01-02-2026 12:55 PM
Hi everyone,
I am looking for in-depth technical details regarding the telam service within the Cortex XDR agent architecture.
I've observed that this service handles the local machine learning analysis for executables, but I often see it in a "Stopped" state during runtime queries. Could anyone clarify:
- Role & Impact: What exactly happens at the kernel/user level when telam is active versus stopped?
- Resource Usage: How does it manage resources during the analysis of unknown files?
- Troubleshooting: If the service is stopped unexpectedly, what are the standard logs or indicators we should look for (besides cytool)?
I am trying to build a better troubleshooting guide for my team, so any "under the hood" details would be very helpful.
01-06-2026 07:18 AM
Hello @J.Gammara ,
Greetings for the day!
Technical analysis of the telam service (specifically the telam.sys driver) indicates that its behavior and role differ from observations regarding local machine learning analysis. In the Cortex XDR architecture, local machine learning analysis is typically handled by other modules, such as the Local Analysis Worker (tlaworker.exe) on Windows or the CLAD service on Linux.
The telam service is a core system driver designed to comply with Microsoft’s Early Launch Anti-Malware (ELAM) specification.
When Active (During Boot):
The driver loads very early in the boot process, even before disk drivers. Its primary responsibilities are to:
- Register the Cortex XDR agent as a trusted security product with the Windows Security Center (WSC)
- Host the certificates and signatures required for the agent’s user-mode services (such as CyServer.exe) to run as an Anti-Malware Protected Process Light (AM-PPL)
- Initialize agent tampering protection
When Stopped (Runtime):
Once these boot-time registration and self-protection initialization tasks are complete, the telam driver stops by design. Observing it in a Stopped state during runtime checks is expected behavior and does not indicate a malfunction.
The telam driver itself is a minimal driver that primarily serves as a container for certificates and does not actively manage resources or perform file analysis.
Resource consumption during the analysis of unknown files is handled by the Local Analysis components. For example, while the telam driver is stopped, the Local Analysis Worker may consume between 500 MB and 1000 MB of RAM during analysis operations, which is considered normal behavior on active servers.
For in-depth analysis of "Unexpected Stops" of the main services (which might be what your team actually needs to troubleshoot), you should look for "Memory allocation failed" or "Out of memory" errors in trapsd.log.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New Year!
Thanks & Regards,
S. Subashkar Sekar
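A runtime check that follows the reply above, written as an added example and not part of the original post or of the Cortex XDR product: it reads the telam driver's start mode and state through the Win32_SystemDriver class, treats the "boot-start and Stopped" combination as the expected result, and then scans an agent log for the two memory-error strings the reply names. The log path is a placeholder the thread does not supply; replace it with the trapsd.log location on your host.

```powershell
# Added example (not from the thread): confirm that the telam driver is a boot-start
# driver that is expected to be Stopped at runtime, then look in trapsd.log for the two
# error strings the reply names. $TrapsdLog is a placeholder, not a value from the thread.
param(
    [string]$DriverName = 'telam',
    [string]$TrapsdLog  = 'C:\PLACEHOLDER\trapsd.log'
)

# Win32_SystemDriver exposes StartMode ("Boot", "System", "Auto", ...) and State.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
if (-not $drv) {
    Write-Warning "Driver '$DriverName' is not registered on this host."
} else {
    [pscustomobject]@{
        Name      = $drv.Name
        StartMode = $drv.StartMode
        State     = $drv.State
        Path      = $drv.PathName
    } | Format-List

    # An ELAM driver is Boot-start and unloads once boot completes, so Boot + Stopped
    # is the expected combination. A different StartMode is worth a closer look.
    if ($drv.StartMode -eq 'Boot' -and $drv.State -eq 'Stopped') {
        Write-Output "OK: '$DriverName' is a boot-start driver that has finished its boot-time work."
    } elseif ($drv.StartMode -ne 'Boot') {
        Write-Warning "'$DriverName' StartMode is '$($drv.StartMode)', not 'Boot'; verify the agent installation."
    }
}

# Scan trapsd.log for the memory errors named in the reply. These concern the main
# agent services, not the telam driver.
if (Test-Path $TrapsdLog) {
    $hits = Select-String -Path $TrapsdLog -Pattern 'Memory allocation failed', 'Out of memory' -SimpleMatch
    if ($hits) {
        Write-Output "Found $($hits.Count) memory-related error line(s) in $TrapsdLog (last 10 shown):"
        $hits | Select-Object -Last 10 | ForEach-Object { "  line $($_.LineNumber): $($_.Line)" }
    } else {
        Write-Output "No 'Memory allocation failed' / 'Out of memory' lines in $TrapsdLog."
    }
} else {
    Write-Warning "Log file not found: $TrapsdLog"
}
```

Run it from an elevated PowerShell prompt so the log file is readable; the driver query itself needs no special rights. A "Boot" start mode with a "Stopped" state is the healthy case described in the reply, so the script only warns when the start mode differs or when the log carries the named errors.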
01-06-2026 03:49 AM
Hi,
The Telam service is a boot-time module which runs only during boot time. It protects against attacks happening at boot level. As a result, it is not meant to run during OS runtime. Hence it is showing as stopped.
Please mark the solution as accepted, if it helps.