Under which conditions is Local Analysis invoked to evaluate a file before the file is allowed to run?
Local Analysis is invoked to evaluate a file before the file is allowed to run if the endpoint is disconnected or the verdict from WildFire is unknown. Local Analysis makes the determination when WildFire cannot be reached or when WildFire classifies a file as unknown, so the file still receives a verdict before execution.
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcdra-study-guide.pdf

Local analysis is enabled by default in a Malware Security profile. Because local analysis always returns a verdict for an unknown file, if you enable the Cortex XDR agent to Block files with an unknown verdict, the agent only blocks unknown files if a local analysis error occurs or local analysis is disabled. To change the default settings (not recommended), see Add a New Malware Security Profile.