CylanceOPTICS

known issues

Due to a defect in

macOS

Ventura 13.0.0, if the

CylanceOPTICS

agent is installed on a device with

macOS

13.0.0 or a

CylanceOPTICS

device is upgraded to

macOS

13.0.0, the

CylanceOPTICS

agent may not be able to detect events. (EDR-14879)

Workaround:

To prevent this issue from occurring, install the agent on

macOS

Ventura 13.0.1 or later or upgrade directly to

macOS

Ventura 13.0.1 or later instead of 13.0.0. If you upgrade from 13.0.0 to 13.0.1 or later, remove the agent and install it again. If installing on 13.0.1 or later or upgrading to 13.0.1 or later is not possible at this time, remove full disk access for CyOptics and CyOpticsESFLoader then add full disk access for both again and restart the device.

If the API Sensor is enabled in the device policy that is assigned to

CylanceOPTICS

3.2.x devices with

Windows Server

2016 and

CylancePROTECT Desktop

agent 3.0.1003 or later, some applications such as

Chrome

and Powershell may stop working. This issue is resolved in the next release of the

CylanceOPTICS

agent. (EDR-10871)

Workaround:

Turn off the API Sensor in the device policy.

When you try to unlock a partially locked device from the management console, it may not unlock as expected. This issue occurs intermittently. (EDR-9690)

Workaround:

Try to unlock the device again from the management console (Select Action > Unlock device), or use the unlock key.

If you run an advanced query and try to generate focus data from the results, the focus description that is used to generate the data does not include the correct artifact information. (EDR-9414)

If you downgrade from

CylanceOPTICS

agent version 3.1 or later to version 3.0, the lockdown feature stops working. (EDR-9199)

Workaround:

Uninstall agent version 3.0 and install it again.

If you try to download a large file from InstaQuery results by clicking the Request File Download button, the request might not complete as expected (the button does not change to "Download File"). (EDR-7702)

If a remote session is active when the

CylanceOPTICS

agent is installed on a

macOS

Big Sur (11.x) device, the session disconnects when the installation is complete. (EDR-7180)

Workaround:

Start the remote session again.

When you view the detection details for an event and you request a file download for an instigating process or target file source, the status of the download changes back to "Request File Download" instead of "Download File". (EDR-7007)

The refract package for browser history that is available in the management console does not collect the expected data on

Linux

devices. (EDR-6917)

If you view the threats and activities for a device and you request data for an event, the focus view status remains at "Data Pending" indefinitely instead of updating to "View Data". (EDR-6779)

Workaround:

View another tab and return to the device's threats and activities.

When you view the status of a package deploy job and you filter the results by name, the operator displays as "Equals" even though it works as "Contains", and the filter is case sensitive. (EDR-6689)

When you view the results of an InstaQuery, the count for devices queried and devices responded might not be accurate. This issue occurs intermittently. (EDR-6523)

Performance counters for

macOS

and

Linux

do not include system counter data, such as CPU and memory. (EDR-5219)

If you use an ssh session to perform a silent uninstall of the

CylanceOPTICS

agent on a

macOS

Big Sur (11.x) device, /Applications/Cylance/ Optics/CyOpticsESFLoader.app remains and the system extension is still active. This issue occurs because

Apple

has no mechanism to silently uninstall system extensions without explicit confirmation by the end user. To resolve, use the finder to locate CyOpticsESFLoader.app and drag it to the trashcan, then confirm the UI prompt to deactivate and remove the system extension. For more information, see Troubleshooting: Removing the CylanceOPTICS agent from a macOS device.