# FAQ: What do I do if I have Cortex XDR which causes unsuccessful installation of the Log Collector?

### **Elastic Agent Main Installation Path (Windows)**

When installing Elastic Agent on a Windows machine, the installation files are placed in specific directories. Below are the important paths to know for managing and troubleshooting the Elastic Agent.

#### **Temporarily Disable Cortex XDR Antivirus**

To allow for a smooth installation, you may need to temporarily disable the Cortex XDR antivirus:

- **Disable Cortex XDR Antivirus:**
    - Start a CMD Prompt, PowerShell, or Windows Terminal as an **ADMINISTRATOR**
    - Type **cytool protect disable** and press **ENTER**
    - Type in the password
        - The default password for Cortex XDR cytool is **Password1**
    - Wait for the tool to disable the Cortex services

#### **Main Installation Path**

- The Elastic Agent’s main installation folder on Windows is located at `C:\Program Files\Elastic\Agent`. This directory contains the core Elastic Agent files, including the binaries necessary for the agent to function, configuration files, and various modules.

#### **Configuration Files**

- After installation, Elastic Agent's configuration files can be found under `C:\Program Files\Elastic\Agent\elastic-agent.yml`. The `elastic-agent.yml` file contains important configuration settings for data collection, integrations, and connectivity to the Elastic Stack.

#### **Log Files**

- Log files generated by Elastic Agent during its operation are stored at `C:\Program Files\Elastic\Agent\logs`. These logs are useful for monitoring the health of the agent and diagnosing any issues that arise during operation.

#### **Data Directory**

- The Elastic Agent stores its temporary data and downloaded module files in `C:\Program Files\Elastic\Agent\data`. This directory is used to manage the agent’s internal state, cache data, and more.

#### **Uninstall Path**

- To uninstall Elastic Agent from the system, you can find the uninstallation files and services within the same main installation directory (`C:\Program Files\Elastic\Agent`), or you can uninstall it via the **Control Panel > Programs and Features**.

By understanding and utilizing these paths, you can easily manage the Elastic Agent on a Windows machine, adjust configurations, troubleshoot issues, or perform updates and uninstallation.

**After locating the installation path of Elastic Agent, proceed to the whitelisting step.**

### **Whitelist the Elastic Agent Installer in Cortex XDR**

- **Find the executable:** Determine the path or the exact name of the Elastic Agent installer or any processes it spawns.
- **Create an Allow List:**
    1. Log in to the Cortex XDR management console.
    2. Navigate to **Endpoints > Policies**.
    3. Locate the policy that is enforcing restrictions on software installations.
    4. Go to the **Allow List** section.
    5. Add the **Elastic Agent installer** to the allow list by specifying its executable path or file hash.
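
Before creating an allow-list entry by path or hash, confirm exactly which binaries are being allowed. The PowerShell below is an added example, not part of the original FAQ or of any vendor tooling: it lists every executable under the installer and install folders with its SHA-256 and Authenticode status. `C:\Temp\elastic-agent` is an assumed extraction folder, and `Get-AllowListCandidate` and the CSV file name are hypothetical.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
param(
    # Assumption: folder where the Elastic Agent package was extracted (hypothetical path).
    [string]$InstallerDir = 'C:\Temp\elastic-agent',
    # Main installation path as documented on this page.
    [string]$InstalledDir = 'C:\Program Files\Elastic\Agent'
)

# Hypothetical helper: returns path, SHA-256 and signature details for each .exe found.
function Get-AllowListCandidate {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Warning "Folder not found, skipping: $dir"
            continue
        }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.exe' | ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

$candidates = @(Get-AllowListCandidate -Path $InstallerDir, $InstalledDir)

# Anything without a valid Authenticode signature should be investigated, not allow-listed.
$candidates | Where-Object { $_.SigStatus -ne 'Valid' } | ForEach-Object {
    Write-Warning "Signature is $($_.SigStatus); do not allow-list: $($_.Path)"
}

# Validly signed binaries: review the signer, then use the path or SHA256 for the allow list.
$valid = @($candidates | Where-Object { $_.SigStatus -eq 'Valid' })
$valid | Format-Table Path, SHA256, Signer -AutoSize -Wrap

# Keep a record of what was allow-listed (hypothetical output file name).
$valid | Export-Csv -Path '.\elastic-agent-allowlist-candidates.csv' -NoTypeInformation
```

A hash entry only matches that exact build, so rerun the script and update the allow list after each Elastic Agent upgrade.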

### **Temporarily Disable Certain Cortex XDR Modules**

- Some Cortex XDR modules might block certain operations or files. You can temporarily disable specific modules rather than turning off Cortex XDR completely: 
    - **Disable Exploit Prevention:** If this module is causing the block, disable it temporarily during the installation.
    - **Disable Behavioral Threat Protection:** This can also interfere with installations.
- After the installation, turn the protection modules back on.

### **Run the Installation in Exclusion Mode**

- You can try running the installer in a way that bypasses Cortex XDR monitoring for certain directories or processes. In the Cortex XDR management console, you can: 
    1. Create a **Folder Exclusion** for the folder where you’re installing the Elastic Agent.
    2. Go to **Endpoints > Endpoint Protection**.
    3. In the **Exclusions** section, add the directory where Elastic Agent is being installed.

Cortex XDR file and folder exclusion link:
[File and Folder exclusion link](https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/adding-file-and-folder-exclusions/td-p/562296#:~:text=You%20can%20create%20exceptions%20rules%20to%20avoid%20files,Settings%20%E2%86%92%20Exception%20Configuration%20%E2%86%92%20Disable%20Prevention%20Rules)