03-03-2024 03:11 PM
Following the Cortex XDR Windows agent update to 8.3.0.49434 we started to see the following error affecting some application DLLs.
Clicking OK makes the message go away and the application keeps working. A TAC case was logged and a temporary Support Exception was added and applied to some affected hosts. This seemed to stop the error.
Wondering if anyone else is experiencing the same or similar issue? This affects approx. 2 DLLs on two separate applications of ours. I'd like to see a fix come in the form of an update to the Cortex XDR client, as applying a temporary support exception doesn't seem like a viable long term solution.
03-03-2024 06:19 PM
We see the same issue in several customers' environments. As far as I know, PAN plans to fix the issue within 8.3.1 and 8.4.
03-04-2024 04:36 AM
Same issues here, with a specific application (Parallels).
03-04-2024 03:05 PM
Information from TAC:
"This is caused by a new feature enabled in 8.3, where we check the signature level of every DLL loaded into cytray.exe. The application's DLL must be unsigned or with a lower trusted level, which will result in the DLL being blocked by us and this pop-up to show. Hence we have provided the SUEX to disable the feature.
At the moment the engineering team does not consider this issue as an actual bug inside the product, but rather a by-design behavior.
I would like to inform you that it might be fixed in the upcoming version of the XDR Agent, but we do not have an ETA for this."
I'd argue that it's a bug. It's not an error handled by cytray.exe. Windows is throwing an error due to the action.
03-05-2024 04:38 AM
We are also having problems with Parallels RAS. The DLL Cytray is complaining about appears to be signed OK.
Interested to hear how you work around this. Parallels seem to think it is not a problem for them to fix.
03-05-2024 04:43 AM
I raised an issue with support and they applied a test exception profile in Cortex dashboard. However, I'm still seeing this issue on some machines even though the exception has been applied.
03-05-2024 06:44 AM
Seems we are reliant on Palo Alto to help with this. Response from Parallels - "This issue is unrelated to the Parallels RAS issue, so we suggest reaching out to Palo Alto support for further clarification and assistance."
03-05-2024 07:33 AM
Do you think it's worth compiling a list of applications that we believe to be affected? At the moment Palo Alto don't seem to be at all interested, but that may change if a long list of applications that they have broken were put together?
03-05-2024 02:46 PM
Andy - The statement I got from Palo was "This is caused by a new feature enabled in 8.3, where we check the signature level of every DLL loaded into cytray.exe. The application's DLL must be unsigned or with a lower trusted level, which will result in the DLL being blocked by us and this pop-up to show. Hence we have provided the SUEX to disable the feature."
I agree in that it's not a problem for Parallels to fix. If it's a feature of Cortex XDR then there should be some alerting/incidents relating to the block in the console, but there is nothing. Blanket disabling a newly introduced feature is not a solution.
03-05-2024 02:48 PM
Andy - I am waiting to hear back today with further information. I'm receiving mixed messages on whether Palo Alto plan to fix it in the next agent release. One response stated "late March" but had no firm release timeline.
03-06-2024 06:30 AM
Same here with a DLL belonging to TeamViewer: "C:\Program Files (x86)\TeamViewer\tv_x64.dll"
03-06-2024 05:09 PM
Yes, it's not a good solution.
03-08-2024 09:28 AM
Not an issue my a$$... Ever since 8.3.0 we get multiple alerts from a monitoring software that the Cortex XDR service has stopped. Digging into PCs' and laptops' event logs, it appears it's cysvc.dll itself which is crashing; we see the same event log entry in all the computers which reported the issue.