End-of-Life (EoL)

Cortex XDR Agent Known Issues

Known issues with the Cortex XDR agent 7.0
In this version, Traps management service functionality has been integrated into the Cortex XDR app. As a result, the new agent is a Cortex-supported agent, and issues relating to Traps and the Traps management service directly are no longer applicable.
The following table includes known issues in Cortex XDR agent 7.0.
Issue ID
The Cortex XDR agent does not create a post-detection event when it receives from WildFire a malware verdict for a macro file that had a previous non-malware verdict.
When the operating system on the endpoint is set to Advertise mode, you cannot install or upgrade a Cortex XDR agent 7.0.X or earlier releases using
When the Cortex XDR agent performs a policy update on a Windows endpoint, the endpoint can freeze for a few seconds and you might not be able to open applications or menus until the update is completed.
If you uninstall a Cortex XDR agent 7.0.1 running on a macOS 10.15.4 endpoint through the Cortex XDR management console when the user is not logged in on the endpoint or did not enter the user credentials as requested by the operating system, the uninstall process is reported as completed successfully, but the agent leaves software leftovers on the endpoint. As a workaround to address this issue, you can:
  • Uninstall the agent directly from the endpoint, or upgrade to Cortex XDR 7.1 and uninstall the agent from the Cortex XDR server management.
  • If you already uninstalled the agent from the management server and still want to clean the leftover files on the endpoint, you must re-install the same agent version that was installed before and then uninstall it directly from the endpoint.
This issue is resolved in the Cortex XDR agent 7.0.1 release.
When a new VDI session starts, it may take up to 10 minutes for the Cortex XDR agent to protect the endpoint.
The Cortex XDR tray icon displays on a Windows endpoint even though the Agent Settings profile is set to hide the icon.
This issue is resolved in the Cortex XDR agent 7.0.1 release.
You cannot restore a quarantined file to a custom location using Cytool on a Mac endpoint running macOS 10.15.
If a previous version of Traps was installed on a Windows endpoint, the Traps icon saved in the Windows cache might display in the new Cortex XDR agent console when alerting the user that access to the agent console has been disabled by policy.
After you whitelist an external USB-connected device, you have to unplug it and plug it back into your machine for the whitelisting to take effect. If it is an integral device, you have to restart your machine for the whitelisting to take effect.
After you run a bash command on Mac or Linux agents using the Live Shell console, the command is printed again as a response.
To enable the Cortex XDR agent 7.0.2 release to work in synchronous mode on Linux endpoints running RHEL, CentOS, or Oracle 8 kernels, you must disable UEFI Secure Boot on the machine. Otherwise, the Cortex XDR agent operates in asynchronous mode: the agent obtains a verdict for the executed ELF file in parallel to its execution and terminates it if a malware verdict is obtained. In addition, data collection for EDR and behavioral threat protection is not supported.
To disable UEFI Secure Boot, enter the Advanced Boot Menu on your Linux machine and go to Troubleshoot > Advanced Options: UEFI Firmware Settings. Set the option to disable, save your changes and exit the menu. Your system will reboot, and the Cortex XDR agent will provide all its protections on the endpoint.
For full compatibility information, see the Compatibility Matrix.
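To find which Linux endpoints fall under the Secure Boot issue above, the following added example (not Palo Alto Networks code) reads the firmware's SecureBoot variable from efivarfs and maps it to the agent mode this page describes. The function names and the sample-file helper are assumptions made for illustration; the variable name uses the standard EFI global-variable GUID.

```shell
#!/bin/sh
# Added example: report UEFI Secure Boot state and the Cortex XDR agent mode
# the known issue above describes for it. Function names are hypothetical.

# SecureBoot variable as exposed by efivarfs (EFI global-variable GUID).
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state [EFIVARS_DIR] -> enabled | disabled | not-uefi | unknown
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # No efivars directory: not booted via UEFI, or efivarfs is not mounted.
    [ -d "$dir" ] || { echo "not-uefi"; return 0; }
    f="$dir/$SB_VAR"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    # efivarfs layout: 4 attribute bytes, then the data (1 byte for SecureBoot).
    val=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    case "$val" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# expected_agent_mode STATE -> mode stated on this page for that state.
expected_agent_mode() {
    case "$1" in
        enabled)  echo "asynchronous" ;;   # no EDR/BTP data collection
        disabled) echo "synchronous" ;;
        *)        echo "undetermined" ;;   # the page does not cover this case
    esac
}

# make_sample_efivars DIR VALUE(0|1): constructed test data, not firmware output.
make_sample_efivars() {
    mkdir -p "$1"
    printf "\\006\\000\\000\\000\\00$2" > "$1/$SB_VAR"
}

state=$(secure_boot_state)
echo "secure boot: $state, expected agent mode: $(expected_agent_mode "$state")"
```

Where `mokutil` is installed, `mokutil --sb-state` reports the same state and can be used to cross-check the result.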
