Addressed Issues in Cortex® XDR™ Agent 7.2

The following tables list the issues that are addressed in Cortex® XDR™ agent 7.2 releases.

Addressed Issues in Cortex XDR Agent 7.2.4

The following table details addressed issues in Cortex XDR agent 7.2.4.
| Issue ID | Description |
| --- | --- |
| CPATR-13789 | (Windows) Fixed a compatibility issue with the return-oriented programming (ROP) mitigation module running on a 64-bit CPU architecture. |
| CPATR-13480, CPATR-13408, CPATR-12976, CPATR-12633, CPATR-12629 | Addressed security issues. |
| CPATR-13418 | (Linux) Fixed an issue on Linux endpoints where attempts to restart MariaDB Server caused the Cortex XDR agent to halt. |
| CPATR-13384 | Fixed an issue with a local database used by the 'Search and Destroy' feature on the agent. Prior to the fix, no results were shown for searches on endpoints with an unusually large number of files. |
| CPATR-13363 | Fixed a potential Denial-of-Service (DoS) security issue. |
| CPATR-13303 | Fixed an issue where in some cases, shared network drives were not available for malware scan due to the method by which the drives were mounted and represented in the operating system. |
| CPATR-13269 | Fixed an issue where the agent consumed abnormally high CPU when it was not connected to the Cortex XDR server. |
| CPATR-13043 | Fixed a rare issue where after upgrading the agent, the agent reported historic alerts again to the Cortex XDR server. |
| CPATR-12984 | Fixed an issue where agent script data was sent erroneously to Cortex XDR when the network connection was lost. |
| CPATR-12982 | (macOS) Fixed an issue on Mac endpoints where the agent was not sending heartbeats to Cortex XDR when the Network Filter approval dialog box was open. |
| CPATR-12970 | (macOS) Fixed an issue where the Cortex XDR agent on macOS halted abruptly in some rare cases. |
| CPATR-12954 | (Linux) Fixed an issue on Linux endpoints where the Collector function was not functioning properly when the Kernel Integrity Monitor (KIM) was disabled. |
| CPATR-12923 | (Linux) Fixed an issue where if you installed the Cortex XDR agent 7.2.x or 7.3.x releases using an RPM installation package on a Linux endpoint running OpenSUSE or SUSE 15 SP2, you could not upgrade the agent to a newer release. |
| CPATR-12874 | (Windows) Fixed an issue where the agent on Windows endpoints stopped sending heartbeats to the Cortex XDR server. |
| CPATR-12323 | Fixed an issue where the Cortex XDR agent did not report post-detection events of Office files with macros to the management server. In case of post-detection events of Office files with macros, the agent does not terminate the source process regardless of the applied Malware Profile. |

Addressed Issues in Cortex XDR Agent 7.2.3

The following table details addressed issues in Cortex XDR agent 7.2.3.
| Issue ID | Description |
| --- | --- |
| CPATR-12803 | Fixed an issue where protected Java processes, such as OpenJDK processes, crashed in particular cases. |
| CPATR-12723 | (Linux) Fixed an issue where in a certain scenario, a Linux agent reached a state in which the agent halted. |
| CPATR-12693 | (Linux) Fixed an issue where on Linux endpoints, the Ubuntu Long Term Support (LTS) release numbers were displayed incorrectly in the Cortex XDR management console, with leading zeros missing. For example, 12.4 was displayed instead of 12.04. |
| CPATR-12675 | Fixed an issue of high disk I/O consumption by the Cortex XDR agent. |
| CPATR-12674 | Fixed an issue where some security events were not reported to the Cortex XDR management console when the agent was shutting down. These non-reported events are now reported to the Cortex XDR management console when the agent service restarts. |
| CPATR-12649 | Fixed an issue where the Cortex XDR agent did not detect the existence of a macro within a Microsoft Office document. |
| CPATR-12610 | Fixed an issue where the Cortex XDR agent reported behavioral threat protection (BTP) incidents a day after the incidents were actually encountered. |
| CPATR-12582 | Fixed an issue where the Cortex XDR management console could not receive endpoint detection and response (EDR) data due to a non-Unicode URL recognition problem. |
| CPATR-12476 | (Windows) Fixed an issue where outdated WildFire verdicts were displayed when querying the WildFire cache using the cytool (CLI tool). |
| CPATR-12337 | Fixed an issue where during a system scan, the Cortex XDR agent did not skip the Microsoft Application Virtualization (App-V) offline files and folders, causing the local disk to fill up. The Cortex XDR agent now skips these files. |
| CPATR-12242 | Fixed an issue where low-level disk utilities (such as `fsck`, `fdisk`, etc.) on a Linux endpoint failed with a `Device is in use` error. |
| CPATR-12102 | (macOS) Fixed an issue where uninstallation of the agent did not work on macOS endpoints due to erroneous user password recognition. |
| CPATR-12083 | (Windows) Fixed an issue where the Cortex XDR agent firewall rules on a Windows endpoint temporarily did not apply after changing the network location of the endpoint. This occurred because the network location change was not immediately detected. |
| CPATR-12009 | (Windows) Fixed an issue where the agent did not analyze the macro content within a Microsoft Office document. |
| CPATR-11966 | (Linux) Fixed an issue where an upgraded Linux agent caused containerized processes to halt. |
| CPATR-11927 | Addressed security issues. |
| CPATR-11533 | (Windows) Fixed an issue where the status of a Windows endpoint erroneously flipped from Enabled to Disabled in the Cortex XDR management console. |
| CPATR-11199 | (macOS) Fixed an issue where the Cortex XDR agent could not be uninstalled from a macOS endpoint if the agent wasn't running. |
| CPATR-11003 | Fixed an issue where the Cortex XDR agent exceeded the disk quota on the endpoint. The disk quota is now better enforced. |

Addressed Issues in Cortex XDR Agent 7.2.2

The following table details addressed issues in Cortex XDR agent 7.2.2.
| Issue ID | Description |
| --- | --- |
| CPATR-11875 | Fixed an issue where sometimes retransmitting a file to WildFire caused a permanent `No connection` verdict. |
| CPATR-11871 | (Linux) Fixed an issue where the Local Threat-Evaluation Engine (LTEE) process reported `Zombie` status if the kernel module was not available on the endpoint when upgrading a Cortex XDR agent 7.2 to a later release. |
| CPATR-11858 | (Windows) Fixed an issue where the Cortex XDR agent failed to quarantine malicious files running on devices or partitions formatted in Windows FAT32. |
| CPATR-11845 | (macOS) Fixed an issue where the Cortex XDR agent did not enforce Device Control policy on an uncommon USB device. |
| CPATR-11830 | (macOS) Following several cases where endpoints running macOS 10.15.4 and later halted when using Apple's Network Extension framework, which is leveraged by the Cortex XDR agent 7.2.1 and later, added additional exclusions of processes and services to help reduce the probability of this issue recurring. If this issue persists after upgrading the Cortex XDR agent to the 7.2.2 release, contact Palo Alto Networks Support for a support exception. |
| CPATR-11828 | (macOS) Fixed an issue where the Cortex XDR agent failed to install on Mac endpoints if the proxy was being set through the `config.xml` file. |
| CPATR-11663 | (Windows) Fixed an issue where the Cortex XDR agent processes suddenly halted on Windows endpoints with low memory. |
| CPATR-11459 | Fixed an issue where after reboot the Cortex XDR agent was disabled on the endpoint when the network location was configured and detected as external, and as a result prevented the agent from enforcing policy. |
| CPATR-11373 | Fixed an issue where a user with administrator permissions attempted to destroy a file on the endpoint, and was denied access. |
| CPATR-11313 | (Linux) Fixed an issue where the Cortex XDR agent suddenly halted on Linux endpoints where User-Mode Instruction Prevention (UMIP) was enabled. |
| CPATR-11218 | Fixed an issue where the Cortex XDR agent did not report malformed event log data. |
| CPATR-10944 | (macOS) Fixed an issue where, when the Cortex XDR agent received a malware verdict from WildFire for a previously unknown DMG file, the agent did not create a post-detection event for the hash. |
| CPATR-10748 | (macOS) Fixed an issue where the Malware security profile enforced on the endpoint did not correctly handle the DMG files in the allow list. |

Addressed Issues in Cortex XDR Agent 7.2.1

The following table details addressed issues in Cortex XDR agent 7.2.1.
| Issue ID | Description |
| --- | --- |
| CPATR-11491 | (macOS) Performance improvements to the Cortex XDR agent scanning. |
| CPATR-11349 | (macOS) Fixed an issue where Cortex XDR incorrectly displayed the endpoint Fully Qualified Domain Name (FQDN) instead of the endpoint host name. |
| CPATR-11311 | (Windows) Fixed an issue where the Cortex XDR agent did not detect the existence of a macro within an Office document. |
| CPATR-11309, CTNGTR-3437 | (Windows) Fixed an issue where the Cortex XDR agent could suddenly halt in case of malformed data in the endpoint registry values related to Folder Redirection. |
| CPATR-11246 | Fixed an issue where, when a file verdict was changed for a file that already existed in WildFire, the new verdict was not applied by the Cortex XDR agent. |
| CPATR-11179 | (Windows) Fixed an issue where the Cortex XDR agent caused the Veeam backup service to halt on the endpoint. |
| CPATR-11150 | Fixed an issue that occurred when upgrading a Cortex XDR agent release prior to 7.2.0 to the 7.2.0 agent, where the allow and block lists defined for the earlier agent release were enforced only after agent check-in. |
| CPATR-11143 | (Windows) Fixed an issue where the Cortex XDR agent unexpectedly halted when a NUMA virtual machine booted with CPU hot-add enabled. |
| CPATR-11122 | Fixed an issue where sometimes the Cortex XDR agent console suddenly halted when the end user attempted to close it. |
| CPATR-11051 | (Windows) Fixed an issue where the Cortex XDR agent did not scan folders or files with special Unicode characters in their name if the scan was initiated locally on the endpoint by the user. |
| CPATR-10963 | Fixed an issue when attempting to destroy a file that did not exist on the endpoint, where the agent reported back to Cortex XDR the `Failed to delete file` error message instead of `File not found`. |
| CPATR-10956 | Fixed an issue where the Cortex XDR agent reported an incorrect scan status to Cortex XDR in case the scan failed. |
| CPATR-10010 | (Linux) The Cortex XDR agent can now be installed on paravirtualized (PV) hypervisor installations of type Xen and KVM. |

Addressed Issues in Cortex XDR Agent 7.2

There are no addressed issues to report for this major release.
