Disabling anti-tampering for a single endpoint


L2 Linker

We have XDR Agent Tampering Protection enabled for all of our 60,000+ endpoints.

Sometimes we need local tech coordinators to uninstall/reinstall XDR on the machine (usually an old, corrupted agent version that will not upgrade or scan, etc.).

Is there a way to disable anti-tampering on specific endpoints without changing the Policy and affecting all of the other devices on the same policy?

I am looking for a better solution to remove XDR from these devices than sending the Agent Cleaner and anti-tampering password.

1 accepted solution

Accepted Solutions

L6 Presenter

You may try creating a new "Agent Settings Profiles" profile with anti-tampering stopped, attach it to a new policy rule that is placed before your policy rule for the 60,000 stations, and then set the target to the AD user / AD group or Endpoint group you want.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-xql-language-reference/stages-command...

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/defin...

3 REPLIES

L6 Presenter

If you managed to get the needed answers, please flag the question as answered.

L2 Linker

You have the option of using the Cytool utility that comes as part of the agent. Cytool can be found at 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'. At an admin command prompt, run 'cytool protect disable'. You can then stop services, uninstall, or do whatever you need to do now that tamper protection is disabled.


echo passwordhere| "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect disable


For more information on Cytool and its usage, see the agent admin guide:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-8/cortex-xdr-agent-admin/cortex-xdr-agent-for-...

PB
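An added example, not code from the reply above or from Palo Alto Networks: a PowerShell wrapper around the same cytool protect disable call that prompts for the anti-tampering password instead of placing it on the command line (where the echo one-liner leaves it in console history), and records who ran it and the result in the Application event log. The cytool path is the one quoted in the thread; the event source name 'XDR-Maintenance', the event ID, and the assumption that a non-zero exit code means failure are mine.

```powershell
# Added example (not from the original post): wraps the cytool invocation shown
# above so the anti-tampering password is read securely rather than echoed on
# the command line, and the action is written to the Application event log.
# Assumptions: the agent path is the one quoted in the thread; the event source
# 'XDR-Maintenance' and event ID 1001 are placeholders chosen here; a non-zero
# exit code from cytool is treated as failure.

function Disable-XdrTamperProtection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$CytoolPath = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe',
        [string]$EventSource = 'XDR-Maintenance'
    )

    if (-not (Test-Path -LiteralPath $CytoolPath)) {
        throw "cytool.exe not found at '$CytoolPath'"
    }

    # Prompt for the anti-tampering password without echoing it to the console
    # or leaving it in the shell history.
    $secure = Read-Host -Prompt 'Anti-tampering password' -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'cytool protect disable')) { return }

    # Same mechanism as the echo one-liner: the password reaches cytool on stdin.
    $output = $plain | & $CytoolPath protect disable 2>&1
    $code   = $LASTEXITCODE
    $plain  = $null   # drop the plaintext copy as soon as it is no longer needed

    # Audit trail: which operator disabled protection on which host, and the result.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $type = if ($code -eq 0) { 'Information' } else { 'Warning' }
    $msg  = "cytool protect disable run by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME; " +
            "exit code $code; output: $($output -join ' ')"
    Write-EventLog -LogName Application -Source $EventSource -EventId 1001 -EntryType $type -Message $msg

    if ($code -ne 0) { throw "cytool exited with code $code" }
    return $output
}

# Usage (elevated prompt): Disable-XdrTamperProtection -WhatIf   # dry run
#                          Disable-XdrTamperProtection
```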