PAN-SA-2022-0005 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator
The Palo Alto Networks Product Security Assurance team is aware of a method that can enable a local administrator to tamper with the Windows registry to disable the Cortex XDR agent on devices running a Windows operating system.
As a result of this method, critical Windows system services would not be available and normal usage of the device would be disrupted. Note that the device must be rebooted for this to take effect.
This issue is not a new security impact on the confidentiality, integrity, or availability of the system because a local Windows administrator has the ability to disrupt normal usage of the device without employing this method.
| Product | Affected Versions | Unaffected Versions |
|---|---|---|
| Cortex XDR Agent | All agents with a content update earlier than CU-630 on Windows | All agents with CU-630 or a later content update |
Required Configuration for Exposure
This method is applicable only to Cortex XDR agent deployments on Windows that use an allow list to exclude some local file system resources from analysis.
Palo Alto Networks is not aware of any malicious exploitation of this issue.
This method is prevented by Cortex XDR agents on Windows running content update CU-630 or a later content update version.