Why did the EDR stop working on a supported Linux OS and kernel version after the machine was shut down?
7207
Created On 10/12/20 11:53 AM - Last Modified 02/02/25 16:33 PM
Question
Why did the EDR stop working on a supported Linux OS and kernel version after the machine was shut down?
Environment
- Cortex XDR versions 6.0.x, 6.1.x and 7.0.x.
- EDR (Endpoint Detection and Response)
Answer
- The Cortex XDR agent has a protection mechanism for its EDR kernel module.
- This mechanism kicks in when the machine is shut down ungracefully.
- If the endpoint was powered off through vCenter instead of with the appropriate shutdown command from a shell, the Cortex XDR agent detects the abnormal shutdown at its next start and refuses to load the kernel module.
- EDR requires that kernel module; while it is not loaded, EDR does not work.
Additional Information
Use the following command to see why the kernel module needed for EDR was not loaded:
/etc/init.d/traps_core start
In this scenario it produces the following output:
Loading Traps core...
Traps core detected a system error and prevented itself from loading!
To rule out an agent crash as the cause, confirm that the crash directory in the Cortex XDR agent logs is empty before forcing the module to load.
The workaround is to stop the agent, force-start the kernel module (KM), and then restart the agent:
/opt/traps/bin/cytool runtime stop all # stop the Agent
/etc/init.d/traps_core force-start # force-start the KM
/opt/traps/bin/cytool runtime start all # start the Agent
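The following script is an added example and is not Palo Alto Networks' own tooling. It wraps the diagnosis and the workaround above: it runs a normal traps_core start, classifies the result from the "prevented itself from loading" message quoted above, checks that the crash directory is empty, and only then applies the three documented commands. The crash directory location (CRASH_DIR) and the "--live" switch are assumptions of this example; the two command paths are the ones from this article. Without "--live" the script only defines functions and touches nothing.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks' own tooling: decide why the traps_core
# kernel module (KM) did not load and, only on request, apply the workaround from
# this article. Everything except the two documented command paths is assumed.

TRAPS_CORE_INIT="${TRAPS_CORE_INIT:-/etc/init.d/traps_core}"   # documented path
CYTOOL="${CYTOOL:-/opt/traps/bin/cytool}"                       # documented path
# ASSUMPTION: location of the agent's crash directory; adjust to your install.
CRASH_DIR="${CRASH_DIR:-/var/log/traps/crash}"

# Substring of the message traps_core prints when the abnormal-shutdown guard
# blocks the KM (taken from the output quoted in the article).
GUARD_MSG="prevented itself from loading"

# guard_tripped OUTPUT -> 0 if OUTPUT carries the guard message
guard_tripped() {
    case "$1" in
        *"$GUARD_MSG"*) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_is_empty DIR -> 0 if DIR is absent or holds no entries (dotfiles included)
dir_is_empty() {
    [ -d "$1" ] || return 0
    # ls -A lists everything except . and ..; empty output means an empty dir
    [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# classify OUTPUT CRASH_DIR -> prints one verdict:
#   loaded         : no guard message, the KM should be up
#   guard-shutdown : guard message and empty crash dir (the case in this article)
#   guard-crash    : guard message plus crash artifacts; investigate, do not force
classify() {
    out="$1"; crash="$2"
    if ! guard_tripped "$out"; then
        echo loaded
    elif dir_is_empty "$crash"; then
        echo guard-shutdown
    else
        echo guard-crash
    fi
}

# The documented workaround, run verbatim (requires root).
apply_workaround() {
    "$CYTOOL" runtime stop all      # stop the agent
    "$TRAPS_CORE_INIT" force-start  # force-start the KM
    "$CYTOOL" runtime start all     # start the agent
}

# Live check: attempt a normal start, classify the result, force only when safe.
run_check() {
    out="$("$TRAPS_CORE_INIT" start 2>&1)" || true
    verdict="$(classify "$out" "$CRASH_DIR")"
    echo "traps_core start -> $verdict"
    case "$verdict" in
        guard-shutdown) apply_workaround ;;
        guard-crash)
            echo "crash artifacts in $CRASH_DIR; collect logs before forcing the KM" >&2
            return 1 ;;
    esac
}

# Only touch the system when explicitly asked (assumed switch); otherwise the
# script just defines the functions above so they can be sourced and tested.
if [ "${1:-}" = "--live" ]; then
    run_check
fi
```

Run it as root with `sh traps_km_check.sh --live` on the affected endpoint; a `guard-crash` verdict means the crash directory is not empty, so the script stops instead of forcing the module, which is the check the article asks for before applying the workaround.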