Scan an endpoint for malware - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

The agent can scan your Windows and Mac endpoints and attached removable drives for dormant malware that is not actively attempting to run.

In addition to blocking the execution of malware, the Cortex XDR agent can scan your Windows, Mac and Linux endpoints and attached removable drives for dormant malware that is not actively attempting to run. The agent examines the files on the endpoint according to the Malware Security Profile that is in effect on the endpoint (quarantine settings, unknown file upload, etc.). When a malicious file is detected during the scan, the agent reports the malware to Cortex XSIAM so you can manually take additional action to remove the malware before it is triggered and attempts to harm the endpoint.

You can scan the endpoint in the following ways:

  • System scan: Initiate a full system scan on demand from Endpoints Administration for an endpoint.

  • Periodic scan: Configure periodic full scans that run on the endpoint as part of the malware security profile. To configure periodic scans, see Set up malware prevention profiles.

  • Custom scan: (Windows, requires agent v7.1 or later) The end user can initiate a scan on demand to examine a specific file or folder. For more information, see the Cortex XDR Agent Administrator's Guide for Windows.

You can initiate full scans of one or more endpoints from either the All Endpoints table or the Action Center. After initiating a scan, you can monitor the progress from Incident Response > Response > Action Center. From both locations, you can also abort an in-progress scan. The time a scan takes to complete depends on the number of endpoints, connectivity to those endpoints, and the number of files for which Cortex XSIAM needs to obtain verdicts.

  1. Select Incident Response > Response > Action Center > + New Action.

  2. Select Malware Scan.

  3. Click Next.

  4. Select the target endpoints (up to 100) on which you want to scan for malware.

    Scanning is available on Windows, Mac and Linux endpoints. Cortex XSIAM automatically filters out any endpoints for which scanning is not supported. Scanning is also not available for inactive endpoints.

    Tip

    If needed, filter the list of endpoints by attribute or group name.

  5. Click Next.

  6. Review the action summary and click Done when finished.

    Cortex XSIAM initiates the action at the next heartbeat and sends the request to the agent to initiate a malware scan.

  7. To track the status of a scan, return to the Action Center.

    When the status is Completed Successfully, you can view the scan results.

  8. View the scan results.

    After an agent completes a scan, it reports the results to Cortex XSIAM.

    To view the scan results for a specific endpoint:

    1. In the Action Center, when the scan status is complete, right-click the scan action and select Additional data.

      Cortex XSIAM displays additional details about the endpoint.

    2. Right-click the endpoint for which you want to view the scan results and select View related security events.

      Cortex XSIAM displays a filtered list of malware alerts for files that were detected on the endpoint during the scan.