This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

susekar
L2 Linker

‎01-06-2026 07:18 AM

Hello @J.Gammara ,

 

Greetings for the day!

 

Technical analysis of the telam service (specifically the telam.sys driver) indicates that its behavior and role differ from observations regarding local machine learning analysis. In the Cortex XDR architecture, local machine learning analysis is typically handled by other modules, such as the Local Analysis Worker (tlaworker.exe) on Windows or the CLAD service on Linux.

Role & Impact

The telam service is a core system driver designed to comply with Microsoft’s Early Launch Anti-Malware (ELAM) specification.

When Active (During Boot):
The driver loads very early in the boot process, even before disk drivers. Its primary responsibilities are to:

  • Register the Cortex XDR agent as a trusted security product with the Windows Security Center (WSC)

  • Host the certificates and signatures required for the agent’s user-mode services (such as CyServer.exe) to run as an Anti-Malware Protected Process Light (AM-PPL)

  • Initialize agent tampering protection

When Stopped (Runtime):
Once these boot-time registration and self-protection initialization tasks are complete, the telam driver stops by design. Observing it in a Stopped state during runtime checks is expected behavior and does not indicate a malfunction.

Resource Usage

The telam driver itself is a minimal driver that primarily serves as a container for certificates and does not actively manage resources or perform file analysis.

Resource consumption during the analysis of unknown files is handled by the Local Analysis components. For example, while the telam driver is stopped, the Local Analysis Worker may consume between 500 MB and 1000 MB of RAM during analysis operations, which is considered normal behavior on active servers.


For in-depth analysis of "Unexpected Stops" of the main services (which might be what your team actually needs to troubleshoot), you should look for "Memory allocation failed" or "Out of memory" errors in trapsd.log.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Happy New year!!

 

Thanks & Regards,
S. Subashkar Sekar

View solution in original post

(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks