
CrowdStrike falcon blocking Dynatrace agent /proc

ca6iya
Observer

I don't see any subject regarding CrowdStrike Falcon. Did anyone figure out how to allow the Dynatrace agent to get the proc ID after installs or updates on Linux agents without creating an exclusion to trust the agent folder /opt/dynatrace/oneagent/agent/*?

For some reason the new installs detect the process and then disappear. The official Dynatrace documentation just points to allowing the agent to read the /proc file.

https://docs.dynatrace.com/docs/shortlink/troubleshoot-oneagent-installation#os-specific-troubleshoo...

 

Compatibility with antivirus software

Blocking mutex in the Linux kernel can cause CrowdStrike Falcon to block OneAgent when reading the process data from /proc, which contains one subdirectory per process running on the system.

  • When OneAgent tries to read /proc/<pid>, CrowdStrike Falcon blocks mutex in the kernel for process ID directory creation. OneAgent will be in uninterruptible state, which means you can clear the processes only by rebooting the server or waiting for the I/O to respond.
  • OneAgent installation can be affected at any time due to the lack of a single rule that causes the issue.

JeanBlanc
Advisor

Hi @ca6iya

I haven’t encountered this situation myself, but what you describe matches the known behavior where CrowdStrike Falcon interferes with OneAgent’s access to /proc/<pid>.

Instead of excluding the entire OneAgent directory, you could try a more targeted approach:
identify the specific OneAgent binary responsible for process detection (under /opt/dynatrace/oneagent/agent/bin/...) and configure CrowdStrike so that this process is allowed to read /proc without being blocked at the kernel level. This helps limit the scope of the exception.

@ca6iya you might want to try the following procedure:

  1. When processes disappear, trace the OneAgent process (strace -p <oneagent_pid>) to pinpoint which syscall to /proc is being blocked.

  2. In CrowdStrike, create a rule that allows this OneAgent process/module to perform reads on /proc/<pid> rather than opening access to the entire agent directory.

  3. Restart the host and check if process detection remains stable in Dynatrace.

It’s a more fine-grained alternative to a full path exception, and it may help narrow down the source of the issue. Let us know if you manage to test it.

Regards,
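
Before step 1 of the procedure above, it helps to know which OneAgent process is actually in the uninterruptible state the quoted documentation describes. The script below is an added example, not part of the reply or of Dynatrace's or CrowdStrike's tooling; it assumes OneAgent process names contain "oneagent", and the sample tree, process names and `constructed_wait_fn` value are constructed for the demo.

```shell
#!/bin/sh
# Added example: list processes stuck in uninterruptible sleep (state D).
# Assumption: OneAgent process names contain "oneagent"; override with $2.

# find_stuck [PROC_ROOT] [NAME_PATTERN] -> lines of "pid name wchan"
find_stuck() {
    proc_root=${1:-/proc}
    pattern=${2:-oneagent}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # status is read instead of cmdline, which can itself block
        # when the target process is stuck in the kernel.
        name=$(awk '/^Name:/ {print $2; exit}' "$dir/status" 2>/dev/null) || continue
        state=$(awk '/^State:/ {print $2; exit}' "$dir/status" 2>/dev/null) || continue
        case $name in *"$pattern"*) ;; *) continue ;; esac
        [ "$state" = "D" ] || continue
        # wchan names the kernel function the task is sleeping in.
        wchan=$(cat "$dir/wchan" 2>/dev/null) || wchan=unknown
        printf '%s %s %s\n' "${dir##*/}" "$name" "${wchan:-unknown}"
    done
}

# make_sample_proc DIR: build a constructed /proc-like tree for offline runs.
make_sample_proc() {
    root=$1
    for entry in "101 oneagent_sample D" "102 oneagent_sample S" "103 otherproc D"; do
        set -- $entry
        mkdir -p "$root/$1"
        printf 'Name:\t%s\nState:\t%s (constructed)\n' "$2" "$3" > "$root/$1/status"
        printf 'constructed_wait_fn' > "$root/$1/wchan"
    done
}

# Demo on the constructed tree; on a real host call: find_stuck /proc
sample=$(mktemp -d)
make_sample_proc "$sample"
find_stuck "$sample"
rm -rf "$sample"
```

On a real host, run `find_stuck /proc` as root so the wchan column is populated; the reported PID is the one to trace in step 1, and the wait function is useful evidence when asking for a narrowly scoped rule in step 2.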
