Cortex XDR and Traps Compatibility with Third-Party Security Products

Cortex XDR Compatibility Matrix

Product: Cortex XDR
Creation date: 2024-01-18
Last date published: 2024-03-18
Category: Compatibility Matrix
Abstract

Review the considerations related to third-party security software integration with Cortex XDR and Traps software.

We renamed the Traps agent as the Cortex XDR agent in Cortex XDR agent release 7.0 and later releases.

The following tables describe considerations related to third-party security software integration with Cortex XDR and Traps software. The list covers security products that have known limitations or that require additional action to integrate with Cortex XDR and Traps agents. Additional third-party apps may be compatible with Cortex XDR and Traps but have not been tested and are therefore not included in the list of supported third-party applications.

Third-Party Windows Security Applications

Application Name

Limitations

AppVolumes

On endpoints running Windows 8.1 or a later release, the anti-ransomware malware protection module (MPM) collides with the AppVolumes writable volume and AppStack features. As a result, running Traps anti-ransomware protection and AppVolumes in parallel is not supported on endpoints running Windows 8.1 or a later release.

On endpoints running earlier Windows releases, AppVolumes collides with the Traps injection mechanism. To address this limitation, configure AppVolumes to remove Traps registry keys and files that interfere with Traps injection. For more information, see KB-189193.

AVG

If a Cortex XDR or Traps agent component is suspected as a threat, we recommend excluding the component in the AVG management tools.

Avira AV

If a Cortex XDR or Traps agent component is suspected as a threat, we recommend excluding the component in the Avira management tools.

BeyondTrust PowerBroker

Running exploit protection and PowerBroker in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire® analysis, and restriction rules—works as expected.

Bitdefender Total Security

Running exploit protection and Bitdefender in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—works as expected.

BUFFERZONE

Not supported.

CylancePROTECT

Not supported.

Digital Guardian

Running exploit protection and Digital Guardian software in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—works as expected.

You must configure the Digital Guardian agent not to inject into any of the Cortex XDR binaries listed in the documentation. For more information, please contact Digital Guardian support.

GraphOn Go-Global

Not supported.

McAfee Solidcore/Solidifier

Running exploit protection and Solidcore/Solidifier in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—works as expected.

McAfee VirusScan

Enabling Agent Tampering Protection is not supported on Windows XP or Windows Server 2003 when McAfee VirusScan is installed in parallel.

Microsoft Defender

If a Cortex XDR agent is running alongside Microsoft Defender on endpoints running Windows Server editions, we recommend setting Defender to Passive mode.

Microsoft EMET

Running exploit protection and Microsoft EMET in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—works as expected.

Panda Antivirus

Running exploit protection and Panda Antivirus in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—works as expected.

Powered by Go-Global

Not supported.

Sandboxie

Running exploit protection and Sandboxie in parallel is not supported. All other malware protection functionality, such as local analysis, WildFire analysis, and restriction rules, works as expected.

Sophos Intercept

Running exploit protection and Sophos Intercept exploit mitigation features in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—works as expected.

To enable exploit protection, disable the following Runtime Protection options in the server policy of the cloud server for Sophos Intercept:

  • Mitigate exploits in vulnerable applications

  • Protect processes

Trend Micro OfficeScan XG

To prevent Trend Micro OfficeScan XG from detecting malware in the process memory collected by the agent, disable the "Enable program inspection to detect and block compromised executable files" option in the Behavior Monitoring Settings of Trend Micro.

Third-Party Mac Security Applications

Application Name

Limitations

Symantec Endpoint Protection (SEP)

Uninstalling or upgrading Traps 6.1 on Mac endpoints with SEP installed is not supported.

Third-Party Linux Security Applications

Application Name

Limitations

SELinux

Because SELinux collides with the agent injection mechanism, injection-based security modules (ROP Mitigation and Brute Force Protection) are disabled when SELinux is enabled. All other exploit and malware protection functionality works as expected. No user action is required.

Symantec

Running Symantec Kernel Module on Linux machines side by side with Cortex XDR is not supported.

McAfee

Running McAfee Kernel Module on Linux machines side by side with Cortex XDR results in the Cortex XDR agent running without the Kernel Module and providing only partial protection. We recommend disabling the McAfee KM.