Tracking Corrupt Cortex XDR Agents


L1 Bithead

I am looking for any input on how other customers are handling situations where:

 

1. The agent is installed on a host and says it is checking in, but it does not appear in the Cortex XDR Console

2. The agent is corrupt and has stopped reporting back (due to a failed upgrade or otherwise)

 

I didn't know if anyone has any unique solutions for these situations. From a corrupt agent standpoint, it would be nice to have a Tenable plugin to report back the current signature versions.

 

 


Thank you for this, it is an option I wasn't aware of, and I will give this a try on a few agents to see.

When trying to delete an installation package from the console it DOES give a warning: "This will prevent new agents using the package, including VDI, from registering."

So I've never deleted a single package. Not sure if that will be an issue 5 years from now... 

 

Our main issue has to do with the file system filter driver/main cyserver service.

 

Here's a batch file I created to help with service issues. However, this does NOT fix the cyvrfsfd filter issue we are seeing.

NOT the silver bullet, but it might help to re-enable some agents...

-----------------------

@echo on

REM Stop the runtimes (cytool asks for the supervisor password, so it is piped in on each call)
echo PasswordHERE!!!|"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime stop

REM remove autoprotection
echo PasswordHERE!!!|"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect disable

REM Re-create each driver/filter/service if it is missing. "sc create" fails when the
REM service already exists, so "||" falls through to "sc config" to reset its settings.
sc create cyvrfsfd binpath= "C:\Program Files\Palo Alto Networks\Traps\cyvrfsfd.sys" type= filesys start= system error= normal group= "FSFilter Anti-Virus" tag= yes displayname= cyvrfsfd depend= FltMgr || sc config cyvrfsfd binpath= "C:\Program Files\Palo Alto Networks\Traps\cyvrfsfd.sys" type= filesys start= system error= normal group= "FSFilter Anti-Virus" tag= yes displayname= cyvrfsfd depend= FltMgr
sc create cyverak type= KERNEL start= system error= normal binpath= "C:\Program Files\Palo Alto Networks\Traps\cyverak.sys" tag= no displayname= cyverak || sc config cyverak type= KERNEL start= system error= normal binpath= "C:\Program Files\Palo Alto Networks\Traps\cyverak.sys" tag= no displayname= cyverak
sc create cyvrmtgn type= KERNEL start= system error= normal binpath= "C:\Program Files\Palo Alto Networks\Traps\cyvrmtgn.sys" tag= no displayname= cyvrmtgn || sc config cyvrmtgn type= KERNEL start= system error= normal binpath= "C:\Program Files\Palo Alto Networks\Traps\cyvrmtgn.sys" tag= no displayname= cyvrmtgn
sc create tedrdrv type= filesys start= system error= normal binpath= "C:\Program Files\Palo Alto Networks\Traps\tedrdrv.sys" group= "FSFilter Activity Monitor" tag= yes displayname= tedrdrv depend= FltMgr || sc config tedrdrv type= filesys start= system error= normal binpath= "C:\Program Files\Palo Alto Networks\Traps\tedrdrv.sys" group= "FSFilter Activity Monitor" tag= yes displayname= tedrdrv depend= FltMgr
sc create cyserver type= own start= auto error= normal binpath= "C:\Program Files\Palo Alto Networks\Traps\cyserver.exe" tag= no displayname= "Cortex XDR" depend= Cyvrmtgn/Cyverak/Cyvrfsfd/EventLog/CryptSvc/TEdrDrv || sc config cyserver type= own start= auto error= normal binpath= "C:\Program Files\Palo Alto Networks\Traps\cyserver.exe" tag= no displayname= "Cortex XDR" depend= Cyvrmtgn/Cyverak/Cyvrfsfd/EventLog/CryptSvc/TEdrDrv

REM Oh CRAP! sc start ftlmgr -> The specified service does not exist as an installed service
REM FltMgr is the Windows Filter Manager that both minifilters depend on; reconfigure it first and only create it as a last resort.
sc config FltMgr type= filesys start= boot error= critical binpath= "C:\Windows\system32\drivers\fltmgr.sys" group= "FSFilter Infrastructure" tag= yes displayname= FltMgr || sc create FltMgr type= filesys start= boot error= critical binpath= "C:\Windows\system32\drivers\fltmgr.sys" group= "FSFilter Infrastructure" tag= yes displayname= FltMgr

REM Set the services/drivers/filters to auto start, not required since we did it already.
REM (sc needs a space after each "option=" or the argument is silently rejected.)
REM sc config cyserver start= auto && sc config cyverak start= system && sc config cyvrmtgn start= system && sc config cyvrfsfd start= system && sc config tedrdrv start= system

REM Enable autoprotection
echo PasswordHERE!!!|"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect enable

REM start the services/drivers/filters. Use one or the other. Or both.
sc start cyverak & sc start cyvrmtgn & sc start cyvrfsfd & sc start tedrdrv & sc start cyserver
REM "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime start

REM Try reconnecting if communication with server has been disabled
echo PasswordHERE!!!|"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" reconnect

REM Update Cortex XDR from server
"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" checkin

REM Check Protection determined by policy
REM echo PasswordHERE!!!|"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect policy

REM Query product components running state
"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime query

REM Altitude and volumes for the filter can be found by issuing this command on an agent in working order:
REM fltmc instances
REM (output captured on a French-locale host; the columns are Filter, Volume Name, Altitude, Instance Name, Frame, SprtFtrs, VlStatus)
REM Filtre Nom du volume Altitude Nom de l'instance Cadre SprtFtrs VlStatus
REM -------------------- ------------------------------------- ------------ ---------------------- ----- -------- --------
REM cyvrfsfd 321234 Cyvera FSFD 0 00000007
REM cyvrfsfd C: 321234 Cyvera FSFD 0 00000007
REM cyvrfsfd 321234 Cyvera FSFD 0 00000007
REM cyvrfsfd \Device\Mup 321234 Cyvera FSFD 0 00000007

REM Saw this one once. Did not bother fixing it for all. But here's the info if required.
REM SERVICE_NAME: telam
REM TYPE : 1 KERNEL_DRIVER
REM START_TYPE : 0 BOOT_START
REM ERROR_CONTROL : 1 NORMAL
REM BINARY_PATH_NAME : \SystemRoot\system32\drivers\telam.sys
REM LOAD_ORDER_GROUP : early-launch
REM TAG : 0
REM DISPLAY_NAME : telam
REM DEPENDENCIES :
REM SERVICE_START_NAME :

REM sc create telam binpath= "C:\Windows\system32\drivers\telam.sys" type= kernel start= boot error= normal group= "early-launch" tag= no displayname= telam
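As an added example (not from the thread or from Palo Alto Networks), a read-only PowerShell health check that inspects the same components the batch file above re-creates, so a corrupt agent can be spotted before anything is repaired. It assumes the default install path and the service names quoted above, and it must run elevated for fltmc to work.

```powershell
# Added example (not from the thread): read-only health check for the Cortex XDR
# components that the batch file above re-creates. It reports whether each
# driver/service is registered and running, whether its binary is present, and
# whether the minifilters are actually attached (fltmc). Assumes the default
# install path and the service names quoted in the thread. Run elevated.

$TrapsDir = 'C:\Program Files\Palo Alto Networks\Traps'
$Components = @(
    @{ Name = 'cyverak';  File = 'cyverak.sys';  Kind = 'driver'  },
    @{ Name = 'cyvrmtgn'; File = 'cyvrmtgn.sys'; Kind = 'driver'  },
    @{ Name = 'cyvrfsfd'; File = 'cyvrfsfd.sys'; Kind = 'filter'  },
    @{ Name = 'tedrdrv';  File = 'tedrdrv.sys';  Kind = 'filter'  },
    @{ Name = 'cyserver'; File = 'cyserver.exe'; Kind = 'service' }
)

# Names of every minifilter currently attached to a volume. The header line
# ("Filter"/"Filtre" depending on locale) and the dashed rule are dropped.
$attached = & fltmc.exe instances 2>$null |
    Where-Object { $_ -match '^\w' -and $_ -notmatch '^(Filt|-)' } |
    ForEach-Object { ($_ -split '\s+')[0] } | Sort-Object -Unique

$report = foreach ($c in $Components) {
    # Kernel drivers live in Win32_SystemDriver, user-mode services in Win32_Service.
    $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$($c.Name)'"
    if (-not $svc) { $svc = Get-CimInstance Win32_Service -Filter "Name='$($c.Name)'" }
    [pscustomobject]@{
        Component      = $c.Name
        Kind           = $c.Kind
        Registered     = [bool]$svc
        State          = if ($svc) { $svc.State } else { 'MISSING' }
        StartMode      = if ($svc) { $svc.StartMode } else { 'n/a' }
        BinaryExists   = Test-Path (Join-Path $TrapsDir $c.File)
        FilterAttached = if ($c.Kind -eq 'filter') { $attached -contains $c.Name } else { 'n/a' }
    }
}

$report | Format-Table -AutoSize
# Anything unregistered, stopped, missing on disk, or (for minifilters) not attached
# marks the agent as corrupt; exit 1 so an RMM or scheduled task can flag the host.
$broken = $report | Where-Object {
    -not $_.Registered -or $_.State -ne 'Running' -or -not $_.BinaryExists -or
    ($_.Kind -eq 'filter' -and -not $_.FilterAttached)
}
if ($broken) {
    Write-Warning "Cortex XDR components needing attention: $($broken.Component -join ', ')"
    exit 1
}
exit 0
```

A host that reports clean here but is still absent from the console is a registration/console problem rather than a broken local install, which separates case 1 from case 2 in the original question.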

@thenetworksfine Thanks for your reply!

I haven't ever removed any old installation packages, I think, but it's worth checking out for sure.

Your reply could also be quite helpful, @Alexandre_Jodoin, thanks for sharing your solution!

You guys are giving me some interesting things to look at.

L0 Member

Does anyone have an update on this issue? It seems to occur around version upgrades, where a small percentage of agents stop responding.

Hi @MParker4 , this seems like an issue with the agent. Please generate a support file for a few affected endpoints, create a Support Ticket, and upload the support files for the PANW TAC Engineers to investigate.
