08-24-2022 02:45 PM
We have XDR Agent Tampering Protection enabled for all of our 60,000+ endpoints.
Sometimes we need local tech coordinators to uninstall/reinstall XDR on the machine (usually an old corrupted agent version that will not upgrade or scan, etc.).
Is there a way to disable anti-tampering on specific endpoints without changing the Policy and affecting all of the other devices on the same policy?
I am looking for a better solution to remove XDR from these devices than sending the Agent Cleaner and anti-tampering password.
09-08-2022 03:46 AM
You may try creating a new "Agent Settings Profiles" profile with anti-tampering stopped, attach it to a new policy rule that is before your policy rule for the 60 000 stations, and then set the target to the AD user / AD group or Endpoint group you want.
10-13-2022 02:23 PM
If you managed to get the needed answers, please flag the question as answered.
10-14-2022 08:46 AM
You have the option of using the Cytool utility that comes as part of the agent. Cytool can be found at 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'. At an admin command prompt, run 'cytool protect disable'. You can then stop services, uninstall or do whatever you need to do now that tamper protect is disabled.
echo passwordhere| "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect disable
For more information on Cytool and its usage, see the agent admin guide:
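
An added example, not part of the original replies and not Palo Alto Networks code: a PowerShell wrapper around the Cytool step above that prompts for the anti-tampering password instead of typing it into a command, and turns protection back on after a repair. It assumes `cytool protect enable` accepts the password on stdin the same way `protect disable` does and that cytool exits nonzero on failure; the `$Maintenance` parameter and function name are hypothetical.

```powershell
#Requires -RunAsAdministrator
param(
    # Work to run while protection is off (hypothetical parameter name).
    [Parameter(Mandatory)] [scriptblock] $Maintenance,
    [string] $CyTool = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'
)

function Invoke-CyToolProtect {
    param([ValidateSet('disable', 'enable')] [string] $Action,
          [securestring] $Password)
    # Decrypt only for the duration of the call; the value reaches cytool on
    # stdin, as in the reply's "echo ... |" form, never as a command argument.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    try {
        $plain | & $CyTool protect $Action | Out-Host
        # Assumption: cytool signals failure with a nonzero exit code.
        if ($LASTEXITCODE -ne 0) {
            throw "cytool protect $Action failed (exit code $LASTEXITCODE)"
        }
    } finally {
        $plain = $null
    }
}

if (-not (Test-Path -LiteralPath $CyTool)) { throw "cytool not found at $CyTool" }
$pw = Read-Host -AsSecureString -Prompt 'Anti-tampering password'

Invoke-CyToolProtect -Action disable -Password $pw
try {
    & $Maintenance
} finally {
    # After an uninstall cytool.exe is gone and there is nothing to re-enable;
    # in every other case (including a failed repair) restore protection.
    if (Test-Path -LiteralPath $CyTool) {
        Invoke-CyToolProtect -Action enable -Password $pw
    } else {
        Write-Warning 'Agent removed; reinstall it to restore protection.'
    }
}
```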