Use Traps for Android - Cortex XDR - Cortex XDR Agent - Advanced Endpoint Protection - Cortex - Security Operations

Traps Agent Administrator Guide

Product
Cortex XDR
Cortex XDR Agent
Version
5.0
Creation date
2022-09-01
Last date published
2023-01-04
Category
Administrator Guide

When you first install Traps for Android, Traps scans all apps installed on the Android endpoint. For each app Traps detects, it generates a hash for the file and requests the file verdict from the Traps management service. If necessary, the Traps management service queries WildFire for the verdict.

After the initial scan, Traps inspects apps immediately as they are installed, and as automated or manual scans occur. For unknown apps, Traps performs local analysis to determine the likelihood an unknown app is malware while simultaneously sending the unknown file to the Traps management service for in-depth analysis. You can configure the behavior for both actions from the Traps management service in the Malware Security Profile for Android.

  1. View all apps.

    The Traps home page displays the status of anti-malware protection and each app that is installed on the Android endpoint. The summary area displays the total number of Blocked, Allowed, and Pending (unknown) apps. The summary automatically refreshes as Traps discovers new apps and receives updated or changed verdicts.

    traps-app-summary.png

    Traps identifies apps as one of the following categories:

    • Blocked—Traps blocks an app if the app has a Malware verdict as determined by WildFire or local analysis, is blocked by a hash exception policy, or is unknown. To block unknown apps, you must enable Traps to Block files with unknown verdict in your Malware Security Profile for Android endpoints. When Traps blocks an app due to a hash exception policy, Traps shows the app with a Block status.

    • Allowed—Traps allows an app to run if the app has a Benign verdict as determined by WildFire or local analysis, or is signed by a trusted signer. You can whitelist signers as part of your Malware Security Profile for Android endpoints.

    • Pending—A pending app is an app that has not yet received an official WildFire verdict. This includes apps for which Traps has used local analysis to issue a local verdict. Unknown apps are allowed to run only when this feature is enabled in the Traps policy.

    By default, the Traps home page orders the apps by most recent.

    To view the full list of apps, select VIEW MORE.

  2. Filter and sort apps.

    The Traps home page displays a summary of recent apps that have attempted to run on your endpoint. To easily jump to a filtered view by the app category (Blocked, Allowed, or Pending), you can tap the app category. From the Apps page, you can also sort the results by date (most recent or oldest) or app name (A to Z or Z to A). Sorting only applies to the app categories that you select.

    • Filter by app category

      From the Summary page, you can view the total number for the app category. For example, select the number of Blocked apps to view only blocked apps. Traps filters the results to display the results for the category of your choice.

      To restore results, select the excluded app categories (the categories which are grayed-out).

    • Sort by date

      1. From the Apps page, select the menu in the top right.

      2. Select Sort by.

      3. Select either Date (Most recent) or Date (Oldest).

      Traps sorts the results based on the sort date of your choice.

    • Sort by name

      1. From the Apps page, select the menu in the top right.

      2. Select Sort by.

      3. Select either App name (A to Z) or App name (Z to A).

      Traps sorts the results alphabetically based on your selection.

  3. Scan apps.

    From the Scans page in the app, you can review scan history and can initiate a new scan. When you first install Traps for Android, the app scans all user-installed apps on the endpoint. When Traps detects a new app, Traps requests the verdict from WildFire, optionally performs local analysis to determine the likelihood of malware, and allows or blocks the app based on your policy configuration. At regular intervals (by default, every 14 days), Traps also rechecks all verdicts with WildFire.

    1. From the Summary page, select the Traps menu at the top left.

    2. Select ScanSTART SCAN.

      scan-history.png

      Traps scans all apps and requests verdicts for the apps. Traps also displays a history of scans which includes the date and time the scan ran and the number of apps identified as malware or as benign.

  4. Take action on malware, blocked apps, and unknown files.

    When you attempt to run a malicious app, a blocked app (as defined by a hash exception policy), or an unknown app, Traps automatically blocks the app from running. If your configuration allows it, Traps can prompt you to ignore the malware verdict and allow the app to run (not recommended). You can also configure Traps to treat grayware the same as it does malware.

    If Traps identifies a malicious or suspicious (unknown) app, Traps stops the app from running on the Android endpoint and prompts you with the following actions:

    malware-and-prompt-mode.png
    • ALLOW—This option is exposed only if you enable the Prompt action mode in your Malware Security Profile. The option enables a user to ignore the malware (or unknown) verdict and permit the app to run. Use this option with caution.

    • STOP—Close the alert window until the next attempt to run the app.

    • UNINSTALL—Remove the malware from the Android endpoint by uninstalling the app.