topic Re: An endpoint with the Cortex XDR installation intermittently creates a huge file and writes to the hard drive at C:\Windows\System32\PaloNull in Cortex XDR Discussions

An endpoint with the Cortex XDR installation intermittently creates a huge file and writes to the hard drive at C:\Windows\System32\PaloNull

A_Adamski — Tue, 09 Aug 2022 15:27:31 GMT

Dear Live Community Members,

One of my customers noticed that some endpoints with the Cortex XDR installation sometimes creates a huge file that grows in size with time.

On several VMs equipped with the Cortex Agent (version 7.7.1, but we also noticed this with older versions in the past) sometimes a file called "PaloNull" is created, which grows really huge and eventually uses up all free disk space on the C: drive.

We cannot leave the file in place when this occurs since it impedes normal operation.

This data are being written/saved to the hard drive at the C Drive at the below location:
C:\Windows\System32\PaloNull

This happened on approx. 10-15 VMs running Windows Server 2016 up to 2022 (maybe even older versions) within the last 12 months.
An older VM (Windows Server 2016) had Cortex installed for almost two years, whereas the newest VM (Windows Server 2022) was equipped with Cortex just a month ago.

The customer correlates this to Cortex due to the name (PaloNull) and the fact that this occurred also on systems with no other PAN software installed (we ruled out PAN TS Agent for NGFW User ID as a cause just before creating this ticket).
Apart from the default Windows Defender which we leave untouched, no other security software is installed on the affected devices.

I could not find any info about similar issues and the sample file does not provide any useful data.

I have a sample of that file, but I can't access and read the data from it:

Could you help me out and let me know if this is a known bug? And how can we troubleshoot why this happens?

I'm struggling to confirm that this file has been in fact created by the Cortex XDR and the reason behind it.

And I will really appreciate your help and any hints to investigate this issue further.

Thank you in advance!

Re: An endpoint with the Cortex XDR installation intermittently creates a huge file and writes to the hard drive at C:\Windows\System32\PaloNull

SilviuMihailDascalu — Tue, 09 Aug 2022 15:34:14 GMT

Hi,

One or more tools that are installed on the system may be causing this issue. Please raise a support ticket with our Customer Support team to help investigate and fix this issue.

Thanks,

Silviu

Re: An endpoint with the Cortex XDR installation intermittently creates a huge file and writes to the hard drive at C:\Windows\System32\PaloNull

Cyber1985 — Tue, 09 Aug 2022 20:05:09 GMT

Please let us know, how this Problem could be solved.

Rob

Re: An endpoint with the Cortex XDR installation intermittently creates a huge file and writes to the hard drive at C:\Windows\System32\PaloNull

A_Adamski — Wed, 12 Oct 2022 14:44:43 GMT

Dear All,

The engineering team saw 1 or 2 similar things in the past a long time ago. In all the cases it has been related to 3rd software (like nirsoft utility or some other system-wide tools).

So far, the issue did not occur again. We did include a check in our monitoring system, and as soon as it reappears, we will investigate further and reopen the case with the PA TAC.

Cheers!

Re: An endpoint with the Cortex XDR installation intermittently creates a huge file and writes to the hard drive at C:\Windows\System32\PaloNull

Salenko — Tue, 08 Oct 2024 20:05:40 GMT

Good day A file with the same name and size is created on the administrator's desktop for all available disk space.