Just wondering if anyone else is experiencing this... We have about 600 XDR agents deployed and keep running into scenarios where the agents just seemingly randomly stop checking in. Nothing meaningful in the logs. Doing a cytool checkin does nothing. The agents disappear from the dashboard entirely, making it really hard to even determine that the agent has stopped communicating. If we use the XDRAgentCleaner to manually remove the agent and re-install it, it magically starts working just fine. We've seen it on multiple agent versions from 7.0 to 7.3. The last_checkin dates are all over the map. It's just super odd. Palo support has been completely unhelpful.

@chaim_Avisrur If you prefer not to change the LD_LIBRARY_PATH, you can consider changing the working directory using os.chdir('/opt/traps/bin') before executing cytool. That should pick up the libraries from the relative paths.





@chaim_Avisrur You're right. The library paths need to be set before the script is executed. If you can run a shell script from your management tool, you can set the library path in the script and execute "/opt/traps/bin/cytool reconnect force". This way, your global library path won't be altered, and the script should still execute successfully within the temporary environment of the session.
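As an added example, not code from either reply above or from Palo Alto Networks: a small Python wrapper that does what both replies describe, running cytool from its own directory with LD_LIBRARY_PATH set for the child process only, so the global library path on the endpoint is never touched. The /opt/traps/bin path and the `reconnect force` arguments are the ones quoted in the thread; the function names, the timeout, and the "return None when cytool is absent" behaviour are my assumptions.

```python
import os
import subprocess
from typing import Dict, List, Optional

# Paths as quoted in the thread; adjust for your deployment.
TRAPS_BIN = "/opt/traps/bin"
CYTOOL = os.path.join(TRAPS_BIN, "cytool")


def cytool_env(base_env: Dict[str, str], lib_dir: str = TRAPS_BIN) -> Dict[str, str]:
    """Return a copy of base_env with lib_dir prepended to LD_LIBRARY_PATH.

    Only the child process sees this value; the caller's environment and the
    system-wide loader configuration are left exactly as they were.
    """
    env = dict(base_env)
    current = env.get("LD_LIBRARY_PATH", "")
    env["LD_LIBRARY_PATH"] = lib_dir if not current else f"{lib_dir}:{current}"
    return env


def cytool_command(*args: str) -> List[str]:
    """Build the argv for cytool with the given subcommand and options."""
    return [CYTOOL, *args]


def run_cytool(*args: str, timeout: int = 60) -> Optional[subprocess.CompletedProcess]:
    """Run cytool from its own directory with the scoped library path.

    Returns None when cytool is not installed, so a fleet script can record
    "agent missing" for that host instead of crashing; a hang raises
    subprocess.TimeoutExpired after `timeout` seconds.
    """
    if not os.path.isfile(CYTOOL):
        return None
    return subprocess.run(
        cytool_command(*args),
        cwd=TRAPS_BIN,              # same effect as os.chdir, but only for the child
        env=cytool_env(os.environ),  # LD_LIBRARY_PATH scoped to this invocation
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,                 # inspect returncode ourselves
    )


if __name__ == "__main__":
    # Equivalent to the shell-script approach from the reply:
    #   LD_LIBRARY_PATH=/opt/traps/bin /opt/traps/bin/cytool reconnect force
    result = run_cytool("reconnect", "force")
    if result is None:
        print(f"cytool not found at {CYTOOL}")
    else:
        print(f"exit={result.returncode}\n{result.stdout}{result.stderr}")
```

The interactive password prompt cytool shows in the other posts is not handled here; run the wrapper from a management session that already holds the supervisor credential, or pass it through the tool's own mechanism rather than hard-coding it in the script.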

Yup, there is another way to do that: there is also a possible way to stop the cyvrfsfd service using cytool.exe (.\cytool.exe runtime stop cyvrfsfd), so we can initiate the same brute force attack vector to successfully disable the whole protection service.

Did you manage to get this sorted? I'm also having trouble with Cortex XDR (7.4.2), Windows 10 (21H1) and App Layering (21.7.0.1006 with Full User layers). I've used Palo Alto's guidelines from here to install Cortex in the OS layer, with the VDI_ENABLED=1 flag, and it works fine inside that layer as long as it's just the layer open. But when I finalize the layer and publish an image from it, Cortex no longer works: the icon is red, I can't open the console (I get a message saying that the console is disabled by policy), and when I try to do a cytool vdi update, I get the message that this only works on VDI-enabled images. So somewhere along the image publication process this gets scrambled.

Edit: Turns out I had Cortex XDR installed in an app layer too; perhaps it had auto-updated itself while I had that layer open. I have now created an exclusion for the app layering master images so they do not auto-update. Once I removed that layer and re-built it, the Cortex console is again available, and it connects to the server just fine. But I'm still not able to run cytool vdi update, getting that same message about RpcClient: SendRequest: Error 13: VDI Update command is applicable for a vdi enabled instance only. But this is perhaps a different issue.

I think Cortex has very good documentation for deploying via JAMF. All you need to do is upload the Unified Configuration profile for Cortex for M1 and non-M1, and deploy Cortex (installer in a .zip folder) via JAMF. Remember you need to upload the .zip folder to Jamf Admin (talking about Jamf Pro); I don't know about Jamf Connect but believe that should work too. Then the deployment to the endpoint should work. This process was working for me until Cortex 7.6.2, but for this new version 7.7.2 it is not working for some reason. I had to stop the Cortex service with the command: sudo "/Library/Application Support/PaloAltoNetworks/Traps/bin/cytool" runtime stop all, and you need to use your Cortex password.

An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent.

Traps Troubleshooting Resources

To troubleshoot Traps and the Endpoint Security Manager, use the following resources:

Endpoint Security Manager: Web interface, which provides reports and logs. The information is useful for monitoring and filtering the logs to interpret unusual behavior on your network. After analyzing a security event, you can choose to create a custom rule for the endpoint or process.

DebugWeb log: Indicates information, warnings, and errors related to the Endpoint Security Manager. The DebugWeb log is located in the %ProgramData%\Cyvera\Logs folder of the ESM Server.

Server log: Indicates information, warnings, and errors related to the Endpoint Database and ESM Server. The Server log is located in the %ProgramData%\Cyvera\Logs folder of the ESM Server.

Service log: Indicates information, warnings, and errors related to the Traps service. The Service log is located in the following folder on the endpoint:
  Windows Vista and later: %ProgramData%\Cyvera\Logs
  Windows XP: C:\Documents and Settings\All Users\Application Data\Cyvera\Logs

Console log: Indicates information, warnings, and errors related to the Traps Console. The Console log is located in the following folder on the endpoint:
  Windows Vista and later: C:\Users\\AppData\Roaming\Cyvera
  Windows XP: C:\Documents and Settings\\Application Data\Cyvera\Logs

Database (DB) Configuration Tool (dbconfig.exe): Command-line interface that provides an alternative to managing basic server settings using the ESM Console. You can access the DB Configuration Tool using a Microsoft MS-DOS command prompt run as an administrator. For more information, see Database Configuration Tool.

Supervisor Command Line Tool (cytool.exe): Allows you to enumerate protected processes, enable or disable protection features, and enable or disable Traps management actions from a command line interface. For more information, see Cytool.

190 Traps 3.2 Administrator's Guide, Palo Alto Networks, Inc.

Access Cytool

Step 3: View usage and options for the Cytool command:

c:\program Files\Palo Alto Networks\Traps>cytool /?
Traps (R) supervisor tool 3.1
(c) Palo Alto Networks, Inc. All rights reserved

Usage: CYTOOL [/?] [/a] [command [options]]

Options:
  /?   Display this help message.
  /a   Authenticate as supervisor.

command: enum | protect | startup | runtime | policy

For more information on a specific command run CYTOOL command /?

View Processes Currently Protected by Traps

To view processes that Traps is currently injected into, run the enum command using Cytool or view the Protection tab on the Traps Console (see View Processes Currently Protected by Traps). By default, both the Traps Console and Cytool display only the protected processes run by the current user. To view protected processes run by all users, specify the /a option. Viewing protected processes run by all users requires you to enter the supervisor (uninstall) password.

View Processes Currently Protected by Traps

Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).

View protected processes initiated by the current user by entering the cytool enum command. To view protected processes for all users on the endpoint, specify the /a option, and enter the supervisor password when prompted.

c:\program Files\Palo Alto Networks\Traps>cytool /a enum
Enter supervisor password:
Process ID   Agent Version
[...]

Manage Protection Settings on the Endpoint

By default, Traps protects core processes, registry keys, Traps files, and Traps services according to the service protection rules defined in the security policy (for information about configuring service protection rules in the Endpoint Security Manager, see Manage Service Protection). You can use Cytool to override the security rules and manage the following layers of protection that Traps applies on the endpoint:

  Enable or Disable Core Process Protection on the Endpoint
  Enable or Disable Registry Protection Settings on the Endpoint
  Enable or Disable Traps File Protection Settings on the Endpoint
  Enable or Disable Service Protection Settings on the Endpoint
  Use the Security Policy to Manage Service Protection

Enable or Disable Core Process Protection on the Endpoint

By default, Traps protects core processes including Cyserver.exe and CyveraService.exe based on the service protection rules defined in the local security policy. If required, you can override the behavior of core process protection using the cytool protect [enable|disable] process command. Changing the protection settings requires you to enter the supervisor (uninstall) password.

Enable or Disable Core Process Protection Settings on the Endpoint

Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).

To manage the protection settings of core processes on the endpoint, use the following command:

C:\Program Files\Palo Alto Networks\Traps>cytool protect [enable|disable] process

The following example displays output for enabling protection of core processes. The Mode column displays the revised protection status, either Enabled or Disabled, or Policy when using the settings in the local security policy to protect core processes.

C:\Program Files\Palo Alto Networks\Traps>cytool protect enable process
Enter supervisor password:
Protection   Mode      State
Process      Enabled   Enabled
Registry     Policy    Disabled
File         Policy    Disabled
Service      Policy    Disabled

To use the default policy rule settings to protect core processes on the endpoint, see Use the Security Policy to Manage Service Protection.

Enable or Disable Registry Protection Settings on the Endpoint

To prevent attackers from tampering with the Traps registry keys, use the cytool protect enable registry command to restrict access to the registry keys stored in HKLM\SYSTEM\Cyvera. To disable protection of the registry keys, use the cytool protect disable registry command. Making changes to the registry protection settings requires you to enter the supervisor (uninstall) password when prompted.

Enable or Disable Registry Protection Settings on the Endpoint

Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).

To manage the protection settings of registry keys on the endpoint, use the following command:

C:\Program Files\Palo Alto Networks\Traps>cytool protect [enable|disable] registry

The following example displays output for enabling protection of registry keys. The Mode column displays the revised protection status, either Enabled or Disabled, or Policy when using the settings in the local security policy to protect registry keys.

C:\Program Files\Palo Alto Networks\Traps>cytool protect enable registry
Enter supervisor password:
Protection   Mode      State
Process      Policy    Disabled
Registry     Enabled   Enabled
File         Policy    Disabled
Service      Policy    Disabled

To use the settings in the local security policy to protect registry keys on the endpoint, see Use the Security Policy to Manage Service Protection.

Enable or Disable Traps File Protection Settings on the Endpoint

To prevent attackers from tampering with the Traps files, use the cytool protect enable file command to restrict access to the system files stored in %Program Files%\Palo Alto Networks\Traps and %ProgramData%\Cyvera (or C:\Documents and Settings\All Users\Application Data\Cyvera on Windows XP). To disable protection of Traps files, use the cytool protect disable file command. Making changes to the Traps file protection settings requires you to enter the supervisor (uninstall) password when prompted.

Enable or Disable Traps File Protection Settings on the Endpoint

Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
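The protection table that cytool protect prints (Protection, Mode, State for the Process, Registry, File and Service layers) is what an administrator would collect across a fleet to confirm that nobody has locally switched a layer off. As an added example, not code from the Administrator's Guide or from Palo Alto Networks, the Python below parses that table and distinguishes a layer disabled by a local cytool override (Mode is Disabled) from one left disabled by the security policy (Mode is Policy). The layer names and column values come from the guide's sample output above; the sample strings are constructed to match that layout, and the function names are mine.

```python
"""Parse and audit the protection table printed by `cytool protect ...`."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MODES = {"Enabled", "Disabled", "Policy"}   # values the guide lists for the Mode column
STATES = {"Enabled", "Disabled"}            # effective result in the State column
# The four protection layers the guide's protect command manages.
EXPECTED_LAYERS: Tuple[str, ...] = ("Process", "Registry", "File", "Service")


@dataclass(frozen=True)
class ProtectionRow:
    layer: str
    mode: str   # Enabled/Disabled = local cytool override; Policy = follows security policy
    state: str  # what is actually in force right now


def parse_protect_output(text: str) -> Dict[str, ProtectionRow]:
    """Return {layer: row} for each data row of the cytool protect table.

    The command echo, the 'Enter supervisor password:' prompt and the header
    line never have a valid Mode/State pair, so they are skipped by the vocabulary
    check rather than by position, which keeps the parser tolerant of extra text.
    """
    rows: Dict[str, ProtectionRow] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        layer, mode, state = parts
        if mode not in MODES or state not in STATES:
            continue
        rows[layer] = ProtectionRow(layer, mode, state)
    return rows


def audit_protection(rows: Dict[str, ProtectionRow]) -> List[str]:
    """List every expected layer that is not effectively protected, with the cause."""
    findings: List[str] = []
    for layer in EXPECTED_LAYERS:
        row = rows.get(layer)
        if row is None:
            findings.append(f"{layer}: not reported by cytool")
        elif row.mode == "Disabled":
            # Somebody with the supervisor password turned this layer off locally.
            findings.append(f"{layer}: disabled by local cytool override")
        elif row.state == "Disabled":
            # No local override; the security policy itself leaves it off.
            findings.append(f"{layer}: disabled by security policy")
    return findings


# Constructed sample matching the guide's output after `cytool protect enable process`.
SAMPLE_AFTER_ENABLE_PROCESS = """\
C:\\Program Files\\Palo Alto Networks\\Traps>cytool protect enable process
Enter supervisor password:
Protection   Mode      State
Process      Enabled   Enabled
Registry     Policy    Disabled
File         Policy    Disabled
Service      Policy    Disabled
"""

# Constructed sample of an endpoint where two layers were switched off locally.
SAMPLE_LOCAL_OVERRIDE = """\
Enter supervisor password:
Protection   Mode      State
Process      Disabled  Disabled
Registry     Policy    Enabled
File         Disabled  Disabled
Service      Policy    Enabled
"""


if __name__ == "__main__":
    for name, sample in (("guide sample", SAMPLE_AFTER_ENABLE_PROCESS),
                         ("local override", SAMPLE_LOCAL_OVERRIDE)):
        print(name)
        for finding in audit_protection(parse_protect_output(sample)):
            print("  ", finding)
```

In a fleet check, a "disabled by local cytool override" finding is the one to escalate: it means the supervisor password was used on that endpoint, whereas "disabled by security policy" points at the ESM policy rather than at the host.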
