Use Cortex XDR Agent for Windows - Administrator Guide - 8.3 - Cortex XDR - Cortex XDR Agent - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XDR Agent Administrator Guide

Cortex XDR
Cortex XDR Agent
Creation date
Last date published
Administrator Guide

Learn how to effectively use the Cortex XDR agent for Windows by the different options described in this topic.

The Cortex XDR agent installs in the C:\Program Files (x86)\Palo Alto Networks\Traps folder. If you enabled access to the console, the agent console is also accessible from the notification area (system tray).

  1. Open the Cortex XDR application.

    The console displays active and inactive features by displaying a 3.1-active-icon.png or icon-inactive.png to the left of the feature type. Select the Advanced tab to display additional tabs along the top of the console. The tabs allow you to navigate to pages that display additional details about security events, protected processes, and updates to the security policy. Usually, an end user will not need to run the Cortex XDR console, but the information can be useful when investigating a security-related event. You can choose to hide the tray icon that launches the console, or prevent its launch altogether.

    Use one of the following methods:

    • Browse to C:\Program Files\Palo Alto Networks\Traps and run the CyveraConsole.exe application.

    • If you enabled access to Cortex XDR from the notification area, double-click the Cortex XDR icon (icon-traps.png) to launch the agent interface.

  2. View status information about the Cortex XDR agent:

    • Advanced Endpoint Protection—Displays the overall protection status of the endpoint as enabled if one or more protection features are enabled, or disabled if no protection features are enabled.

      • Anti-Exploit Protection—Indicates whether or not exploit prevention rules are active in the endpoint security policy.

      • Anti-Malware Protection—Indicates whether restriction or malware protection modules are enabled in the endpoint security policy.

    • Version—Displays the Cortex XDR agent version.

    • Connection—Displays the connection status and, if connected, includes the server to which the agent is connected.

    • Last Check-in—Displays the local time on the endpoint of the last check-in with the server.

  3. Manually connect to the server.

    The Cortex XDR agent periodically communicates with the server to send status information and retrieve the latest security policy. The Cortex XDR agent performs this operation transparently at regular intervals so it is not typically necessary to connect to the server manually. If your Connection status is Not Connected, you can try to manually connect. This option is available if you do not want to wait for the automated communication interval to become active.

    To initiate a manual check-in with the server, Check In Now from the home page of the Cortex XDR console. If the agent successfully establishes a connection with the server, the Connection status changes to Connected.

  4. Collect Cortex XDR agent logs in a file that can be sent to a support representative for analysis.

    Select Generate Support File. Cortex XDR agent aggregates the logs into a compressed file. Save it, and then send the file to your support representative. For remote endpoints, you can also retrieve logs from the Action Center.Action Center

  5. View recent security events that occurred on your endpoint.

    1. Click Advanced, if necessary, to display additional actions that you can perform from the Cortex XDR console.

    2. Click Events.

      For each event, the Cortex XDR console displays the local Time that an event occurred, the name of the Process that exhibited malicious behavior, the Module that triggered the event, and the mode specified for that type of event (Termination or Notification).

  6. System and custom file scans.

    Cortex XDR malware scans on DLLs, executables, and Office files on Windows endpoints can be triggered from the Cortex XDR server, or manually on the endpoint.

    • System ScanScans are initiated from the Cortex XDR sever. You can view the System Scan progress in your Cortex XDR agent console. However, you cannot control this scan from the endpoint.Scan an Endpoint for Malware

    • Custom Scan—You can initiate file scanning on demand on your Windows endpoints and get an immediate verdict from WildFire, before the file is ever executed on the endpoint. This ability is enabled by default in the Cortex XDR agent Malware profile settings.Add a New Malware Security Profile

      To initiate a custom scan on the endpoint:

      1. Right-click a file or folder and select Scan with Cortex XDR.



        You will not see this option if End-user initiated local scan is disabled on your endpoint.

      2. The Cortex XDR agent console opens and you can see the custom scan in progress and eventually the scan verdict for the file. When a malicious file is detected during the custom scan, the event is reported to Cortex XDR directly and will be visible in the Alerts table as Detected (Scanned). However, it will not appear on the Events tab of the Cortex XDR agent console. If the file is unknown to WildFire, the agent applies Local Analysis.Alerts


      You can scan up to 100 items simultaneously. An item can be single file or a single folder, regardless of the number of files within the folder (for example, a folder containing more than 100 files is considered one item by Cortex XDR).


      If you scan an unsupported file type, the Cortex XDR agent console will not show a notification for it, and the file will be considered non-malicious.

  7. Change the display language for the Cortex XDR console.

    The Cortex XDR console is localized in the following languages: English, German, French, Spanish, Chinese (traditional and simplified), and Japanese.

    1. Click Advanced, if necessary, to display additional actions that you can perform from the Cortex XDR console.

    2. Click Settings.

    3. Select the display language for Cortex XDR (default is English).

  8. Configure proxy communication.

    You can use a proxy server on the endpoint for all communications to and from the endpoint, including the communication between the Cortex XDR agent and Cortex XDR.

    • Define proxy settings explicitly—You can define a proxy thorough the operating system Network & Internet settings, or using the netsh command from a command prompt. For example:

      netsh winhttp set proxy proxy-server="<protocol>=<proxyserver>:<port>"


      • <protocol> is either http (unsecure) or https (secure) depending on which protocol you use for proxy communication.

      • <proxyserver> is the IP address or FQDN for your proxy server.

      • <port> is the port number used for communication with the proxy server.


      You can configure Windows to use an unsecure or secure proxy server or you can specify both.

      For example, to use different proxy servers for unsecure and secure proxy communication:

      netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8181"

      You can also specify the same server and same port for both unsecure and secure proxy communication.

      There are three options for this command: You can run the command manually (in a command-prompt as an administrator), you can specify the command in a log-in script, or you can use GPO commands.

    • Retrieve proxy settings through a proxy auto-config (PAC) file—Cortex XDR can retrieve automatic proxy settings configured on your endpoint explicitly, in a group policy, or using WPAD. No additional agent settings are required for this use case.


      If the proxy settings on your endpoint are configured via WPAD or a user setup script, when you isolate an endpoint from the network you will also lose connectivity with Cortex XDR server.

  9. Persistent notification from agent that your machine can’t access the network. Only when the issue is resolved, the notification does not appear.