We have an issue removing old and installing latest version of Cortex XDR.
Device is not showing in PaloAlto console as well.
I have red that someone is trying to cleanup system using xdragentcleaner.exe tool, but where can we get it?
Thank you in advance!
Hi @AndrisZebergs ,
Cortex XDR have tampering protection, which prevents any modification for the files or the processes for the agent, even if you are local administrator. Any attempt to uninstall or upgrade the agent manually (install on top, or uninstall and install new etc) will fail because XDR protection wouldn't allow to modify any of the files.
The proper way to re-install agent that doesn't communicate with console is:
1. Get the uninstall/supervisor password
2. Open CMD as admin and go to XDR folder C:\Program Files\Palo Alto Networks\Traps
3. Using XDR command line tool "cytool" disable tampering protection using the following command: > cytool.exe protect disable
You will be prompted to enter a password - you need to provide the supervisor (or known as uninstall) password
The tricky part is that this password is Global for all agents and it is configured in your XDR console.
When you generate installation package the password that is being used at the moment will be put in the msi and after that used by the agent after installation. If you change the supervisor password in the console, agent will get the new password automatically only if they are communicating with the console. The agents that have issues and haven't be communicating with the console will not receive the updated password, so they will stuck with the password that is being used when msi package used for the installation was created.
So if cytool does not accept your current uninstall password, try to use old password (if you have change it)
If you don't have the correct uninstall password I would suggest to contact support - they may have some ways, but from what I know there isn't any official way to remove XDR agent if you don't have the correct uninstall password.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!