
Taegis Endpoint Agent Known Issues🔗

Windows🔗

Important

If you are experiencing a problem with Deep Process Inspection, one troubleshooting step to try is to uninstall third-party security products to triage and gather logs to help trace the issue to the root cause. This would be a temporary step to help isolate the issue so that the team can identify a fix.

Compatibility issues are often a result of multiple security products using the same points to hook into the operating system, causing conflicts with operations. Secureworks may need to work with the third-party vendor or others to identify and resolve the conflict.

Warning Message Regarding AMSI and Code Integrity🔗

The Taegis Endpoint Agent Antimalware Scan Interface (AMSI) provider DLL is loaded by the OS into processes that require evaluation or scanning of external scripts by a security product. Some of those processes may be Code Integrity (CI) mitigated so that only Microsoft-signed DLLs are allowed to load. The kernel will block the Taegis Endpoint Agent AMSI provider DLL from loading into those processes because it is not developed by Microsoft and therefore is not signed by Microsoft. Such instances may generate externally visible ETW or audit events. This is expected behavior for CI-mitigated processes interacting with non-Microsoft AMSI DLLs.

When this conflict occurs, there may be a minimal loss in telemetry.
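To confirm which AMSI providers are registered on a host and which of them are not Microsoft-signed (and so are the ones a CI-mitigated process will refuse to load), the following PowerShell is an added example, not code from Secureworks or part of the agent. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer, and relies only on the documented AMSI registration location (`HKLM\SOFTWARE\Microsoft\AMSI\Providers`, keyed by CLSID) and the COM `InprocServer32` registration for each CLSID.

```powershell
# Added example (not Secureworks code): list registered AMSI providers and report
# who signed each provider DLL. Assumes an elevated session on Windows 10+/Server 2016+.

$providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

function Get-AmsiProviderInfo {
    if (-not (Test-Path $providersKey)) {
        Write-Warning "No AMSI providers key found at $providersKey"
        return
    }

    foreach ($clsidKey in Get-ChildItem -Path $providersKey) {
        $clsid = $clsidKey.PSChildName

        # Each provider is registered by CLSID; the COM registration under
        # HKLM\SOFTWARE\Classes\CLSID\{clsid}\InprocServer32 names the DLL.
        $inproc  = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dllPath = $null
        if (Test-Path $inproc) {
            $dllPath = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        }
        # Expand %SystemRoot%-style variables and strip quotes before checking the signature.
        if ($dllPath) {
            $dllPath = [Environment]::ExpandEnvironmentVariables($dllPath.Trim('"'))
        }

        $signer = 'unknown'
        $status = 'NoFile'
        if ($dllPath -and (Test-Path $dllPath)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dllPath
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            CLSID           = $clsid
            Dll             = $dllPath
            SignatureStatus = $status
            Signer          = $signer
            # A provider whose signer is not Microsoft is expected to be blocked in
            # processes mitigated to load Microsoft-signed binaries only.
            MicrosoftSigned = ($signer -match 'O=Microsoft Corporation')
        }
    }
}

Get-AmsiProviderInfo | Format-Table -AutoSize
```

Rows with `MicrosoftSigned` equal to `False` and a valid `SignatureStatus` are third-party providers such as the Taegis provider; seeing them blocked in a CI-mitigated process (for example, via the ETW or audit events mentioned above) is the expected behavior described on this page, not a tampering indicator on its own. Whether a given image is configured to load Microsoft-signed binaries only can be checked separately with `Get-ProcessMitigation -Name <image.exe>` from the ProcessMitigations module, where the setting is reported under `SignedBinary`.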

Version 1.2.x and 2.x.x Compatibility Issues🔗

The Windows Taegis Endpoint Agent version 1.2.x and later introduces more instrumentation, which raises the chances of conflicts with other products, specifically security products. The following sections are intended to increase transparency about compatibility:

Tested Compatible🔗

What we’ve tested directly that works:

  • Bitdefender
  • Windows Defender
  • CrowdStrike
  • FortiClient tested compatible with agent version 2.1.x

Telemetry Evidence of Compatibility🔗

What we have evidence of running without issue based upon Secureworks® Taegis™ XDR telemetry in the Secureworks® back end:

  • Qualys Agent
  • Sophos File Scanner
  • Sophos Network Threat Protection
  • zScaler
  • Lansweeper
  • Confer (Carbon Black Defense)
  • Checkpoint Endpoint Security
  • SentinelOne

Known Incompatible🔗

Products we have confirmed to have compatibility issues:

  • ControlUp
  • Forcepoint Websense
  • Palo Alto Cortex XDR
  • 64-bit Firefox running on computers with Windows Defender enabled in some configurations (fixed in agent version 2.1.2)

Note

Disabling Deep Process Inspection may enable you to troubleshoot interoperability issues that result in a BSOD or in machines becoming inoperable. For more information, see Deep Process Inspection in Agent Group Policies.

Likely Conflict🔗

Products we believe are likely to have issues, based on reports from the field:

  • CylancePROTECT

Version 2.0.8 Code Injection Issue🔗

On Windows Server 2016 with Deep Process Inspection enabled, a code injection may fail after reboot with a "hook already exists" error. This is fixed in version 2.0.10.

Version 2.0.4 Remote Uninstall Issue🔗

Remote uninstall of the Taegis™ XDR Endpoint Agent version 2.0.4 is not consistently working. This is fixed in version 2.1.2.

Version 1.2.84 and 2.0.x Increased Telemetry Volume🔗

Windows Taegis Endpoint Agent versions 1.2.84 and 2.0.x can, dependent on the Windows machine configuration, create a higher volume of telemetry than the 1.0.x agent series.

Version 1.2.84 Intermittent Connectivity Issue🔗

Intermittent network connectivity issues may occur with version 1.2.84 when running patches KB5035854, KB5035853, and KB5035845. This is fixed in a later version.

Version 1.2.82 Configured Proxy Failure🔗

For the Windows Taegis Endpoint Agent version 1.2.82, the agent has no fallback for communications when connectivity via the configured proxy fails. This is fixed in a later version.

Version 1.2.44 File Copy Performance Degradation🔗

For the Windows Taegis Endpoint Agent version 1.2.44, copying files from hosts with the agent installed degrades performance in some instances. This is fixed in version 1.2.84 and later.

Version 1.0.24 Connectivity Issue Caused by Windows Security Update🔗

Microsoft has issued an out-of-band (OOB) non-security update to address an issue caused by the October 2022 Windows security updates that triggers SSL/TLS handshake failures on client and server platforms.

From Windows: "We fixed an issue that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures. For developers, the affected connections are likely to send multiple frames followed by a partial frame with a size of less than 5 bytes within a single input buffer. If the connection fails, your app will receive the error, SEC_E_ILLEGAL_MESSAGE."

This issue has been found on the following releases, and Microsoft has recommended the following OOB updates.

| Release | Out-of-Band Update | Link |
| --- | --- | --- |
| Windows 10 | KB5020435 | Microsoft Update Catalog |
| Windows 11 | KB5020387 | Microsoft Update Catalog |
| Server 2016 | KB5020439 | Microsoft Update Catalog |
| Server 2019 | KB5020438 | Microsoft Update Catalog |
| Server 2022 | KB5020436 | Microsoft Update Catalog |

If you are having connectivity or any other issues, please reach out to our product support team via chat or support ticket.

Version 1.0.24 Veeam Backup and Recovery, Server, and DC Environments Known Conflict🔗

The Taegis Endpoint Agent for Windows version 1.0.24 or older, running on a Windows Server with Veeam backup, may cause performance degradation, system crashes, or reboots, depending on the number of jobs being run. The issue has been resolved for most environments by installing Taegis Endpoint Agent version 1.0.26 and assigning these server endpoints to a Server Tier group policy with the following instructions:

We do not recommend running older versions of the Taegis Endpoint Agent with Veeam Backup and Recovery on a Windows Server.

macOS🔗


1.4.9🔗

  • The Tray and App no longer write to /Library/Logs/; view their output using the unified logger instead. This is a minor issue, as we rarely need to consult these logs for diagnosis.
  • Troubleshoot diagnostics may show errors for MDM configuration if settings are not in standard profiles.

Linux🔗


1.3.9🔗

  • Known compatibility issue with agent version 1.3.9 and Ubuntu 24.04: the agent will not load its drivers (either eBPF or kernel modules). This is fixed in version 1.4.2.
  • Likely compatibility issue with kernel 6.8: distros running that kernel will not load the eBPF or kernel modules. This is fixed in a later version.

1.0.x🔗

  • No support for Secure Boot on CentOS and RHEL 7 for Linux agent versions earlier than 1.1. Version 1.1.x and later support RHEL and CentOS with Secure Boot enabled.

General Known Issues🔗

  • We are unable to support the following RHEL kernels, which were shipped for the linked CVE errata. RHEL removed these kernels from package distribution, so we cannot pull in the kernel source to compile drivers. If you are on these kernels, we recommend you update as soon as possible.

| RHEL Kernel | CVE Link | Notes |
| --- | --- | --- |
| RHEL8, kernel: 4.18.0-305.76.1.el8_4.x86_64 | https://access.redhat.com/errata/RHSA-2023:0531 | Although this references an rt kernel, we believe it affects all kernels of this version |
| RHEL8, kernel: 4.18.0-193.98.1.el8_2.x86_64 | https://access.redhat.com/errata/RHSA-2023:0395 | |
| RHEL9, kernel: 5.14.0-70.43.1.el9_0.x86_64 | https://access.redhat.com/errata/RHSA-2023:0526 | Although this references an rt kernel, we believe it affects all kernels of this version |