Cannot upgrade Cortex XDR from 7.4 to 7.8.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cannot upgrade Cortex XDR from 7.4 to 7.8.1

L1 Bithead

Hello.

 

We have an issue removing old and installing latest version of Cortex XDR. 

Device is not showing in PaloAlto console as well.

I have red that someone is trying to cleanup system using xdragentcleaner.exe tool, but where can we get it?

 

Thank you in advance!

 

 



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
1 accepted solution

Accepted Solutions

I have created ticket for support and got cleanup tool, which is working perfectly. 

 

View solution in original post

3 REPLIES 3

Hi @AndrisZebergs ,

 

Cortex XDR have tampering protection, which prevents any modification for the files or the processes for the agent, even if you are local administrator. Any attempt to uninstall or upgrade the agent manually (install on top, or uninstall and install new etc) will fail because XDR protection wouldn't allow to modify any of the files.

 

The proper way to re-install agent that doesn't communicate with console is:

1. Get the uninstall/supervisor password

2. Open CMD as admin and go to XDR folder C:\Program Files\Palo Alto Networks\Traps

3. Using XDR command line tool "cytool" disable tampering protection using the following command: > cytool.exe protect disable

You will be prompted to enter a password - you need to provide the supervisor (or known as uninstall) password

 

The tricky part is that this password is Global for all agents and it is configured in your XDR console.

When you generate installation package the password that is being used at the moment will be put in the msi and after that used by the agent after installation. If you change the supervisor password in the console, agent will get the new password automatically only if they are communicating with the console. The agents that have issues and haven't be communicating with the console will not receive the updated password, so they will stuck with the password that is being used when msi package used for the installation was created.

 

So if cytool does not accept your current uninstall password, try to use old password (if you have change it)

 

If you don't have the correct uninstall password I would suggest to contact support - they may have some ways, but from what I know there isn't any official way to remove XDR agent if you don't have the correct uninstall password.

 

 

I do have password. Uninstall failed after disabling servicing as well. See attached screenshots from first message. 

Clipboard02.jpg

I have created ticket for support and got cleanup tool, which is working perfectly. 

 

  • 1 accepted solution
  • 3247 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!