https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235285#M8619 <P>Palo TAC&nbsp; Support Feedback was to go with File Protection disable under Agent Security Settings. Test with updated version would help to remove unnecessary profiles.</P> <P>&nbsp;</P> Mon, 04 Aug 2025 06:01:58 GMT kpatel35ntt 2025-08-04T06:01:58Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235190#M8612 <P>We have noticed random block of sysprep process and ending up corrupting image. Has anyone noticed this?</P> Fri, 01 Aug 2025 07:28:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235190#M8612 kpatel35ntt 2025-08-01T07:28:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235222#M8614 <P>Hi Kpatel35ntt,</P> <P>It seems to me that this random block of sysprep has to do with our detection thinking that a legit process is maybe used in a suspicious way.&nbsp;</P> <P>&nbsp;</P> <P>I see this have to be investigated further, so I would recommed to open a TAC support case, to figure out the root cause of false positives on sysprep behavior&nbsp;</P> <P>A temporal solution would be to create a legacy exception on that process/path/hash... the more you narrow down, the better</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Fri, 01 Aug 2025 15:13:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235222#M8614 eluis 2025-08-01T15:13:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235275#M8618 <P>Check this knowledge base article:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000blZlKAI" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000blZlKAI</A></P> <P>Could be the issue you have.</P> <P>Hope this helps</P> Mon, 04 Aug 2025 05:20:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235275#M8618 micomi 2025-08-04T05:20:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235285#M8619 <P>Palo TAC&nbsp; Support Feedback was to go with File Protection disable under Agent Security Settings. Test with updated version would help to remove unnecessary profiles.</P> <P>&nbsp;</P> Mon, 04 Aug 2025 06:01:58 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/suspecting-xdr-agent-blocking-sysprep-process-randomly/m-p/1235285#M8619 kpatel35ntt 2025-08-04T06:01:58Z