Cortex XDR Agent Known Issues

Known issues with the Cortex XDR agent 7.1
The following table includes known issues in Cortex XDR agent 7.1.
Issue ID
Description
CPATR-10460 (Windows)
When you upgrade a Cortex XDR agent 7.0 or later release and device control is enabled on the endpoint, a race condition might cause the Cortex XDR agent upgrade to fail.
CPATR-10449 (Linux)
This issue is resolved in Cortex XDR agent 7.1.2 release.
After you upgrade the Cortex XDR agent 6.1.0 release to a 7.1.0 or 7.1.1 release, you may experience inconsistent pmd crashes on Linux endpoints.
CPATR-9983
This issue is resolved in Cortex XDR agent 7.1.2 release.
You cannot execute more than one script at a time on the endpoint.
CPATR-9699
This issue is resolved in Cortex XDR agent 7.1.1 release.
The Cortex XDR agent fails to start on a VDI instance if the hardware ID is the same as in the Golden Image. As a workaround to address this issue, follow these steps when you create your Golden Image, according to the operating system running on the endpoint:
  1. Install the Cortex agent 7.1.0 release on a Golden Image using the standard VDI installation procedure.
  2. Verify that the installation was completed successfully and that the endpoint is defined as a Golden Image in Cortex XDR.
  3. Run Cytool protect disable to manually disable protections on the endpoint.
  4. (Windows 10, Server 2016 and Server 2019) Run Cytool ppl disable to manually disable anti-tampering protections on the endpoint.
  5. From services.msc, right-click Cortex XDR and select Properties. Under General properties, change Startup type to Automatic (Delayed Start) and click OK.
  6. (Windows 10, Server 2016 and Server 2019) Run Cytool ppl enable to manually reinstate anti-tampering protections on the endpoint.
  7. Create VDI instances.
CPATR-9410 (Windows)
When you initiate a malware scan directly from your Windows endpoint and the Cortex XDR agent is configured to quarantine the malicious file, the event pop-up on the endpoint includes a link to the Cortex XDR agent console Events tab. However, events from user-initiated scans are not displayed in the agent console; they are displayed only in the Cortex XDR management console.
CPATR-9338 (Mac)
On macOS 10.15.4 endpoints, if you do not use JAMF to install the Cortex XDR agent, users are prompted for confirmation when they attempt to disable a System Extension. It is safe to proceed to allow the operation to complete in the following scenarios:
  • When starting or stopping runtime services using Cytool
  • During a Cortex XDR agent upgrade
The pop-up message will not appear on managed systems, where the Palo Alto Networks System Extensions are whitelisted or the upgrade package is distributed using software management solutions like JAMF.
CPATR-9317
This issue is resolved in Cortex XDR agent 7.1.1 release.
If you want to upgrade a Cortex XDR agent that was installed using a Shell installation package to a Cortex XDR agent using an rpm package on Linux endpoints running SUSE distributions, you must perform the upgrade manually on the endpoint due to manual authorizations you have to enter during this specific flow.
CPATR-9033 (Mac)
When you abort a scheduled scan running on your Mac endpoint from Cortex XDR Endpoint Administration, the scan is aborted successfully; however, the action status in the Cortex XDR Action Center remains In Progress.
CPATR-9144 (Windows)
When you apply the Cortex XDR Disk Encryption policy rule to a self-encrypting hardware disk and the GPO allows hardware encryption, the disk is encrypted with a different method than those available in Cortex XDR. As a result, the Cortex XDR agent reports back Non compliant status even though the endpoint disk encryption was successful and status could be Compliant.
CPATR-9104 (Windows)
During encryption on Windows 7, BitLocker may take up all of the available disk space except ~6GB of free space. Disk space will be released when encryption is completed.
CPATR-7898 (Linux)
When you upgrade or uninstall the Cortex XDR agent from a Linux endpoint through rpm or yum, missing file warnings are displayed, even when the process ends successfully. For example:
warning: file /opt/traps/rpm/traps_linux-7.1.0.2000.tar.gz: remove failed: No such file or directory
CPATR-7820 (Linux)
If you purge the agent installation package on a Linux endpoint by running the apt-get purge command, and the /opt directory is empty, then the directory might be deleted from the endpoint. However, when you install another package that requires the /opt directory, it will create the directory automatically.
CPATR-6346 (Linux)
To enable the Cortex XDR agent 7.1 release to work in synchronous mode on Linux endpoints running kernels RHEL8, CentOS8, Oracle 8, or SUSE 15, you must disable UEFI Secure Boot on the machine. Otherwise, the Cortex XDR agent will operate in asynchronous mode: the agent will obtain a verdict for the executed ELF file in parallel to its execution and terminate it if a malware verdict is obtained. In addition, data collection for EDR and behavioral threat protection will not be supported.
To disable UEFI Secure Boot, enter the Advanced Boot Menu on your Linux machine and go to Troubleshoot > Advanced Options: UEFI Firmware Settings. Set the option to disable, save your changes and exit the menu. Your system will reboot, and the Cortex XDR agent will provide all its protections on the endpoint.
For full compatibility information, see the Compatibility Matrix.
CPATR-1867 (Windows)
After you uninstall a Cortex XDR agent from a Windows endpoint, the following folders along with their sub-folders and files remain on the endpoint under C:\ProgramData\Cyvera:
  • Everyone/
  • LocalSystem/
  • Logs/
  • Prevention/
  • Scan/
  • TrapsUninstall.log
SUPTR-6297 (Windows)
Cyserver is a Protected Process Light (PPL) process in Windows 10. If you need to stop the Cyserver service, during troubleshooting for example, you must stop it using Cytool instead of using standard operating system tools or command line requests.
