Cortex XDR - Linux kernel module detected repeated ungraceful shutdowns
Created On 07/19/22 19:44 PM - Last Modified 10/18/24 20:00 PM
Symptom
- Cortex XDR Agent Operational Status shows Partially Protected
- In the trapsd.log, the operational status shows 20003 on multiple modules:
Current agent operational status { "antiLpeStatus": 20003, "antiexploitStatus": 0, "antimalwareStatus": 20003, "dseStatus": 20003, "edrStatus": 20003, "generalStatus": 0, "memoryStatus": 0 }
- Operational Status Data shows Linux kernel module detected repeated ungraceful shutdown/s
- Endpoint was shut down multiple times in an hour
Environment
- Cortex XDR Agents 6.x
- Cortex XDR Agents 7.x
- Cortex XDR Agents 8.x
- Linux OS
Cause
Cortex XDR Agent has a protection mechanism that kicks in when the machine shuts down ungracefully multiple times in an hour. When this occurs, the Kernel Module (KM) is unloaded and agent protection runs asynchronously, without the KM.
- Prior to Cortex XDR 7.1, the protection mechanism disables the KM after a single ungraceful shutdown.
- Starting with Cortex XDR 7.1, the protection mechanism kicks in when two (2) or more crashes occur within the last hour.
- Multiple entries in the .load_lock file prevent the KM from being loaded; the entries must be removed to allow the KM to start again.
Resolution
Option 1:
- Perform an upgrade of the Cortex XDR agent (major or minor upgrade).
- The upgrade will recreate the .load_lock file and will release the ungraceful shutdown protection on the Cortex XDR core.
Option 2: Manually delete the .load_lock file
- Check the Agent's Operational Status (a device with a locked Kernel Module shows "Operational Status: Kernel Module Locked", whereas a healthy device shows "Operational Status: Functional"):
/opt/traps/bin/cytool status
- Disable the Cortex XDR Agent with cytool commands:
/opt/traps/bin/cytool runtime stop
- Remove the .load_lock file if it did not clear automatically:
rm "/etc/traps/km/.load_lock"
- Enable the Cortex XDR Agent with cytool commands:
/opt/traps/bin/cytool runtime start
- Check the Agent's Operational Status again to ensure correct status:
/opt/traps/bin/cytool status
- After the agent services start up, the .load_lock file will be recreated. This is normal, and it allows the Cortex XDR core (kernel module) to start unless it detects multiple (at least 2) ungraceful shutdowns in the same hour.
- Note that even if the Agent shows Operational Status: Functional, it can take up to 15 minutes to properly reflect Protected on the XDR Tenant.
- If this issue occurs often, work with the server admin to address the repeated ungraceful shutdowns and minimize or prevent them.
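The Option 2 steps above, wrapped in a small shell helper so the lock is only cleared when cytool actually reports the Kernel Module as locked, and the status is re-checked afterwards. This is an added example, not Palo Alto Networks tooling; it assumes only the paths and status strings quoted in this article (/opt/traps/bin/cytool, /etc/traps/km/.load_lock, "Operational Status: Kernel Module Locked" and "Operational Status: Functional"). The internal format of .load_lock is not documented here, so the entry count it reports assumes one entry per line (an assumption, for reporting only). Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example wrapping the article's Option 2 steps. Not Palo Alto Networks
# tooling. Paths and status strings come from the article; CYTOOL, LOAD_LOCK
# and DRY_RUN are this script's own environment variables (assumptions).

CYTOOL="${CYTOOL:-/opt/traps/bin/cytool}"
LOAD_LOCK="${LOAD_LOCK:-/etc/traps/km/.load_lock}"
DRY_RUN="${DRY_RUN:-0}"

# Classify `cytool status` output read from stdin: locked | functional | unknown.
km_state_from_status() {
    status_text="$(cat)"
    case "$status_text" in
        *"Operational Status: Kernel Module Locked"*) echo locked ;;
        *"Operational Status: Functional"*)           echo functional ;;
        *)                                            echo unknown ;;
    esac
}

# Count non-blank lines in a .load_lock file (assumes one entry per line);
# prints 0 when the file is absent.
load_lock_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1" || true
}

# Run a command, or only print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# Apply Option 2 only when the KM is locked.
# Returns 0 when the agent reports Functional afterwards (or nothing was needed),
# 1 when the KM is still locked after the steps, 2 when the status is unrecognised.
remediate_locked_km() {
    state="$("$CYTOOL" status | km_state_from_status)"
    case "$state" in
        functional) echo "KM not locked; nothing to do"; return 0 ;;
        unknown)    echo "unrecognised cytool status output"; return 2 ;;
    esac

    echo "KM locked; $(load_lock_entries "$LOAD_LOCK") entry(ies) in $LOAD_LOCK"
    run_cmd "$CYTOOL" runtime stop
    # Per the article, remove the lock file only if it did not clear on its own.
    if [ -f "$LOAD_LOCK" ]; then
        run_cmd rm -f "$LOAD_LOCK"
    fi
    run_cmd "$CYTOOL" runtime start

    # .load_lock is recreated on start-up; that is expected. Re-check the status.
    state="$("$CYTOOL" status | km_state_from_status)"
    if [ "$state" = "functional" ]; then
        echo "KM unlocked; the tenant may take up to 15 minutes to show Protected"
        return 0
    fi
    echo "KM still locked: investigate repeated ungraceful shutdowns (2 or more per hour)"
    return 1
}
```

Run it as root on the affected endpoint after a dry run (DRY_RUN=1 sh remediate.sh); a non-zero exit after the real run means the lock came back, which points at the underlying shutdown problem rather than the lock file.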
Option 3: Uninstall and re-install the Cortex XDR Agent.
Additional Information
Documentation on Asynchronous protection