Application Resilience policies for Cortex XDR Agent
You can activate an Application Resilience policy for Cortex XDR™ Agent to collect information about the functional status of Cortex XDR Agent installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair or reinstall the application.
Application Resilience policies for Cortex XDR Agent are supported on devices running:
- a supported version of the Windows operating system
- PowerShell version 5.1 or higher
  Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.
- one of the following versions of Cortex XDR Agent:
  - 7.x or higher
    Significant software changes in higher versions may cause health checks to become invalid.
In addition to checking the version, the following table describes the health checks performed:
If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.
Component | Test performed: Installed | Test performed: Running | Test performed: Signed by |
---|---|---|---|
Services: Cortex XDR (cyserver.exe) | ✓ | ✓ | One of the signers entered in the policy configuration. By default, Signers contains "Palo Alto Networks" and "Palo Alto Networks (Netherlands) B.V.". |
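The three service checks in the table above (installed, running, signed by an allowed signer) can be re-run locally in PowerShell. This is an added example, not code from Absolute or Palo Alto Networks. It assumes the service is located by its executable name (cyserver.exe) and that "Signed by" is compared with the signing certificate's simple name. The function names are hypothetical, and the version check is not covered.

```powershell
# Added example: local re-check of the Installed / Running / Signed by tests.
# Assumption: signer names are compared with the certificate's simple name (CN).
$AllowedSigners = @('Palo Alto Networks', 'Palo Alto Networks (Netherlands) B.V.')

function Get-ExePathFromServicePathName {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments after the executable.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Test-CortexXdrHealth {
    param([string[]]$Signers = $AllowedSigners)

    $result = [ordered]@{ Installed = $false; Running = $false; SignedBy = $null; SignerAllowed = $false }

    # Installed: a registered service whose image path points at cyserver.exe.
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '\\cyserver\.exe' } |
        Select-Object -First 1
    if (-not $svc) { return [pscustomobject]$result }

    $result.Installed = $true
    $result.Running   = ($svc.State -eq 'Running')

    # Signed by: require a valid Authenticode signature before trusting the signer name.
    $exe = Get-ExePathFromServicePathName -PathName $svc.PathName
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
            $cn = $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            $result.SignedBy      = $cn
            $result.SignerAllowed = ($Signers -contains $cn)
        }
    }
    return [pscustomobject]$result
}

$health = Test-CortexXdrHealth
$health | Format-List
if ($health.Installed -and $health.Running -and $health.SignerAllowed) { 'Compliant' } else { 'Not compliant' }
```

A signer name on a file whose signature status is not Valid is ignored, so a tampered or unsigned binary fails the check even if it carries a matching certificate subject.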
You can configure an Application Resilience policy for Cortex XDR Agent to enable the Application Resilience (RAR) component to attempt to repair Cortex XDR Agent if it's not functioning, or reinstall it if it's missing or can't be repaired.
The RAR component is a lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated.
Depending on the Absolute product licenses associated with your account, the Report and repair option, and the Report, repair, and reinstall option may not be available.
The RAR component of the Secure Endpoint Agent can respond to the following issues:
Issue | Resolution |
---|---|
Repair | |
The Cortex XDR (cyserver.exe) service isn't running | If the Supervisor password is configured correctly and Cytool is found on the device, the RAR component uses Cytool to restart the service. If the Supervisor password isn't configured correctly or Cytool isn't found on the device, the RAR component restarts the service. |
The Cortex XDR (cyserver.exe) service isn't installed and the service's executable can be detected on the device | If the Supervisor password is configured correctly and Cytool is found on the device, the RAR component uses Cytool to disable tamper protection, and the RAR component reinstalls the service. If the Supervisor password isn't configured correctly or Cytool isn't found on the device, the RAR component reinstalls the service. |
Reinstall | |
Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken. | |
The Cortex XDR (cyserver.exe) service isn't installed and the service's executable cannot be detected on the device | If the Supervisor password is configured correctly and Cytool is found on the device, the RAR component uses Cytool to disable tamper protection. If the Supervisor password isn't configured correctly or Cytool isn't found on the device, the RAR component skips disabling tamper protection. If Cortex XDR is installed on the device, the RAR component uninstalls it. After the application is uninstalled, or if the application wasn't installed, the RAR component downloads and installs the configured version of the application. |
Cortex XDR Agent failed to be repaired, or the expected version isn't installed | |
You can add a 32-bit installer, a 64-bit installer, or both. The installers:
- must be MSI files
- can have any file name
The RAR component looks for the following file names when checking pre-cached installers:
Component | File name |
---|---|
Installers | XDR_Installer.msi |
Before you activate an Application Resilience policy you need to configure the policy. You need to configure the application version in addition to the settings in Configuring Application Resilience policies.
To configure the application version:
- Under Application Version, select 7.*+ from the drop-down.
- Under Cortex XDR™ version, enter the version of Cortex XDR Agent you expect to be running on your devices.
  - The target version must be a sequence of digits separated by a period.
  - You can use wildcard "*" characters after the major version number, for example, 7.*, 7.4.*, or 7.4.0.*.
  Make sure the version you are entering is consistent with version 7.x or higher.
If you selected the Report and repair or Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.
To configure the Cortex XDR Agent specific settings:
- [Optional] Under Supervisor password, enter the Cortex XDR supervisor password.
- [Optional - Report, repair, and reinstall only] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration.
For more information on the supervisor password and available command-line installation parameters, see the Cortex XDR Agent documentation.