Known Issues in Cortex® XDR™ Agent 7.2

The following table details known issues in Cortex® XDR™ agent 7.2 releases.
Issue ID
Description
CPATR-12865 (Windows)
On Windows endpoints, post-detection alerts for Microsoft Office files that contain a macro are not retrievable from the management server.
CPATR-12376 (Windows)
In rare cases, when you attempt to upgrade a 7.2, 7.2.1, or 7.2.2 agent to a later release, the upgrade action halts in In Progress status.
Suggested workaround: Reboot the agent and receive Failed status.
CPATR-12307
If the Traps agent is installed and running while upgrading from macOS 11 to 11.1, it might halt.
CPATR-12001 (Mac)
On endpoints running macOS 10.15.4 and later using Apple's Network Extension framework, which is leveraged by the Cortex XDR agent 7.2.1 and later, you cannot activate VPN functionality provided by native Cisco IPSec and some other third-party VPN configuration management solutions.
Suggested workaround: Contact Palo Alto Networks Support for a support exception.
CPATR-11883 (Mac)
On endpoints running macOS 10.15.4 and later using Apple's Network Extension framework, which is leveraged by the Cortex XDR agent 7.2.1 and later, sometimes the Network Extension will not load and the agent will stop reporting network statistics after you upgrade a Cortex XDR 7.2.1 release to any other release.
Suggested workaround: Reboot the endpoint.
Even though the agent log reports "XDR agent is disabled on machine <name>. To resolve this, reboot the endpoint", the agent is enabled yet the Network Extension is not loaded.
CPATR-11752 (Mac)
Cortex XDR inaccurately reports post-detection events for DMG files as post-detection events for executables.
CPATR-11474 (Windows)
This issue is resolved in Cortex XDR agent 7.3 release.
When Palo Alto Networks Global Protect policy is set to block all network communications on endpoints without an active anti-virus solution, then Global Protect could disconnect the endpoint if the policy check occurs during the Cortex XDR agent upgrade.
To resolve this issue, use the suggested workaround:
  1. Disable Global Protect on the endpoint.
  2. Perform a manual check-in on the Cortex XDR agent console.
  3. Enable Global Protect.
CPATR-11309, CTNGTR-3437 (Windows)
This issue is resolved in Cortex XDR agent 7.2.1 release.
The Cortex XDR agent can suddenly halt in case of malformed data in the endpoint registry values related to Folder Redirection.
CPATR-11150 (Windows and Linux)
This issue is resolved in Cortex XDR agent 7.2.1 release.
When you upgrade a Cortex XDR agent release prior to 7.2.0 to the 7.2.0 agent, the allow and block lists defined for the earlier agent release are enforced only after agent check-in. You can perform the check-in using Cytool (CLI tool) or directly from the agent console on the endpoint.
CPATR-11010
When the Cortex XDR agent is set to report on DMG events, Cortex XDR displays the action in the alert as Scanned instead of Reported.
CPATR-11009
Installing the Cortex XDR Pathfinder data collector on an endpoint that is already running another third party security product could lead to a potential security problem on the endpoint, where the third party tool disables certain security capabilities when it detects the data collector.
CPATR-10944
This issue is resolved in Cortex XDR agent 7.2.2 release.
When the Cortex XDR agent receives a malware verdict from WildFire for a previously unknown DMG file, the agent does not create a post-detection event for the hash.
CPATR-10931
Sometimes in alerts from Mac endpoints, the operating system does not supply a report source address on UDP events. As a result, Cortex XDR displays a source IP address of 0.0.0.0 and a source port of 0 in logs and alert details.
CPATR-10900
You cannot install the Cortex XDR agent on an endpoint where the Cortex XDR Pathfinder data collector is already installed.
CPATR-10896 (Mac)
This issue is resolved in Cortex XDR agent 7.3 release.
When you install a Cortex XDR agent for the first time, manually or from the Cortex XDR server, on a Mac endpoint running macOS 10.15.3 or an older version, the loading order of the agent processes on the endpoint is incorrect and could result in unexpected behavior of the Cortex XDR agent.
CPATR-10830
This issue is resolved in Cortex XDR agent 7.3 release.
The alert for a post-detection event that resulted in the termination of multiple processes or applications does not list the names of the processes or applications.
CPATR-10695
When you set a Read only Device control restrictions policy, the following issues can occur:
  • Unexpected behavior when the end user connects a USB device formatted in Windows FAT32 or exFAT formats that was not ejected properly from a previous device.
  • If the device has more than one volume, Cortex XDR displays a separate violation for each volume.
CPATR-10614
This issue is resolved in Cortex XDR agent 7.3 release.
The Cortex XDR agent does not create a post-detection event when it receives from WildFire® a malware verdict for a macro file that had a previous non-malware verdict.
CPATR-10187
When you run an application for the first time on a Mac endpoint that is configured with Cortex XDR host firewall rules, the host firewall rules take effect only starting with the second execution of the application.
CPATR-10164
When you disable the Cortex XDR Host firewall on a Mac endpoint, the host firewall rules applied to the applications on the endpoint still take effect.
CPATR-10129
On Mac endpoints, when the domain configuration of the endpoint is changed, Cortex XDR does not trigger a recalculation of the network location.
CPATR-10121
Sometimes, the operational status in the agent log is Fully Protected even though the agent is Unprotected. This happens, for example, when the endpoint user does not approve the System Extension on the endpoint. Although the agent log indicates an incorrect status, Cortex XDR displays the correct operational status in Endpoints Administration.
CPATR-10095
You cannot configure the following Mac host firewall settings with the Cortex XDR host firewall:
  • Automatically allow built-in software to receive incoming connections.
  • Automatically allow downloaded signed software to receive incoming connections.
CPATR-9907 (Mac)
Due to an issue with JAMF and macOS, the Cortex XDR agent may prompt the end user to authorize system extensions after upgrading to macOS 10.15.4 or a later version, even though a JAMF profile is in use that should allow those system extensions.
Workaround: Upgrade the operating system to macOS 10.15.6 or a later version first, verify your JAMF policy enables the appropriate extensions, and then use JAMF or an agent upgrade action from the Cortex XDR management console to upgrade to a later Cortex XDR agent version. If you upgrade the agent before upgrading the operating system and do not reinstall, the end user must approve kernel extensions when prompted.
