Unprotected & Partially Protected operational status in Linux servers


L3 Networker

Hello,

I noticed in the operational status that endpoints whose agent version is not upgraded show a status of protected, unprotected & unprotected.

After reviewing the operational status data, I came across 6 unique issues on the servers.

They are as follows (check name, followed by the reason reported):

1. Xdr Data Collection Not Running Or Not Sent: Linux kernel module detected repeated ungraceful shutdown/s
   Btp Not Working: Linux kernel module detected repeated ungraceful shutdown/s
   Antimalware Flow Is Asynchronous: Linux kernel module detected repeated ungraceful shutdown/s
   Local Privilege Escalation: Linux kernel module detected repeated ungraceful shutdown/s

2. Xdr Data Collection Not Running Or Not Sent: Linux kernel module failed to load
   Btp Not Working: Linux kernel module failed to load
   Antimalware Flow Is Asynchronous: Linux kernel module failed to load
   Local Privilege Escalation: Linux kernel module failed to load

3. Btp Not Working: Agent is not running, disabled by cytool
   Antimalware Flow Is Asynchronous: Agent is not running
   Antiexploit Protection: Agent is not running
   Local Privilege Escalation
   Xdr Data Collection Not Running Or Not Sent

4. Antimalware Flow Is Asynchronous: Linux kernel version is not supported
   Local Privilege Escalation: Linux kernel version is not supported
   General Agent Status: Agent running, without any valid content

5. Antimalware Flow Is Asynchronous: Agent is not running
   Antiexploit Protection: Agent is not running
   Local Privilege Escalation: Agent is not running

6. General Agent Status: Agent running, without any valid content

 

Kindly help me understand these 6 issues and how I can bring the Linux servers into protected mode.

 


L5 Sessionator

Hi @Shashanksinha ,

 

Thank you for writing to live community!

 

Case 1 occurs when you have Linux endpoints that had an ungraceful shutdown a couple of times (maybe due to power loss, a user shutting down, etc.), leading the kernel integrity module to crash. The recommendation is to fix the endpoint with a proper reboot and then reinstall the Cortex XDR agent on it.

 

Cases 2, 3, 4 and 5 are related either to incompatible kernel versions, to permissions not being allowed (applicable to macOS endpoints), or to no content updates reaching the agent since the time of agent installation.

 

Case 6 is another use case of agents without content updates.

 

Each of the use cases has its own requirement. The first and foremost requirement is definitely content updates. Please check with the network administration team to whitelist the URLs required to enable access to Cortex XDR and its associated content, as listed here.

 

Kernel incompatibility can be addressed with content updates, but that takes time, so for the interim period you can allow the Linux endpoints to run in User Space mode by configuring the agent operation mode to User Space in the agent settings profile.

 

For macOS endpoints, please check that all system privileges are granted as required.

 

Hope that answers your question.
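The six status strings in the question and the case-by-case guidance in the reply can be turned into a small triage script. The following is an added example, not code from the original post or from Palo Alto Networks: it tokenises the concatenated "check name + reason" text exactly as it appears in the export (commas, newlines or no separator at all between fragments) and maps each reason to the remediation the reply recommends. The check and reason vocabularies are limited to strings that appear in this thread; the case labels, the action text and the priority ordering are this example's own assumptions, not an official Cortex XDR taxonomy.

```python
"""Triage Cortex XDR operational-status strings exported for Linux endpoints.

Added example, not code from the original post or from Palo Alto Networks.
The export seen in the thread concatenates "<check name><reason>" fragments
with inconsistent separators, so we tokenise on the known check and reason
strings and map each reason to the remediation the reply recommends.
"""
import re

# Check names that appear in the operational status export in the thread.
CHECKS = [
    "Xdr Data Collection Not Running Or Not Sent",
    "Btp Not Working",
    "Antimalware Flow Is Asynchronous",
    "Antiexploit Protection",
    "Local Privilege Escalation",
    "General Agent Status",
]

# Reason string -> (case label, action). Labels and actions are assumptions
# summarising the reply, not an official Cortex XDR taxonomy.
REASONS = {
    "Linux kernel module detected repeated ungraceful shutdown/s":
        ("ungraceful_shutdown", "reboot the host cleanly, then reinstall the agent"),
    "Linux kernel module failed to load":
        ("kernel_module", "verify kernel support; run in User Space mode until content catches up"),
    "Linux kernel version is not supported":
        ("kernel_unsupported", "run in User Space mode until content adds kernel support"),
    "Agent is not running, disabled by cytool":
        ("agent_disabled", "protection was disabled locally with cytool; re-enable it"),
    "Agent is not running":
        ("agent_down", "start the agent service and check that it stays up"),
    "Agent running, without any valid content":
        ("no_content", "allow the content-update URLs through the proxy/firewall"),
}

# Content delivery is the reply's "first and foremost" requirement, so it
# sorts first; the rest of the order is this example's own choice.
PRIORITY = ["no_content", "agent_disabled", "agent_down",
            "ungraceful_shutdown", "kernel_module", "kernel_unsupported"]

CHECK_SET = frozenset(CHECKS)
# Longest alternative first so "Agent is not running, disabled by cytool"
# wins over its prefix "Agent is not running".
TOKEN_RE = re.compile("|".join(
    re.escape(s) for s in sorted(CHECKS + list(REASONS), key=len, reverse=True)))


def parse_status(raw):
    """Split a raw export string into (check, reason) pairs.

    A check followed by another check (or by end of input) has no reason
    and is reported with None. Separator characters are simply skipped.
    """
    pairs, pending = [], None
    for m in TOKEN_RE.finditer(raw):
        tok = m.group(0)
        if tok in CHECK_SET:
            if pending is not None:
                pairs.append((pending, None))
            pending = tok
        else:
            pairs.append((pending, tok))
            pending = None
    if pending is not None:
        pairs.append((pending, None))
    return pairs


def triage(raw):
    """Return the parsed pairs plus distinct cases and actions in priority order."""
    pairs = parse_status(raw)
    found = {REASONS[r][0] for _, r in pairs if r in REASONS}
    cases = [c for c in PRIORITY if c in found]
    actions = [next(a for lbl, a in REASONS.values() if lbl == c) for c in cases]
    return {"pairs": pairs, "cases": cases, "actions": actions}


# Constructed samples, copied verbatim from issues 2 and 3 in the original post.
SAMPLE_ISSUE_2 = (
    "Xdr Data Collection Not Running Or Not Sent\n"
    "Linux kernel module failed to load Btp Not Working\n"
    "Linux kernel module failed to load ,Antimalware Flow Is Asynchronous\n"
    "Linux kernel module failed to load\n"
    "Local Privilege Escalation , Linux kernel module failed to load"
)
SAMPLE_ISSUE_3 = (
    "Btp Not Working Agent is not running, disabled by cytool\n"
    "Antimalware Flow Is AsynchronousAgent is not running\n"
    "Antiexploit Protection Agent is not running\n"
    "Local Privilege Escalation Xdr Data Collection Not Running Or Not Sent ."
)

if __name__ == "__main__":
    for name, raw in (("issue 2", SAMPLE_ISSUE_2), ("issue 3", SAMPLE_ISSUE_3)):
        report = triage(raw)
        print(name, "cases:", report["cases"])
        for check, reason in report["pairs"]:
            print("  ", check, "->", reason)
        for action in report["actions"]:
            print("   action:", action)
```

Run it against the text of each server's status cell; issue 3 parses into two distinct cases (an agent disabled by cytool plus modules reporting the agent not running) and two trailing checks with no reason attached, which is the same ambiguity a reader hits when eyeballing the raw export.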
