Troubleshooting Resources for Windows

Cortex XDR Agent Administrator Guide

Product: Cortex XDR, Cortex XDR Agent
Version: 7.7
Creation date: 2022-08-31
Last date published: 2023-01-04
End of Life: EoL
Category: Administrator Guide

Resource / Description

Services, Drivers, and Processes

Services:

  • C:\Program Files\Palo Alto Networks\Traps\cyserver.exe

  • C:\Program Files\Palo Alto Networks\Cortex XDR Health Helper\xdrhealth.exe

Drivers:

  • C:\Program Files\Palo Alto Networks\Traps\cyverak.sys

  • C:\Program Files\Palo Alto Networks\Traps\cyvrmtgn.sys

  • C:\Program Files\Palo Alto Networks\Traps\cyvrfsfd.sys

  • C:\Program Files\Palo Alto Networks\Traps\tedrdrv.sys

  • C:\Program Files\Palo Alto Networks\Traps\tdevflt.sys

  • C:\Program Files\Palo Alto Networks\Traps\tedrpers-<version>.sys

  • C:\Windows\System32\drivers\telam.sys

Processes:

  • C:\Program Files\Palo Alto Networks\Traps\CyveraConsole.exe

  • C:\Program Files\Palo Alto Networks\Traps\tlaworker.exe (background process that is always running)

  • C:\Program Files\Palo Alto Networks\Traps\cytray.exe (background process that is always running)

  • C:\Program Files\Palo Alto Networks\Traps\cytool.exe

  • C:\Program Files\Palo Alto Networks\Traps\cydump.exe

  • C:\Program Files\Palo Alto Networks\Traps\cyreport.exe

  • C:\Program Files\Palo Alto Networks\Traps\cyrprtui.exe

  • C:\Program Files (x86)\Palo Alto Networks\Traps\cyreport.exe

  • C:\Program Files (x86)\Palo Alto Networks\Traps\cyrprtui.exe

Cortex XDR installation log

Specifies any errors encountered during installation of agent components. Use this log file when you need to troubleshoot installation issues. On Windows endpoints, the installer stores the log files in the %temp% or C:\Users\<user_name>\AppData\Local\Temp folder.

Cortex XDR agent service log

Indicates information, warnings, and errors related to the Cortex XDR agent. The service log is located in the following folder on the endpoint:

  • Windows Vista or a later Windows OS: %ProgramData%\Cyvera\Logs

  • Windows XP: C:\Documents and Settings\All Users\Application Data\Cyvera\Logs

Cortex XDR agent console log

Indicates information, warnings, and errors related to the agent console. The console log is located in the following folder on the endpoint:

  • Windows Vista or a later Windows OS: C:\Users\<username>\AppData\Roaming\Cyvera

  • Windows XP: C:\Documents and Settings\<username>\Application Data\Cyvera\Logs

Supervisor Command Line Tool (cytool.exe)

Allows you to manage agent features and perform advanced troubleshooting on the local endpoint from a command line interface. For more information, see Cytool for Windows.

Unknown files for analysis

The agent stores unknown files to send to Cortex XDR in the C:\ProgramData\Cyvera\Temp folder. After Cortex XDR submits a file to WildFire, the agent deletes the file from the Temp folder.

In some cases, third-party Antivirus (AV) applications raise an alert for this folder. If this occurs, we recommend that you whitelist this folder in the third-party AV application.

Cortex XDR Health Helper

Improves the upgrade process of the Cortex XDR agent. The Health Helper monitors the endpoint at startup and initiates an upgrade rollback if an upgrade failed. Because upgrades are retried multiple times, the next retry then runs against the agent at its original version with no interference. The service runs only at startup and remains in pause mode at other times. To ensure the service is not removed, a periodic task reinstates the process if it has been removed.
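The following PowerShell script is an added example and is not part of the Cortex XDR Agent Administrator Guide or of the agent itself. It turns the services, drivers and always-running processes listed under "Services, Drivers, and Processes" above, together with the log and Temp folders named in the log entries, into a single health report for a Windows endpoint. It assumes Windows PowerShell 5.1 or later in an elevated session, and it identifies services and drivers by the executable paths given on this page rather than by service names, which the page does not list; the Health Helper is reported as healthy when Running or Paused because the page states it remains in pause mode outside startup.

```powershell
# Added example; not part of the Cortex XDR Agent Administrator Guide.
# Reports the state of the agent components listed on this page.
# Assumptions: Windows PowerShell 5.1+, elevated session (driver and process
# paths are not readable otherwise); components are matched by the file names
# the page gives, since their Windows service names are not on the page.

$Traps  = 'C:\Program Files\Palo Alto Networks\Traps'
$Helper = 'C:\Program Files\Palo Alto Networks\Cortex XDR Health Helper'

# Kind, path and the states the page allows us to treat as healthy.
# The Health Helper is documented as paused outside startup, so Paused counts.
$Expected = @(
    @{ Kind = 'Service'; Path = "$Traps\cyserver.exe";   Ok = @('Running') },
    @{ Kind = 'Service'; Path = "$Helper\xdrhealth.exe"; Ok = @('Running', 'Paused') },
    @{ Kind = 'Driver';  Path = "$Traps\cyverak.sys";    Ok = @('Running') },
    @{ Kind = 'Driver';  Path = "$Traps\cyvrmtgn.sys";   Ok = @('Running') },
    @{ Kind = 'Driver';  Path = "$Traps\cyvrfsfd.sys";   Ok = @('Running') },
    @{ Kind = 'Driver';  Path = "$Traps\tedrdrv.sys";    Ok = @('Running') },
    @{ Kind = 'Driver';  Path = "$Traps\tdevflt.sys";    Ok = @('Running') },
    @{ Kind = 'Driver';  Path = "$Traps\tedrpers-*.sys"; Ok = @('Running') },  # version is part of the file name
    @{ Kind = 'Driver';  Path = 'C:\Windows\System32\drivers\telam.sys'; Ok = @('Running') },
    @{ Kind = 'Process'; Path = "$Traps\tlaworker.exe";  Ok = @('Running') },
    @{ Kind = 'Process'; Path = "$Traps\cytray.exe";     Ok = @('Running') }
)

# Folders named on this page (Windows Vista or later locations).
$Folders = @(
    "$env:ProgramData\Cyvera\Logs",   # agent service log
    "$env:APPDATA\Cyvera",            # agent console log for the current user
    'C:\ProgramData\Cyvera\Temp'      # unknown files awaiting upload to Cortex XDR
)

# Pull each inventory once rather than once per component.
$services  = Get-CimInstance -ClassName Win32_Service
$drivers   = Get-CimInstance -ClassName Win32_SystemDriver
$processes = Get-CimInstance -ClassName Win32_Process

function Get-ComponentStatus {
    param([hashtable]$Item)

    # Match on the file name only: driver PathName is often reported with a
    # \SystemRoot\ or \??\ prefix instead of the C:\ form shown on the page,
    # and service PathName may carry quotes and arguments.
    $leaf = Split-Path -LiteralPath $Item.Path -Leaf

    switch ($Item.Kind) {
        'Service' {
            $hit   = $services | Where-Object { $_.PathName -like "*\$leaf*" } | Select-Object -First 1
            $state = if ($hit) { $hit.State } else { 'NotInstalled' }
        }
        'Driver' {
            $hit   = $drivers | Where-Object { $_.PathName -like "*\$leaf" } | Select-Object -First 1
            $state = if ($hit) { $hit.State } else { 'NotInstalled' }
        }
        'Process' {
            $hit   = $processes | Where-Object { $_.ExecutablePath -like "*\$leaf" } | Select-Object -First 1
            $state = if ($hit) { 'Running' } else { 'NotRunning' }
        }
    }

    [pscustomobject]@{
        Kind    = $Item.Kind
        Path    = $Item.Path
        State   = $state
        Healthy = ($Item.Ok -contains $state)
    }
}

$report = foreach ($item in $Expected) { Get-ComponentStatus -Item $item }
$report | Format-Table -AutoSize

foreach ($folder in $Folders) {
    $label = if (Test-Path -LiteralPath $folder) { 'present' } else { 'MISSING' }
    "$label  $folder"
}

$bad = @($report | Where-Object { -not $_.Healthy })
"Components not in an expected state: $($bad.Count)"
```

A component reported as NotInstalled or NotRunning, or a missing %ProgramData%\Cyvera\Logs folder, points at the installation log described above as the first place to look; a stopped cyserver.exe or missing driver is also the condition under which the Health Helper's startup rollback, described in the previous entry, is expected to act after a failed upgrade.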