Features Introduced in Traps Agent 5.0 - Release Notes - 5.0 - Cortex XDR - Cortex XDR Agent - Advanced Endpoint Protection - Cortex - Security Operations

Traps Agent Release Notes

Product
Cortex XDR
Cortex XDR Agent
Version
5.0
Creation date
2022-09-01
Last date published
2023-06-26
Category
Release Notes

Features Introduced in Traps Agent 5.0.12

There are no new features introduced in Traps agent 5.0.12.

Features Introduced in Traps Agent 5.0.11

There are no new features introduced in Traps agent 5.0.11.

Features Introduced in Traps Agent 5.0.10

There are no new features introduced in Traps agent 5.0.10.

Features Introduced in Traps Agent 5.0.9

The following table describes the new features introduced in Traps agent 5.0.9 release. Traps agent 5.0.9 is a Windows release supported only by the Cortex XDR app, and cannot be installed or supported using the Traps management service.

Feature

Description

Agent Proxy Settings in WPAD Environments

You can now install the Traps agent on endpoints that acquire their proxy settings through the Web Proxy Auto-Discovery (WPAD) protocol. When the endpoint is set to Automatically detect settings in its network configuration, either manually or by script, the Traps agent can now use the settings it automatically receives through the defined PAC file. No additional agent settings are required for this use case.

Extending Configurable Agent Proxy Settings to Traps 5.0.9

In environments where Traps agents communicate with Cortex XDR through a system-wide proxy, you can now set an application proxy for the Traps agent (see Set an Application Proxy for Cortex XDR Agents) without affecting the communication of other applications on the endpoint. You can set the proxy in one of three ways: during the Traps agent installation, or later on using Cytool on the endpoint or from Endpoints Management in Cortex XDR. You can assign up to five different proxies per agent, and the proxy for communication is selected randomly with equal probability. If communication through the app-specific proxies fails, the Traps agent tries to use the system-wide proxy defined on the endpoint. If that fails as well, the Traps agent tries to communicate with Cortex XDR directly.
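The failover order described above, written out as an added example (illustrative code, not the Traps agent's implementation). The proxy URLs are constructed, and the assumption that each app-specific proxy is tried in random order before falling back is ours.

```python
import random
from typing import Callable, List, Optional

# Constructed example of the failover order described in the release note.
# Illustrative code, not the Traps agent's implementation. Assumption (ours):
# every app-specific proxy is tried, in random order, before falling back.

MAX_APP_PROXIES = 5        # the note allows up to five proxies per agent
DIRECT = None              # marker for "no proxy, talk to Cortex XDR directly"

ConnectFn = Callable[[Optional[str]], bool]   # route -> did the connection succeed?


def build_attempt_order(app_proxies: List[str], system_proxy: Optional[str],
                        rng: Optional[random.Random] = None) -> List[Optional[str]]:
    """Return the routes to try, in order.

    App-specific proxies first in a uniformly random order (each has the same
    probability of being picked first), then the endpoint's system-wide proxy
    if one is configured, then a direct connection.
    """
    if len(app_proxies) > MAX_APP_PROXIES:
        raise ValueError(f"at most {MAX_APP_PROXIES} app-specific proxies allowed")
    if rng is None:
        rng = random.Random()
    order: List[Optional[str]] = list(app_proxies)
    rng.shuffle(order)                         # equal probability per proxy
    if system_proxy:
        order.append(system_proxy)
    order.append(DIRECT)
    return order


def connect_with_fallback(app_proxies: List[str], system_proxy: Optional[str],
                          connect: ConnectFn, seed: Optional[int] = None) -> str:
    """Try routes in order; return the one that worked ('direct' for no proxy).

    Raises ConnectionError when the app proxies, the system proxy and the
    direct attempt all fail.
    """
    for route in build_attempt_order(app_proxies, system_proxy, random.Random(seed)):
        if connect(route):
            return "direct" if route is DIRECT else route
    raise ConnectionError("app-specific proxies, system proxy and direct connection all failed")


def demo_connect(route: Optional[str]) -> bool:
    """Constructed stand-in for the real HTTPS session: only one proxy is reachable."""
    return route == "http://proxy-b.corp.example:3128"
```

Call `connect_with_fallback(["http://proxy-a.corp.example:3128", "http://proxy-b.corp.example:3128"], "http://sysproxy.corp.example:8080", demo_connect)` to see proxy-b selected after proxy-a fails, whichever is tried first.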

Features Introduced in Traps Agent 5.0.8

The following table describes the new features introduced in Traps agent 5.0.8 release.

Feature

Description

Support by Cortex XDR

You can now use Traps 5.0.8 and later 5.0 releases with Cortex XDR.

Features Introduced in Traps Agent 5.0.7

The following table describes the new features introduced in Traps agent 5.0.7 release.

Feature

Description

Hardened Passwords Using PBKDF2 Encryption

For increased security, the Traps agent uninstall password is now encrypted using a stronger encryption algorithm (PBKDF2) when transferred between Traps management service and the Windows agents. Traps management service automatically applies the stronger algorithm to the password for new installation packages (no password reset is required). The stronger encryption helps prevent attempts to obtain the password.
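An added example of what PBKDF2 protection of a password looks like in practice (illustrative code, not Traps' own implementation). PBKDF2 is a key-derivation function, so the protected form is a salted, iterated digest that is checked by recomputation; the verifier string layout and cost parameters are our assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example of protecting a password with PBKDF2. Illustrative
# code, not Traps' own implementation. PBKDF2 (RFC 8018) is a key-derivation
# function: what gets stored or sent is a salted, iterated digest (a
# verifier) that is checked by recomputation, not decrypted. The verifier
# string layout and the cost parameters below are our assumptions.

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000        # assumed work factor; raise as hardware gets faster
SALT_LEN = 16               # bytes of random salt per password
DKLEN = 32                  # derived-key length in bytes


def derive_verifier(password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> str:
    """Return '<algo>$<iterations>$<salt hex>$<digest hex>' for storage or transfer."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh salt: equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, verifier: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time.

    Malformed or foreign verifiers are rejected rather than raising, so a
    caller cannot be tricked into an error path that skips the check.
    """
    try:
        algo, iters, salt_hex, dk_hex = verifier.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if algo != ALGO or iterations < 1 or not salt or not expected:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)
```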

Content Update Distribution Enhancement

To reduce bandwidth load when distributing the latest content update, the Traps agent now staggers the time at which it retrieves the content update from Traps management service. When a new content update is available, Traps agents randomly choose a time within a six-hour window to retrieve the content update. This prevents bandwidth saturation due to a high volume and size of content updates.

Features Introduced in Traps Agent 5.0.6

There are no new features introduced in Traps agent 5.0.6.

Features Introduced in Traps Agent 5.0.5

There are no new features introduced in Traps agent 5.0.5.

Features Introduced in Traps Agent 5.0.4

The following table describes the new features introduced in Traps agent 5.0.4 release.

Feature

Description

Mimikatz Prevention

To prevent attackers from leveraging the Mimikatz tool to extract passwords from memory, Traps introduces a new Password Theft Protection module. The new protection module, which you can enable in a Malware Security profile for Windows endpoints, silently prevents attempts to steal credentials and does not currently provide notifications when these events occur. Mimikatz prevention is available with Windows Vista and later Windows releases.

Note

After you enable this protection module, this module is active following the next reboot on the endpoint.

Enhanced Support for Traps on Temporary Sessions

To enable you to logically distinguish temporary sessions from other VDI or standard installations, you can now identify a temporary session, such as a session on a Remote Desktop Server. To identify temporary sessions that replicate from a snapshot, you specify the TS_ENABLED=1 Msiexec parameter when you install Traps. The Traps management service then issues a license to the Traps agent on the snapshot. A license returns to the license pool when the Traps agent is disconnected from the Traps management service for more than 90 minutes or the agent is uninstalled.

Local Analysis Verdicts by Feature Vector

To prevent Traps from blocking unknown files that are likely benign but that local analysis suspects are malware, Support can now deliver a verdict for the feature vector of a file. A feature vector is a group or family of files that share similar characteristics but have different hashes. For example, if you change a few bytes at the end of a file, that file and the original could be grouped under the same feature vector. After Support delivers a support exception to define a benign verdict for a feature vector, the Traps local analysis module can use the verdict to allow similar files to run.

New Operating System Support

Traps extends support to the following operating systems:

  • Windows Server 2016 Datacenter edition

  • Windows 10 Education

  • Windows 10 Update 1809

For complete compatibility information, refer to the Palo Alto Networks Compatibility Matrix.

Features Introduced in Traps Agent 5.0.3-h1

The following table describes the new features introduced in Traps agent 5.0.3-h1 release.

Feature

Description

macOS 10.14 Support

You can now install Traps on macOS 10.14. For complete compatibility information, refer to the Palo Alto Networks Compatibility Matrix.

User-Agent Identification for Traps Agent-Proxy Traffic

You can now exclude traffic between Amazon S3 (s3.amazonaws.com) and a proxy server from SSL decryption. To enable you to filter the agent-proxy traffic, Traps adds a new request header field to the HTTP CONNECT request it sends to the proxy server. The new User-Agent header field has a value of PaloAltoNetworks-Traps. Traps adds this new field only to HTTP CONNECT requests to the proxy server; the field is not added in requests sent to Amazon S3 or to the Traps management service.
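An added example of the proxy-side check this header makes possible: parse the CONNECT request and decide whether the tunnel is Traps-to-S3 traffic that should be excluded from SSL decryption. This is illustrative code, not a Palo Alto Networks implementation; the sample requests are constructed, and matching subdomains of s3.amazonaws.com (bucket-style hostnames) is our generalization.

```python
from typing import Dict, Optional, Tuple

# Constructed example: a proxy-side decryption-bypass check keyed on the
# User-Agent header described above. Illustrative code, not a Palo Alto
# Networks product implementation; the sample requests are ours.

TRAPS_USER_AGENT = "PaloAltoNetworks-Traps"     # value the release note specifies
S3_HOST = "s3.amazonaws.com"                     # destination the release note names


def parse_connect(raw: bytes) -> Optional[Tuple[str, int, Dict[str, str]]]:
    """Parse an HTTP CONNECT request; return (host, port, headers) or None if not one."""
    try:
        head, _, _ = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        return None
    host, sep, port = target.rpartition(":")     # rpartition keeps IPv6 literals intact
    if not sep or not port.isdigit():
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None                          # malformed header line: reject
        headers[name.strip().lower()] = value.strip()   # names are case-insensitive
    return host.lower(), int(port), headers


def bypass_decryption(raw: bytes) -> bool:
    """True only for a Traps agent tunnel to Amazon S3 on 443; everything else stays inspected."""
    parsed = parse_connect(raw)
    if parsed is None:
        return False
    host, port, headers = parsed
    s3 = host == S3_HOST or host.endswith("." + S3_HOST)   # assumption: bucket-style names too
    return port == 443 and s3 and headers.get("user-agent") == TRAPS_USER_AGENT


# Constructed sample requests as a proxy would see them on the wire.
TRAPS_CONNECT = (b"CONNECT s3.amazonaws.com:443 HTTP/1.1\r\n"
                 b"Host: s3.amazonaws.com:443\r\n"
                 b"User-Agent: PaloAltoNetworks-Traps\r\n\r\n")
BROWSER_CONNECT = (b"CONNECT s3.amazonaws.com:443 HTTP/1.1\r\n"
                   b"Host: s3.amazonaws.com:443\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")
```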

Features Introduced in Traps Agent 5.0.3

The following table describes the new features introduced in Traps agent 5.0.3 release.

Feature

Description

Local Analysis of .NET Samples

To prevent unknown malware developed using the Microsoft .NET framework from running on Windows endpoints, local analysis can now analyze characteristics of .NET samples to determine the likelihood of malware. This enables Traps to identify and block malicious .NET samples before receiving an official WildFire verdict. This capability is automatically included when you enable local analysis in a malware security profile for Windows. As with the existing local analysis models, changes or updates to the models used to analyze .NET samples can be delivered by Palo Alto Networks in content updates.

Features Introduced in Traps Agent 5.0.2

The following table describes the new features introduced in Traps agent 5.0.2 release.

Feature

Description

Reverse Shell Protection for Linux

Traps now extends malware protection to Linux servers with Reverse Shell Protection. With this module, Traps detects suspicious or abnormal network activity from shell processes and terminates the malicious shell process.

Features Introduced in Traps Agent 5.0.1


The following table describes the new features introduced in Traps agent 5.0.1 release.

Feature

Description

Shellcode Protection for Linux

Traps extends its exploit protection for Linux servers to include shellcode protection. This capability enables Traps to monitor processes that run code from unmapped locations and prevent processes from calling operating system functions that these processes shouldn't commonly use.

Extended Linux OS Support

Traps now supports Amazon Linux 2 LTS Candidate (2017.12) and Amazon Linux 2 LTS Candidate 2, Debian 8 and 9, and Oracle 6 and 7. For full OS compatibility, refer to the Palo Alto Networks Compatibility Matrix.

Features Introduced in Traps Agent 5.0.0.77

The following table describes the new features introduced in Traps agent 5.0.0.77 release.

Feature

Description

Traps for Android Installation Enhancement

The Traps app for Android now allows end users to supply the installation URL or distribution ID during activation. This enhancement allows users to complete activation if the distribution ID was not supplied or if the user attempts to install directly from the Google Play Store. For more information, see Install Traps App for Android in the Traps Agent 5.0 Administrator’s Guide.

[Figure: activation by installation URL or distribution ID]

Features Introduced in Traps Agent 5.0.0


The following table describes the new features introduced in Traps agent 5.0.0 release.

Feature

Description

Traps for Android

The new Traps app for Android extends malware detection and prevention to Android endpoints. Traps for Android leverages both local analysis and threat-intelligence from WildFire to detect known malware. Traps for Android can also optionally submit the unknown apps to the Traps management service for further in-depth analysis by WildFire. From the Traps management service, you can monitor the health of the Traps app and view details about security events that occur on the Android endpoints in your organization. Traps for Android is supported on Android 4.4 and later releases.

[Figure: Traps app for Android summary]