Dear Live Community Members,
I have an issue and I'm struggling to find the reason behind it and need your help.
To give you some background on the problem at hand, my customer installed the Cortex XDR agent, and it works fine on some machines, but on others, when the installation process finished, the problem occurred immediately and the PC is unusable.
Explorer stops working and the user is not able to do anything; he can use only the mouse but can't open any folders.
It also looks like the taskbar doesn't work, and if the user uses keyboard shortcuts he's able to "navigate" in the file explorer or open the control panel and things like that.
We were also able to use the PC with the shortcut to do RDP to other computers and use some applications. But the Ethernet NIC is like uninstalled and is not visible under the device manager or the network snap-in.
During tests, the issue seems to be related to Cortex XDR, as after we uninstall the agent on the affected endpoint the problems disappear. The problems don't appear on all clients, and the customer doesn't have particular policies applied to these groups; he is blocking the USB devices, but all other policies are at their default values.
This issue affects Cortex XDR Prevent, versions 7.7.1.62043 to 7.7.2.1822, and all the clients are on Windows 10 PRO 21H2 or higher. All the clients are HP notebooks.
After checking the logs I could see that the user was removing the Sophos Anti-Virus prior to installing Cortex XDR, but I can't see anything suspicious with the installation or why this issue occurs.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Windows Installer installed the product. Product Name: Cortex XDR 7.7.2.1822. Product Version: 7.7.2.1822. Product Language: 1033. Manufacturer: Palo Alto Networks, Inc.. Installation success or error status: 0.
Updated Cortex XDR™ Advanced Endpoint Protection status successfully to SECURITY_PRODUCT_STATE_ON.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I've also found an older entry in the logs for TrapsV2:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The description for Event ID 93 from source TrapsV2 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
The message resource is present but the message was not found in the message table
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I'm leaning toward issues with Windows, and I'm wondering if you maybe have some ideas.
Could it be that there are still some remnants of an old Traps installation on the endpoint (or any other security app) causing these issues?
Did anyone have a similar issue and could help out?
I will appreciate your help and any hints will be welcome to solve this issue.
Thank you in advance!