topic TELAM SERVICES IS STOPPED - CORTEX XDR in Cortex XDR Discussions

TELAM SERVICES IS STOPPED - CORTEX XDR

J.Gammara — Fri, 02 Jan 2026 20:55:11 GMT

Hi everyone,

I am looking for in-depth technical details regarding the telam service within the Cortex XDR agent architecture.

I've observed that this service handles the local machine learning analysis for executables, but I often see it in a "Stopped" state during runtime queries. Could anyone clarify:

Role & Impact: What exactly happens at the kernel/user level when telam is active versus stopped?
Resource Usage: How does it manage resources during the analysis of unknown files?
Troubleshooting: If the service is stopped unexpectedly, what are the standard logs or indicators we should look for (besides cytool)?

I am trying to build a better troubleshooting guide for my team, so any "under the hood" details would be very helpful.

Re: TELAM SERVICES IS STOPPED - CORTEX XDR

ssingh32 — Tue, 06 Jan 2026 11:49:03 GMT

Hi,

Telam service is boot time module which runs only during boot time.It protects against attack happening at boot level.As a result it is not meant to run during OS runtime.Hence It is showing stopped.

Please mark the solution as accepted ,if it helps.

Re: TELAM SERVICES IS STOPPED - CORTEX XDR

susekar — Tue, 06 Jan 2026 15:18:11 GMT

Hello @J.Gammara ,

Greetings for the day!

Technical analysis of the telam service (specifically the telam.sys driver) indicates that its behavior and role differ from observations regarding local machine learning analysis. In the Cortex XDR architecture, local machine learning analysis is typically handled by other modules, such as the Local Analysis Worker (tlaworker.exe) on Windows or the CLAD service on Linux.

Role & Impact

The telam service is a core system driver designed to comply with Microsoft’s Early Launch Anti-Malware (ELAM) specification.

When Active (During Boot):
The driver loads very early in the boot process, even before disk drivers. Its primary responsibilities are to:

Register the Cortex XDR agent as a trusted security product with the Windows Security Center (WSC)
Host the certificates and signatures required for the agent’s user-mode services (such as CyServer.exe) to run as an Anti-Malware Protected Process Light (AM-PPL)
Initialize agent tampering protection

When Stopped (Runtime):
Once these boot-time registration and self-protection initialization tasks are complete, the telam driver stops by design. Observing it in a Stopped state during runtime checks is expected behavior and does not indicate a malfunction.

Resource Usage

The telam driver itself is a minimal driver that primarily serves as a container for certificates and does not actively manage resources or perform file analysis.

Resource consumption during the analysis of unknown files is handled by the Local Analysis components. For example, while the telam driver is stopped, the Local Analysis Worker may consume between 500 MB and 1000 MB of RAM during analysis operations, which is considered normal behavior on active servers.

For in-depth analysis of "Unexpected Stops" of the main services (which might be what your team actually needs to troubleshoot), you should look for "Memory allocation failed" or "Out of memory" errors in trapsd.log.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New year!!

Thanks & Regards,
S. Subashkar Sekar