Palo Alto Networks Security Advisories / PAN-SA-2022-0005

PAN-SA-2022-0005 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator



The Palo Alto Networks Product Security Assurance team is aware of a method that can enable a local administrator to tamper with the Windows registry to disable the Cortex XDR agent on devices running a Windows operating system.

As a result of this method, critical Windows system services would not be available and normal usage of the device would be disrupted. Please note, the device must be rebooted for this to take effect.

This issue is not a new security impact on the confidentiality, integrity, or availability of the system because a local Windows administrator has the ability to disrupt normal usage of the device without employing this method.

Product Status

Cortex XDR Agent All agents with a content update earlier than CU-860 on WindowsAll agents with CU-860 or a later content update

Required Configuration for Exposure

This method is applicable only to Cortex XDR agent deployments on Windows that use an allow list to exclude some local file system resources from analysis.

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.


This method is prevented by Cortex XDR agents on Windows with content update 860 and later content update versions.


Palo Alto Networks thanks Ary Dobrovolskiy, Milad Fadavvi of Zalando, Ben Tamam, Josh Shepard, Maarten Pentinga and Khalid Latifi for discovering and reporting tampering methods related to this issue.


Updated the content version necessary to prevent methods related to this issue
Updated the content version necessary to prevent methods related to this issue
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.