Use the Cortex XDR Agent App for Android - Administrator Guide - 8.0

Cortex XDR App for Android Administrator Guide

Product
Cortex XDR
Cortex XDR Agent
Version
8.0
Creation date
2022-12-12
Last date published
2023-12-12
Category
Administrator Guide

When you first install Cortex XDR for Android, the app scans all apps installed on the Android endpoint. For each app it detects, it computes a hash of the APK file and requests the file verdict for that hash from Cortex XDR. If Cortex XDR does not already have a verdict for the hash, it queries WildFire.

After the initial scan, Cortex XDR inspects apps immediately as they are installed, and whenever an automated or manual scan runs. At regular intervals (by default, every two days), Cortex XDR also rechecks all stored verdicts with WildFire. For apps with an unknown verdict, Cortex XDR performs local analysis on the device to estimate the likelihood that the app is malware, while at the same time sending the file to Cortex XDR for in-depth analysis. The administrator configures the behavior for both actions in the Malware Security Profile for Android in Cortex XDR.

The Cortex XDR home page displays the status of anti-malware protection, a numerical summary, and a list of the apps installed on the Android endpoint. Cortex XDR automatically refreshes the summary when it discovers new apps and receives updated or changed verdicts. You can access more information about each app from the home page.

The following categories are used to classify apps:

  • Blocked—Cortex XDR blocks an app if it has a Malware verdict from WildFire or local analysis, if it is blocked by a hash exception policy, or if it has an Unknown verdict and the administrator has enabled Block files with unknown verdict in the Malware Security Profile for Android endpoints. An app that Cortex XDR blocks because of a hash exception policy is shown with a Block status.

  • Allowed—Cortex XDR allows an app to run if it has a Benign verdict from WildFire or local analysis, or if it is signed by a trusted signer. The administrator adds trusted signers to the allow list in the Malware Security Profile for Android endpoints.

  • Pending—A pending app has not yet received an official WildFire verdict. This includes apps for which Cortex XDR has issued a local verdict based on local analysis. Pending (unknown) apps are allowed to run only when the Malware Security Profile for Android is not configured to block files with unknown verdicts.
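The following Python model shows how the inputs described above (the APK hash, the hash exception policy, the trusted-signer allow list, the WildFire or local-analysis verdict, and the profile settings) combine into the Blocked, Allowed and Pending categories and into the actions the user is offered when an app is blocked. It is an added illustration, not Cortex XDR code: the field names, the SHA-256 hash, the sample packages and fingerprints, and above all the precedence order (hash exception, then trusted signer, then WildFire verdict, then local analysis) are assumptions, since the guide does not state how the checks are ordered.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    BENIGN = "benign"
    MALWARE = "malware"
    GRAYWARE = "grayware"


@dataclass
class MalwareProfile:
    """Settings from the Malware Security Profile for Android (field names are assumed)."""
    block_unknown: bool = False           # "Block files with unknown verdict"
    grayware_as_malware: bool = False     # treat grayware the same as malware
    prompt_mode: bool = False             # Prompt action mode exposes the user "Allow" override
    trusted_signers: set = field(default_factory=set)  # allow-listed signing-cert fingerprints
    blocked_hashes: set = field(default_factory=set)   # hash exception policy (block)


@dataclass
class App:
    package: str
    apk_bytes: bytes   # constructed stand-in for the APK file contents
    signer: str        # fingerprint of the APK signing certificate (constructed)


def apk_hash(data: bytes) -> str:
    """Hash used to request the file verdict (SHA-256 is an assumption here)."""
    return hashlib.sha256(data).hexdigest()


def classify(app, profile, wildfire, local_analysis):
    """Return the home-page category, whether the app may run, and the actions
    offered to the user when it is blocked.

    Precedence is an assumption (the guide does not state one): hash exception,
    then trusted signer, then the official WildFire verdict, then local analysis
    for apps WildFire has not yet classified. `wildfire` and `local_analysis`
    map hash -> Verdict and stand in for the cloud lookup and the on-device model.
    """
    h = apk_hash(app.apk_bytes)
    if h in profile.blocked_hashes:
        category, blocked = "Blocked", True
    elif app.signer in profile.trusted_signers:
        category, blocked = "Allowed", False
    elif h in wildfire:
        v = wildfire[h]
        bad = v is Verdict.MALWARE or (v is Verdict.GRAYWARE and profile.grayware_as_malware)
        category, blocked = ("Blocked", True) if bad else ("Allowed", False)
    else:
        # No official verdict yet, so the app is Pending. Local analysis runs while
        # the file is submitted for in-depth analysis; a local Malware verdict or
        # the block-unknown setting keeps the app from running in the meantime.
        category = "Pending"
        blocked = local_analysis.get(h) is Verdict.MALWARE or profile.block_unknown
    actions = []
    if blocked:
        actions = ["Stop", "Uninstall"]
        if profile.prompt_mode:
            actions.insert(0, "Allow")   # only exposed in Prompt action mode
    return {"hash": h, "category": category, "blocked": blocked, "actions": actions}


def inventory_summary(apps, profile, wildfire, local_analysis):
    """Per-app results plus the Blocked / Allowed / Pending counts shown on the home page."""
    results = {a.package: classify(a, profile, wildfire, local_analysis) for a in apps}
    counts = {"Blocked": 0, "Allowed": 0, "Pending": 0}
    for r in results.values():
        counts[r["category"]] += 1
    return results, counts


# Constructed sample inventory; packages, file contents and fingerprints are not real.
PROFILE = MalwareProfile(grayware_as_malware=True, prompt_mode=True,
                         trusted_signers={"A1:B2:C3"},
                         blocked_hashes={apk_hash(b"legacy.apk")})
APPS = [
    App("com.example.mail", b"mail.apk", signer="A1:B2:C3"),       # trusted signer
    App("com.example.game", b"game.apk", signer="FF:EE:DD"),       # WildFire: benign
    App("com.example.adware", b"adware.apk", signer="FF:EE:DD"),   # WildFire: grayware
    App("com.example.new", b"new.apk", signer="00:11:22"),         # no verdict anywhere yet
    App("com.example.dropper", b"dropper.apk", signer="00:11:22"), # local analysis: malware
    App("com.example.legacy", b"legacy.apk", signer="A1:B2:C3"),   # hash exception beats signer
]
WILDFIRE = {apk_hash(b"game.apk"): Verdict.BENIGN, apk_hash(b"adware.apk"): Verdict.GRAYWARE}
LOCAL = {apk_hash(b"dropper.apk"): Verdict.MALWARE}

if __name__ == "__main__":
    results, counts = inventory_summary(APPS, PROFILE, WILDFIRE, LOCAL)
    for pkg, r in results.items():
        print(f"{pkg:20} {r['category']:8} blocked={r['blocked']!s:5} actions={r['actions']}")
    print(counts)   # {'Blocked': 2, 'Allowed': 2, 'Pending': 2}
```

Two points the model makes visible that the category list alone does not: an app with a local Malware verdict is still Pending on the home page (it has no official WildFire verdict) even though it is blocked from running, and the same app flips from runnable to blocked purely by turning on Block files with unknown verdict, without any verdict changing.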

View app protection status
  • View a summary of app protection status—Go to the home page to see the total number of Blocked Apps, Allowed Apps, and Pending Apps (unknown apps).

  • View a complete list of installed apps and their statuses—Go to the home page, and in the Related Apps area, tap All.

    By default, the Cortex XDR home page orders the apps by the most recent installation date.

  • Filter apps—Go to the home page, and in the Related Apps area, tap the desired category (Blocked, Allowed, or Pending).

  • View more details about an app—Go to the home page, and in the Related Apps area, scroll to the desired app and tap it.

Scan apps
  • Scan apps:

    1. From the home page, open the menu at the top left, and tap Scan.

    2. Tap Scan Now.

      Cortex XDR scans all apps and requests verdicts for the apps.

  • View scan history:

    1. From the home page, open the menu at the top left, and tap Scan.

    2. Tap Scan History.

      Cortex XDR displays a history of scans, which includes the date and time the scan ran, and the number of apps identified as malware (red) or as benign (green).

    3. Optionally, to see more details about a scan, tap the desired row in the scan history.

Take action on malware, blocked apps, and unknown files

When you attempt to run a malicious app, a blocked app (as defined by a hash exception policy), or an unknown app, Cortex XDR automatically blocks the app from running according to your organization's policy. If your configuration allows it, Cortex XDR can prompt you to ignore the malware verdict and allow the app to run (not recommended). The administrator can also configure Cortex XDR to treat grayware in the same way as it treats malware.

When Cortex XDR blocks a malicious app, an app blocked by a hash exception policy, or an unknown app, it prompts you with the following actions:

  • Allow—This option is only exposed if the administrator enabled the Prompt action mode in your Malware Security Profile. The option enables a user to ignore the malware (or unknown) verdict and permit the app to run. Use this option with caution.

  • Stop—Close the alert window until the next attempt to run the app.

  • Uninstall—Remove the malware from the Android device by uninstalling the app.