Cytool stops scanning and times out


L1 Bithead

Hello everyone,

I'm trying to create a gold image in an AWS AppStream 2.0 environment. I'm following the steps listed here:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.1/Cortex-XDR-Agent-Administrator-Guide/Corte...

When I get to step 2c under "Configure the Cortex XDR Agent in a Non-Persistent VDI" and issue the command listed, the scanning stops at C:\Windows\write.exe and times out. Does anyone have experience with this situation?

 

Thanks.

3 REPLIES

L3 Networker

Hi @J.Isaias 

Thank you for reaching out to the Live community!

There could be many reasons for this issue which need a thorough investigation of tech support files to find the exact cause/solution.

There is an article about this issue; please check if it helps: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYjrCAE

Additionally, please check the size of the file where the scan is getting stuck (C:\Windows\write.exe). If the file size is over 100 MB, that could be the cause as well, since those files will never be uploaded to WildFire for examination and the agent might be waiting for the verdict.

There is an auto mechanism where the agent should ideally skip those files and move on to the next files in case verdict upload/retrieval fails, so I would suggest checking the above initial troubleshooting steps, and if that doesn't help, please raise a ticket with TAC for further RCA, technical support file investigations and permanent fixes.

Please click Accept as Solution to acknowledge if this answer added value to your question.

Best,


L1 Bithead:

 

Thank you for your advice. It's an excellent idea, but unfortunately, the setting already has the desired value (WildFire upload is set to enable). I really appreciate it since your answer made a lot more sense than the ones I was given by the tech support people. Right now, a second level tech is looking into my issue. The last thing we tried was to force a scan of the VDI, hoping that WildFire would check the files, but it still didn't work.

L1 Bithead

Thank you all for the suggestions. Just yesterday the TAC team resolved my issue. It took some time and effort, but finally, we resolved it. This is what I was instructed to do (in case someone runs into this issue and thinks this could help):

1. Open command prompt with admin privilege
2. From the command prompt, go to the Traps installation folder i.e. C:\Program Files\Palo Alto Networks\Traps
3. Run command: cytool runtime stop
4. Provide uninstallation password
5. Navigate to C:\ProgramData\Cyvera\LocalSystem\Persistence
6. Back up and delete all the *.db files within the Persistence folder, but do not delete the Persistence folder itself. This is important. Note: In the end, I was directed to delete all the contents of this folder because they mentioned "files" with .db extensions, but in reality, they were folders, a couple of files with no extensions, and other folders with extensions .db.lru in there (again, just the contents, not the folder itself)
7. Navigate to C:\ProgramData\Cyvera\LocalSystem
8. Delete the "wfcache.log" file (in my case this file didn't exist.)
9. Run command: cytool runtime start
10. Run the command: cytool reconnect force
11. Provide the uninstallation password (if the actual password doesn't work, please use the default password)
12. Give it a few seconds and verify if it is able to connect and gets enabled
13. Now start the scan again
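
The steps from the post above as a PowerShell script, added here as an example (not part of the thread and not TAC's own script); it copies the Persistence contents to a backup folder and checks the copy before deleting anything. The backup location `XdrPersistenceBackup_<timestamp>` is an assumption; the paths and cytool commands are the ones quoted in the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not TAC's or Palo Alto Networks' script.
# Paths and cytool subcommands are the ones quoted in the post above.
$ErrorActionPreference = 'Stop'

$trapsDir = 'C:\Program Files\Palo Alto Networks\Traps'
$localSys = 'C:\ProgramData\Cyvera\LocalSystem'
$persist  = Join-Path $localSys 'Persistence'
$cytool   = Join-Path $trapsDir 'cytool.exe'
# Hypothetical backup location (assumption); any folder outside LocalSystem works.
$backup   = Join-Path $env:SystemDrive ('XdrPersistenceBackup_{0:yyyyMMdd_HHmmss}' -f (Get-Date))

if (-not (Test-Path -LiteralPath $cytool -PathType Leaf)) { throw "cytool.exe not found in $trapsDir" }
if (-not (Test-Path -LiteralPath $persist -PathType Container)) { throw "Missing folder: $persist" }

# Steps 3-4: stop the agent; cytool prompts for the uninstallation password.
& $cytool runtime stop

# Step 6: back up everything inside Persistence (files and folders, hidden ones included).
New-Item -ItemType Directory -Path $backup | Out-Null
$items = @(Get-ChildItem -LiteralPath $persist -Force)
if ($items.Count -gt 0) {
    $items | Copy-Item -Destination $backup -Recurse -Force
}

# Refuse to delete unless the backup holds the same number of files as the source.
$srcCount = @(Get-ChildItem -LiteralPath $persist -Recurse -Force -File).Count
$dstCount = @(Get-ChildItem -LiteralPath $backup  -Recurse -Force -File).Count
if ($srcCount -ne $dstCount) { throw "Backup incomplete ($dstCount of $srcCount files); nothing deleted." }

# Delete the contents only; the Persistence folder itself must remain.
# If the removal errors (for example because the agent did not stop), the script stops here.
$items | Remove-Item -Recurse -Force

# Step 8: wfcache.log may not exist (it did not for the poster).
$wfcache = Join-Path $localSys 'wfcache.log'
if (Test-Path -LiteralPath $wfcache -PathType Leaf) { Remove-Item -LiteralPath $wfcache -Force }

# Steps 9-11: restart the agent and force a reconnect (second password prompt).
& $cytool runtime start
& $cytool reconnect force

Write-Host "Persistence contents backed up to $backup. Verify the agent connects, then rerun the scan."
```

On a gold image, delete the backup folder once the scan completes and before capturing the image, so it is not baked into every session.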
