Dear Live Community Members,
One of my customers noticed that some endpoints with the Cortex XDR installation sometimes creates a huge file that grows in size with time.
On several VMs equipped with the Cortex Agent (version 7.7.1, but we also noticed this with older versions in the past) sometimes a file called "PaloNull" is created, which grows really huge and eventually uses up all free disk space on the C: drive.
We cannot leave the file in place when this occurs since it impedes normal operation.
This data are being written/saved to the hard drive at the C Drive at the below location:
C:\Windows\System32\PaloNull
This happened on approx. 10-15 VMs running Windows Server 2016 up to 2022 (maybe even older versions) within the last 12 months.
An older VM (Windows Server 2016) had Cortex installed for almost two years, whereas the newest VM (Windows Server 2022) was equipped with Cortex just a month ago.
The customer correlates this to Cortex due to the name (PaloNull) and the fact that this occurred also on systems with no other PAN software installed (we ruled out PAN TS Agent for NGFW User ID as a cause just before creating this ticket).
Apart from the default Windows Defender which we leave untouched, no other security software is installed on the affected devices.
I could not find any info about similar issues and the sample file does not provide any useful data.
I have a sample of that file, but I can't access and read the data from it:
Could you help me out and let me know if this is a known bug? And how can we troubleshoot why this happens?
I'm struggling to confirm that this file has been in fact created by the Cortex XDR and the reason behind it.
And I will really appreciate your help and any hints to investigate this issue further.
Thank you in advance!
