cytray.exe "bad image" errors following Agent update

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

cytray.exe "bad image" errors following Agent update

L2 Linker

Following the Cortex XDR Windows agent update to 8.3.0.49434 we started to see the following error affecting some application DLLs.

Clicking Ok makes the message go away and the application keeps working. TAC case was logged and an temporary Support Exception was added and applied to some affected hosts. This seemed to stop the error.

Wondering if anyone else is experiencing the same or similar issue? This affects approx. 2 DLLs on two separate applications of ours. I'd like to see a fix come in the form of an update to the Cortex XDR client, as applying a temporary support exception doesn't seem like a viable long term solution.

44 REPLIES 44

Would you know where one would obtain this "SUEX "?

Cheers
jc

L1 Bithead

1) On effected machines, downgraded from 8.3.0 to 8.2.1

2) In CortexXDR Console created a policy preventing agent to be upgraded

3) Added effected machines to the policy

No more annoying popups. Waiting for new version.

L5 Sessionator

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008XKOCA2

 

FYI : The new KB posted which related to this issue.

L2 Linker

The PAN article says:

  1. To resolve the issue, please whitelist Cortex XDR Agent process on the affected 3rd party application to disable injection into Cortex XDR Agent process.

But no indication is given how to do that, so it is not helpful.

L0 Member

The whitelisting workaround works if there is a security product injecting DLLs in Cortex processes. But in case it is for example TeamViewer or another software's DLL, this is unfeasible because they do not have a whitelist to configure.

So I fixed our obseverd "cytray.exe - bad image' issue with a remote access software's pop up by white listing the .dll in the malware profile targeting the endpoints.

 

*(your tenant here).paloaltonetworks.com/exceptions-configuration/legacy-disable-prevention-rules should take you to where you can create your .DLL exception

 

Note I am not a Cortex XDR expert but this resolved our erronious and annoying popups

JoTrip, Thanks for posting. I tried your method with our Teamviewer .DLL but it didn't work unfortunately...

Anyone hear of a more concrete date yet this is to be released?

Agree @GrazianoG - not a feasible solution for applications like Teamviewer and 99.999999% of other apps out there.

None @CraigV123 - last I heard at the closure of my support ticket was "late March". I'm checking our tenant for the release of the updated version of the agent daily.

@cskoien same here. I appreciate the feedback. Support created me a support exception which seemed to fix the issue on the 1 application we were seeing it on. I'm curious how many more there will be though.

This is gone or the link is not working for me at least.

@DanRoberts Not working for me anymore either, maybe it got pulled? It wasn't a viable solution to begin with.

 

"Late March" has long gone. Checking daily also. Still no new version available.....

I'm not sure if it's related but I hit the feedback button on that article when it was still available (19-03). The same day I got an email from PA asking me to elaborate on what was unclear about the article. I gave them detailed feedback about what I thought was lacking and all the things I tried to get it working. Soon after that the article disappeared.

  • 39075 Views
  • 44 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!