This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cyserver stopped by ntdll.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cyserver stopped by ntdll.

MarcoMJ
L1 Bithead

‎05-04-2024 12:38 AM

Hi team, 

 

Recently, We discovered endpoints that got disconnected from the console and there is no clue on trapsd why it happened because the agent didn't record logs since its last_seenn on the console, for example; the agent has a last_seen on 1 May 2024 and you reconnected the agent on 4 May 2024, there are no logs between 1 May and 4 May. We discover a log like this on application.evtx;

 

Faulting application name: cyserver.exe, version: 8.2.1.47908

Faulting module name: ntdll.dll, version: 10.0.19041.3636

Exception code: 0xc0000374 

Fault offset: 0x00000000000ff349 

Faulting process id: 0x1a90 

Faulting application path: C:\Program Files\Palo Alto Networks\Traps\cyserver.exe 

Faulting module path: C:\Windows\SYSTEM32\ntdll.dll 

 

After that, when we started to check other endpoints, we discovered the same situation, Does anyone know a little more about this or has this happened?

 

Thank you

 

Cortex XDR 

MarcoA
Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
1 REPLY 1

BPry
Cyber Elite
Cyber Elite

‎05-04-2024 07:41 PM

@MarcoMJ,

My current knowledge and hands-on experience with Cortex XDR is limited, but this has been a thing ever since they moved it to the cloud. I can't recall having as many issues locally outside of agent updates that failed.

 

What I would personally recommend doing is utilizing your inventory/AD/MDM/etc to get a list of computers that Cortex should show in console, and then utilize the API to identify any agents that aren't communicating properly. The script doesn't have to do anything difficult, simply look at the last connection time and pair it with a simple ICMP test. If the last connection time isn't today, and it's responding to ICMP, you have a bunk client that you need to fix.

I wish I had a better answer for you, but I spent a lot of time reporting agents that got disconnected and working to try and identify root cause so that I didn't have to spend as much time fixing things.

  • 340 Views
  • 1 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks