topic Re: cytray.exe "bad image" errors following Agent update in Advanced Threat Prevention Discussions

cytray.exe "bad image" errors following Agent update

cskoien — Sun, 03 Mar 2024 23:11:18 GMT

Following the Cortex XDR Windows agent update to 8.3.0.49434 we started to see the following error affecting some application DLLs.

Clicking Ok makes the message go away and the application keeps working. TAC case was logged and an temporary Support Exception was added and applied to some affected hosts. This seemed to stop the error.

Wondering if anyone else is experiencing the same or similar issue? This affects approx. 2 DLLs on two separate applications of ours. I'd like to see a fix come in the form of an update to the Cortex XDR client, as applying a temporary support exception doesn't seem like a viable long term solution.

Re: cytray.exe "bad image" errors following Agent update

emr_1 — Mon, 04 Mar 2024 02:19:56 GMT

We see same issue in several customer's environments. As far as I know, PAN will plan to fix the issue within 8.3.1 and 8.4.

Re: cytray.exe "bad image" errors following Agent update

Gerry_Fahy — Mon, 04 Mar 2024 12:36:44 GMT

Same issues here, with a specific application (Parallels)

Re: cytray.exe "bad image" errors following Agent update

cskoien — Mon, 04 Mar 2024 23:05:21 GMT

Information from TAC:

"This is caused by a new feature enabled in 8.3, where we check the signature level of every DLL loaded into cytray.exe. The application's DLL must be unsigned or with a lower trusted level, which will result in the DLL being blocked by us and this pop-up to show. hence we have provided the SUEX to disable the feature.

At the moment the engineering team does not consider this issue as an actual bug inside the product, but rather a by-design behavior.

I would like to inform you that it might be fixed in the upcoming version of the XDR Agent, but we do not have an ETA for this."

I'd argue that its a bug. Its not an error handled by cytray.exe. Windows is throwing an error due to the action.

Re: cytray.exe "bad image" errors following Agent update

AndyHartwell — Tue, 05 Mar 2024 12:38:58 GMT

We are also having problems with Parallels RAS. The DLL Cytray is complaining about appears to be signed OK.

Interested to hear how you work around this. Parallels seem to think it is not a problem for them to fix.

Re: cytray.exe "bad image" errors following Agent update

Gerry_Fahy — Tue, 05 Mar 2024 12:43:36 GMT

I raised an issue with support and they applied a test exception profile in Cortex dashboard. However, I'm still seeing this issue on some machines even though the exception has been applied.

Re: cytray.exe "bad image" errors following Agent update

AndyHartwell — Tue, 05 Mar 2024 14:44:26 GMT

Seems we are reliant on Palo Alto to help with this. Response from Parallels - "This issue is unrelated to the Parallels RAS issue, so we suggest reaching out to Palo Alto support for further clarification and assistance."

Re: cytray.exe "bad image" errors following Agent update

AndyHartwell — Tue, 05 Mar 2024 15:33:39 GMT

Do you think its worth compiling a list of applications that we believe to be affected ? At the moment PaloAlto don't seem to be at all interested but that may change if a long list of applications that they have broken were put together ?

Re: cytray.exe "bad image" errors following Agent update

cskoien — Tue, 05 Mar 2024 22:46:06 GMT

Andy - The statement I got from Palo was "This is caused by a new feature enabled in 8.3, where we check the signature level of every DLL loaded into cytray.exe. The application's DLL must be unsigned or with a lower trusted level, which will result in the DLL being blocked by us and this pop-up to show. hence we have provided the SUEX to disable the feature."

I agree in that its not a problem for Parallels to fix. If its a feature of Cortex XDR then there should be some alerting/incidents relating to the block in the console, but there is nothing. Blanket disabling a newly introduced feature is not a solution.

Re: cytray.exe "bad image" errors following Agent update

cskoien — Tue, 05 Mar 2024 22:48:41 GMT

Andy - I am waiting to hear back today with further information. I'm receiving mixed messages on whether Palo Alto plan to fix it in the next agent release. One response stated "late March" but had not firm release timeline.

Re: cytray.exe "bad image" errors following Agent update

Jurriaan — Wed, 06 Mar 2024 14:30:01 GMT

Same here with DLL belonging to Teamviewer: "C:\Program Files (x86)\TeamViewer\tv_x64.dll"

Re: cytray.exe "bad image" errors following Agent update

cskoien — Wed, 06 Mar 2024 23:51:13 GMT

Received confirmation that this issue will be resolved in the next release of the agent, tentative release date being late March 2024.

Re: cytray.exe "bad image" errors following Agent update

huangyz — Thu, 07 Mar 2024 01:09:50 GMT

Yes,it's not a good solution.

Betreff: cytray.exe "bad image" errors following Agent update

StephanRuediger — Thu, 07 Mar 2024 07:26:08 GMT

Hello,

ZoomText

Re: cytray.exe "bad image" errors following Agent update

DovToren — Fri, 08 Mar 2024 17:28:51 GMT

Not an issue my a$$ .. Ever since 8.3.0 we get multiple alerts from a monitoring software that the Cortex XDR service has stopped. Digging into PC's and laptop's event logs, it appears it's cysvc.dll itself which is crashing; we see the same event log entry in all the the computers which reported the issue.

Re: cytray.exe "bad image" errors following Agent update

JLamb17 — Tue, 12 Mar 2024 13:40:24 GMT

Would you know where one would obtain this "SUEX "?

Cheers
jc

Re: cytray.exe "bad image" errors following Agent update

Jurriaan — Tue, 12 Mar 2024 15:36:48 GMT

1) On effected machines, downgraded from 8.3.0 to 8.2.1

2) In CortexXDR Console created a policy preventing agent to be upgraded

3) Added effected machines to the policy

No more annoying popups. Waiting for new version.

Re: cytray.exe "bad image" errors following Agent update

emr_1 — Mon, 18 Mar 2024 05:15:44 GMT

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008XKOCA2

FYI : The new KB posted which related to this issue.

Re: cytray.exe "bad image" errors following Agent update

LCMember40912 — Tue, 19 Mar 2024 18:06:45 GMT

The PAN article says:

To resolve the issue, please whitelist Cortex XDR Agent process on the affected 3rd party application to disable injection into Cortex XDR Agent process.

But no indication is given how to do that, so it is not helpful.

Re: cytray.exe "bad image" errors following Agent update

GrazianoG — Wed, 20 Mar 2024 11:43:24 GMT

The whitelisting workaround works if there is a security product injecting DLLs in Cortex processes. But in case it is for example TeamViewer or another software's DLL, this is unfeasible because they do not have a whitelist to configure.