08-03-2022 10:02 AM
Dear Live Community Members,
I have an issue and I'm struggling to find the reason behind it and need your help.
To give you some background on the problem at hand, my customer installed the Cortex XDR agent, and it works fine on some machines but on others when the installation process finished the problem occurred immediately and the PC is unusable.
Explorer stops working and the user is not able to do anything, he can use only the mouse but can't open any folders.
It also looks like the taskbar doesn't work, and if the user uses the keyboard's shortcut he's able to "navigate" in the file explorer or open the control panel and things like that.
We were also able to use the PC with the shortcut to do RDP on other computers and use some applications. But the ethernet NIC is like uninstalled and is not visible under the device manager or the network snap-in.
And during tests issue seems to be related to Cortex XDR, as after we uninstall the agent on the affected endpoint the problems disappear.
The problems don't appear on all clients, and the customer doesn't have particular policies applied to these groups, he is blocking the USB devices but all other policies are at their default values.
This issue affects the Cortex XDR Prevent, versions 7.7.1.62043 to 7.7.2.1822, and all the clients are on Windows 10 PRO 21H2 or higher. And all the clients are HP's notebooks.
After checking the logs I could see that the user was removing the Sophos Anti-Virus prior to installing Cortex XDR, but can't see anything suspicious with the installation and why this issue occurs.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Windows Installer installed the product. Product Name: Cortex XDR 7.7.2.1822. Product Version: 7.7.2.1822. Product Language: 1033. Manufacturer: Palo Alto Networks, Inc.. Installation success or error status: 0.
Updated Cortex XDR™ Advanced Endpoint Protection status successfully to SECURITY_PRODUCT_STATE_ON.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I've also found an older entry in the logs for TrapsV2:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The description for Event ID 93 from source TrapsV2 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
The message resource is present but the message was not found in the message table
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I'm leaning forward to issues with the Windows, and I'm wondering if you maybe have some ideas.
Could it be that there are still some reminiscences of an old Traps installation on the endpoint (or any other security app) causing these issues?
Did anyone have a similar issue and could help out?
I will appreciate your help and any hints will be welcome to solve this issue.
Thank you in advance!
08-04-2022 06:08 AM
The customer made a lot of checks and tests and we've found the main cause. On some of the affected clients (not all), there was an embedded antivirus/security agent installed, that the customer has disabled at the start of the PC's configuration (it was not possible to uninstall it).
And the issue has been solved after a clean installation of the OS on the affected endpoint.
The customer was also able to find a way to uninstall the software causing this issue, and after removing it the problems did not show up again.
It is a very odd thing, as we didn't find any log or entry that explains it. And the strangest thing is that it didn't occur on all the clients that had the agent installed.
Thank you for your help!
08-03-2022 10:07 AM
Hi A_Adamski,
Please open a TAC case via the Customer Support Portal for assistance on this issue.
08-04-2022 06:08 AM
The customer made a lot of checks and tests and we've found the main cause. On some of the affected clients (not all), there was an embedded antivirus/security agent installed, that the customer has disabled at the start of the PC's configuration (it was not possible to uninstall it).
And the issue has been solved after a clean installation of the OS on the affected endpoint.
The customer was also able to find a way to uninstall the software causing this issue, and after removing it the problems did not show up again.
It is a very odd thing, as we didn't find any log or entry that explains it. And the strangest thing is that it didn't occur on all the clients that had the agent installed.
Thank you for your help!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
