On Linux endpoints, to perform malware analysis of Executable and Linkable Format (ELF) files and collect data for endpoint detection and response (EDR) and behavioral threat analysis, the Cortex XDR agent requires Linux kernel 3.4 or a later version. If you deploy the Cortex XDR agent on a Linux server that is not running one of the kernel versions required for these additional protection capabilities, the agent will operate in asynchronous mode, where:
Continuous event monitoring required for Behavioral Threat Protection is disabled.
Sharing endpoint activity data with Cortex apps is disabled.
The Local Privilege Escalation Protection module is disabled.
Alert indicators, such as file path or hash, can be missing for processes with a very short lifespan.
ELF file examination occurs in parallel with the file execution. If the Cortex XDR agent obtains a malware verdict for the file, it terminates the file execution. Security events for malware in asynchronous mode are assigned a high severity due to the potential for continued execution during the verdict request (security events in synchronous mode are medium severity).
Starting with Cortex XDR agent 7.5, Reverse Shell protection is disabled.
All other exploit and malware protection is enabled per your Linux Security policy rules.
To deploy on a supported kernel version, you must ensure that third-party kernel modules can be loaded. To do so, you can either:
Disable UEFI SecureBoot.
If UEFI SecureBoot is enabled, you must load the Cortex XDR certificate.
To load the certificate, follow the instructions detailed in→ → → .
Changes to the kernel module versions are distributed with content updates. For earlier Cortex XDR agent releases, changes to the kernel module versions are distributed with the agent releases.
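A pre-deployment check for the kernel and Secure Boot conditions described above, as an added example that is not part of the original page or of the Cortex XDR agent. The function names and result strings are hypothetical, and the Secure Boot query assumes `mokutil` is installed on the host.

```shell
#!/bin/sh
# Added example: pre-deployment check (hypothetical helper names).

# Return 0 if the kernel release ($1, e.g. `uname -r`) is 3.4 or later,
# 1 if it is older, 2 if the string cannot be parsed.
kernel_meets_minimum() {
    release=${1%%-*}          # "3.10.0-1160.el7.x86_64" -> "3.10.0"
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }
}

# Map the text printed by `mokutil --sb-state` ($1) to enabled/disabled/unknown.
secure_boot_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# $1: kernel release, $2: mokutil output. Prints one result line.
precheck() {
    rc=0
    kernel_meets_minimum "$1" || rc=$?
    case "$rc" in
        1) echo "asynchronous-mode: kernel older than 3.4"; return 0 ;;
        2) echo "check-manually: cannot parse kernel release"; return 0 ;;
    esac
    case "$(secure_boot_state "$2")" in
        enabled)  echo "certificate-required: Secure Boot is enabled" ;;
        disabled) echo "ready: Secure Boot is disabled" ;;
        *)        echo "check-manually: Secure Boot state unknown" ;;
    esac
}

# Run against the live host; mokutil may be absent or the host may not use UEFI.
precheck "$(uname -r)" "$(mokutil --sb-state 2>/dev/null || true)"
```

The check only compares the running kernel against the 3.4 minimum; it does not consult the kernel module version support listing and does not verify whether the Cortex XDR certificate is already loaded.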
Latest Kernel Module Version Support
Here is the latest Kernel Module Version.