the Apps page, select the menu in the top right.

      2. Select Sort by.

      3. Select either Date (Most recent) or Date (Oldest).

      Cortex XDR sorts the results by date in the order you selected.

    • Sort by name

      1. From the Apps page, select the menu in the top right.

      2. Select Sort by.

      3. Select either App name (A to Z) or App name (Z to A).

      Cortex XDR sorts the results alphabetically based on your selection.

  • Scan apps.

    From the Scans page in the app, you can review scan history and can initiate a new scan. When you first install Cortex XDR for Android, the app scans all user-installed apps on the endpoint. When Cortex XDR detects a new app, Cortex XDR requests the verdict from WildFire, optionally performs local analysis to determine the likelihood of malware, and allows or blocks the app based on your policy configuration. At regular intervals (by default, every 14 days), Cortex XDR also rechecks all verdicts with WildFire.

    1. From the Summary page, select the Cortex XDR menu at the top left.

    2. Select Scan, then START SCAN.


      Cortex XDR scans all apps and requests verdicts for the apps. Cortex XDR also displays a history of scans which includes the date and time the scan ran, and the number of apps identified as malware or as benign.

  • Take action on malware, blocked apps, and unknown files.

    When you attempt to run a malicious app, a blocked app (as defined by a hash exception policy), or an unknown app, Cortex XDR automatically blocks the app from running. If your configuration allows it, Cortex XDR can prompt you to ignore the malware verdict and allow the app to run (not recommended). You can also configure Cortex XDR to treat grayware the same as it does malware.

    If Cortex XDR identifies a malicious or suspicious (unknown) app, Cortex XDR stops the app from running on the Android endpoint, and prompts you with the following actions:

    • ALLOW—This option is exposed only if you enable the Prompt action mode in your Malware Security Profile. The option enables a user to ignore the malware (or unknown) verdict and permit the app to run. Use this option with caution.

    • STOP—Close the alert window until the next attempt to run the app.

    • UNINSTALL—Remove the malware from the Android endpoint by uninstalling the app.
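The page describes the verdict flow in prose: hash the APK, obtain a WildFire or local-analysis verdict, apply the Malware Security Profile, and show the app as Blocked, Allowed, or Pending, with ALLOW/STOP/UNINSTALL offered when an app is stopped. The following Python is an added example, not Cortex XDR code, that models that decision logic end to end on constructed sample data. It assumes SHA-256 as the file hash; it assumes the precedence hash exception, then Malware verdict, then trusted signer or Benign verdict, then unknown handling; it assumes grayware that is not treated as malware is allowed, and that ALLOW is not offered for hash-exception blocks. None of those details are stated on this page, and the setting names (block_unknown, prompt_mode, and so on) are the example's own.

```python
"""Verdict-to-status model for Cortex XDR for Android (added example, not product code).

Assumed precedence: hash exception > Malware verdict > trusted signer or
Benign verdict > unknown handling. The page does not state the real order.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional, Tuple


class Verdict(Enum):
    BENIGN = "benign"
    GRAYWARE = "grayware"
    MALWARE = "malware"


class Status(Enum):
    ALLOWED = "Allowed"
    BLOCKED = "Blocked"
    PENDING = "Pending"  # no verdict yet and policy does not block unknowns


@dataclass
class AndroidMalwareProfile:
    """Settings named on this page; the field names are this example's own."""
    block_unknown: bool = False                # "Block files with unknown verdict"
    treat_grayware_as_malware: bool = False
    prompt_mode: bool = False                  # "Prompt" action mode exposes ALLOW
    trusted_signers: set = field(default_factory=set)
    hash_exceptions: dict = field(default_factory=dict)  # sha256 -> "block" | "allow"


def apk_hash(apk_bytes: bytes) -> str:
    """Assumption: SHA-256, the digest WildFire keys file verdicts on."""
    return hashlib.sha256(apk_bytes).hexdigest()


def classify(apk_bytes: bytes, signer: str,
             verdict_for: Callable[[str], Optional[Verdict]],
             profile: AndroidMalwareProfile) -> Tuple[Status, str]:
    """Return (Status, reason) for one APK under the given profile."""
    digest = apk_hash(apk_bytes)
    exception = profile.hash_exceptions.get(digest)
    if exception == "block":
        return Status.BLOCKED, "hash exception"
    if exception == "allow":
        return Status.ALLOWED, "hash exception"

    verdict = verdict_for(digest)  # WildFire or local analysis; None = unknown
    if verdict is Verdict.GRAYWARE and profile.treat_grayware_as_malware:
        verdict = Verdict.MALWARE
    if verdict is Verdict.MALWARE:
        return Status.BLOCKED, "malware verdict"
    if signer in profile.trusted_signers:
        return Status.ALLOWED, "trusted signer"
    if verdict in (Verdict.BENIGN, Verdict.GRAYWARE):  # grayware allowed here (assumption)
        return Status.ALLOWED, f"{verdict.value} verdict"
    if profile.block_unknown:
        return Status.BLOCKED, "unknown verdict"
    return Status.PENDING, "awaiting WildFire verdict"


def user_actions(status: Status, reason: str, profile: AndroidMalwareProfile) -> list:
    """Buttons shown when the agent stops an app: ALLOW (Prompt mode only), STOP, UNINSTALL."""
    if status is not Status.BLOCKED:
        return []
    actions = ["STOP", "UNINSTALL"]
    # ALLOW overrides a malware or unknown verdict; assumed absent for hash-exception blocks.
    if profile.prompt_mode and reason != "hash exception":
        actions.insert(0, "ALLOW")
    return actions


# Constructed sample data: fake APK contents, signers, and a fake verdict table.
SAMPLE_APKS = {
    "com.example.banking": (b"PK\x03\x04 fake benign apk", "CN=Example Bank"),
    "com.example.dropper": (b"PK\x03\x04 fake malicious apk", "CN=Unknown Dev"),
    "com.example.newgame": (b"PK\x03\x04 fake unseen apk", "CN=Indie Games"),
    "com.example.tooling": (b"PK\x03\x04 fake internal apk", "CN=Corp IT"),
}
_VERDICTS = {
    apk_hash(SAMPLE_APKS["com.example.banking"][0]): Verdict.BENIGN,
    apk_hash(SAMPLE_APKS["com.example.dropper"][0]): Verdict.MALWARE,
}


def sample_verdict(digest: str) -> Optional[Verdict]:
    return _VERDICTS.get(digest)


def summarize(profile: AndroidMalwareProfile) -> dict:
    """Per-package (Status, reason), like the agent's home-page summary."""
    return {pkg: classify(data, signer, sample_verdict, profile)
            for pkg, (data, signer) in SAMPLE_APKS.items()}


if __name__ == "__main__":
    profile = AndroidMalwareProfile(prompt_mode=True, trusted_signers={"CN=Corp IT"})
    for pkg, (status, reason) in summarize(profile).items():
        print(f"{pkg:22} {status.value:8} {reason:26} {user_actions(status, reason, profile)}")
```

Flip block_unknown to True and the unseen package moves from Pending to Blocked, which is the policy change the Blocked and Pending descriptions above turn on; set prompt_mode to False and ALLOW disappears from the offered actions.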