cytray.exe "bad image" errors following Agent update

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

cytray.exe "bad image" errors following Agent update

L2 Linker

Following the Cortex XDR Windows agent update to 8.3.0.49434 we started to see the following error affecting some application DLLs.

Clicking Ok makes the message go away and the application keeps working. TAC case was logged and an temporary Support Exception was added and applied to some affected hosts. This seemed to stop the error.

Wondering if anyone else is experiencing the same or similar issue? This affects approx. 2 DLLs on two separate applications of ours. I'd like to see a fix come in the form of an update to the Cortex XDR client, as applying a temporary support exception doesn't seem like a viable long term solution.

44 REPLIES 44

L5 Sessionator

We see same issue in several customer's environments. As far as I know, PAN will plan to fix the issue within 8.3.1 and 8.4.

L1 Bithead

Same issues here, with a specific application (Parallels)

L2 Linker

Information from TAC:

"This is caused by a new feature enabled in 8.3, where we check the signature level of every DLL loaded into cytray.exe. The application's DLL must be unsigned or with a lower trusted level, which will result in the DLL being blocked by us and this pop-up to show. hence we have provided the SUEX to disable the feature.

At the moment the engineering team does not consider this issue as an actual bug inside the product, but rather a by-design behavior.

I would like to inform you that it might be fixed in the upcoming version of the XDR Agent, but we do not have an ETA for this."

 

I'd argue that its a bug. Its not an error handled by cytray.exe. Windows is throwing an error due to the action.

AndyHartwell_0-1709642134320.png   

AndyHartwell_1-1709642200546.png

 

We are also having problems with Parallels RAS.  The DLL Cytray is complaining about appears to be signed OK.

Interested to hear how you work around this. Parallels seem to think it is not a problem for them to fix.

I raised an issue with support and they applied a test exception profile in Cortex dashboard. However, I'm still seeing this issue on some machines even though the exception has been applied.

 

Seems we are reliant on Palo Alto to help with this. Response from Parallels - "This issue is unrelated to the Parallels RAS issue, so we suggest reaching out to Palo Alto support for further clarification and assistance."

Do you think its worth compiling a list of applications that we believe to be affected ?  At the moment PaloAlto don't seem to be at all interested but that may change if a long list of applications that they have broken were put together ?

 

Andy - The statement I got from Palo was "This is caused by a new feature enabled in 8.3, where we check the signature level of every DLL loaded into cytray.exe. The application's DLL must be unsigned or with a lower trusted level, which will result in the DLL being blocked by us and this pop-up to show. hence we have provided the SUEX to disable the feature."

I agree in that its not a problem for Parallels to fix. If its a feature of Cortex XDR then there should be some alerting/incidents relating to the block in the console, but there is nothing. Blanket disabling a newly introduced feature is not a solution.

 

Andy - I am waiting to hear back today with further information. I'm receiving mixed messages on whether Palo Alto plan to fix it in the next agent release. One response stated "late March" but had not firm release timeline.

L1 Bithead

Same here with DLL belonging to Teamviewer: "C:\Program Files (x86)\TeamViewer\tv_x64.dll"

L2 Linker

Received confirmation that this issue will be resolved in the next release of the agent, tentative release date being late March 2024.

Yes,it's not a good solution.

L0 Member

Not an issue my a$$ .. Ever since 8.3.0 we get multiple alerts from a monitoring software that the Cortex XDR service has stopped. Digging into PC's and laptop's event logs, it appears it's cysvc.dll itself which is crashing; we see the same event log entry in all the the computers which reported the issue.

DovToren_0-1709918634451.png

 

  • 38002 Views
  • 44 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!