topic Re: Cyserver stopped by ntdll. in General Topics

Cyserver stopped by ntdll.

MarcoMJ — Sat, 04 May 2024 07:38:10 GMT

Hi team,

Recently, We discovered endpoints that got disconnected from the console and there is no clue on trapsd why it happened because the agent didn't record logs since its last_seenn on the console, for example; the agent has a last_seen on 1 May 2024 and you reconnected the agent on 4 May 2024, there are no logs between 1 May and 4 May. We discover a log like this on application.evtx;

Faulting application name: cyserver.exe, version: 8.2.1.47908

Faulting module name: ntdll.dll, version: 10.0.19041.3636

Exception code: 0xc0000374

Fault offset: 0x00000000000ff349

Faulting process id: 0x1a90

Faulting application path: C:\Program Files\Palo Alto Networks\Traps\cyserver.exe

Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

After that, when we started to check other endpoints, we discovered the same situation, Does anyone know a little more about this or has this happened?

Thank you

Re: Cyserver stopped by ntdll.

BPry — Sun, 05 May 2024 02:41:38 GMT

@MarcoMJ,

My current knowledge and hands-on experience with Cortex XDR is limited, but this has been a thing ever since they moved it to the cloud. I can't recall having as many issues locally outside of agent updates that failed.

What I would personally recommend doing is utilizing your inventory/AD/MDM/etc to get a list of computers that Cortex should show in console, and then utilize the API to identify any agents that aren't communicating properly. The script doesn't have to do anything difficult, simply look at the last connection time and pair it with a simple ICMP test. If the last connection time isn't today, and it's responding to ICMP, you have a bunk client that you need to fix.

I wish I had a better answer for you, but I spent a lot of time reporting agents that got disconnected and working to try and identify root cause so that I didn't have to spend as much time fixing things.