Learn about using Cortex XDR agent app for Android after you have installed it.
After you install Cortex XDR for Android, scan all apps installed on the Android endpoint. For each app Cortex XDR detects, it generates a hash for the file and requests the file verdict from Cortex XDR. If necessary, Cortex XDR queries WildFire for the verdict.
After the initial scan, Cortex XDR inspects apps immediately as they are installed, and as automated or manual scans occur. At regular intervals, Cortex XDR also rechecks all verdicts with WildFire. For unknown apps, Cortex XDR agent sends the unknown file to Cortex XDR for in-depth analysis. If a verdict cannot be determined after the apk file was uploaded to Wildfire for analysis, Cortex XDR performs local analysis. The administrator can configure the behavior for both actions from Cortex XDR in the Malware Security Profile for Android.
The Cortex XDR home page displays the status of anti-malware protection, a numerical summary, and a list of the apps installed on the Android endpoint. Cortex XDR automatically refreshes the summary when it discovers new apps and receives updated or changed verdicts. You can access more information about each app from the home page.
The following categories are used to classify apps:
Malware—Cortex XDR blocks an app if the app has a Malware verdict as determined by WildFire or local analysis, is blocked by a hash exception policy, or is unknown. To block unknown apps, the administrator must enable Cortex XDR to Block files with unknown verdict in the Malware Security Profile for Android endpoints. When Cortex XDR blocks an app due to a hash exception policy, Cortex XDR shows the app with a Block status.
Allowed—Cortex XDR allows an app to run if the app has a Benign verdict as determined by WildFire or local analysis, or is signed by a trusted signer. The administrator can add signers to the allow list as part of the Malware Security Profile for Android endpoints.
Pending—A pending app is an app that has not yet received an official WildFire verdict. Unknown apps are allowed to run only when this feature is enabled in the Cortex XDR policy.
View a summary of app protection status—Go to the home page to see the total number of Malware Apps, Allowed Apps, and Pending Apps (unknown apps).
View a complete list of installed apps and their statuses—Go to the home page, and in the Related Apps area, tap All.
By default, the Cortex XDR home page orders the apps by the most recent installation date.
Filter apps—Go to the home page, and in the Related Apps area, tap the desired category (Malware, Allowed, or Pending).
View more details about an app—Go to the home page, and in the Related Apps area, scroll to the desired app and tap it.
Scan apps:
From the home page, open the menu at the top left, and tap Scan.
Tap Scan Now.
Cortex XDR scans all apps and requests verdicts for the apps.
View scan history:
From the home page, open the menu at the top left, and tap Scan.
Tap Scan History.
Cortex XDR displays a history of scans, which includes the date and time the scan ran, and the number of apps identified as malware (red) or as benign (green).
Optionally, to see more details about a scan, tap the desired row in the scan history.
When you attempt to run a malicious app, a blocked app (as defined by a hash exception policy), or an unknown app, Cortex XDR automatically blocks the app from running according to your organization's policy. The administrator can configure Cortex XDR to treat grayware in the same way as it treats malware.
If Cortex XDR identifies a malicious or suspicious (unknown) app, Cortex XDR prompts you with the following actions:
Stop—Opens the corresponding settings page of that app, where you can stop the app.
Uninstall—Remove the malware from the Android device. From the home screen, go to → , and then click the trash can icon for the app that you want to remove.