Cytool for Windows
4.2 (EoS)
To manage Traps functions from the command line on Windows endpoints, use Cytool.

Cytool is a command-line interface (CLI) that is integrated into Traps and enables you to query and manage both basic and advanced functions of Traps. Any changes you make using Cytool are active only until Traps receives the next heartbeat communication from the ESM Server, at which point the server-side policy is reapplied.

On Windows endpoints, you can access Cytool using a Microsoft MS-DOS command prompt that you run as an administrator. Cytool is located in the `C:\Program Files\Palo Alto Networks\Traps` folder on the endpoint. The following table displays the Cytool options available on Windows endpoints.
Command Option | Description
---|---
enum | Enumerate protected processes. Usage: `cytool enum`. For example:
protect | Enable or disable a protection feature. Usage: `cytool protect <action> <feature>` where: For example:
startup | Enable, disable, or query the startup state of Traps components. Usage: `cytool startup <action> <component>` where: For example:
runtime | Stop or start product components. Usage: `cytool runtime <action> <component>` where: For example:
policy | Query or compare the applied policy for a process. Usage: `cytool policy <action> <process>` where: For example, to query the policy for future executions of notepad.exe: For example, to compare the policy for future executions of notepad.exe to the default policy:
log | Operate product log sessions. Usage: `cytool log <action>` where `<action>` is one of the following:
quarantine | View and restore quarantined files. Usage:
stat | Query Traps statistics from a running process. Usage: `cytool stat <pid>` where `<pid>` is the process ID. For example, to display statistics about the Chrome process identified by PID 4080:
tla | View the history of the Traps local analysis module. Usage: `cytool tla query`. For example:
info | Display general Traps information. Usage: `cytool info [query]`. To display the Traps version, run the `cytool info` command without any additional arguments. To display additional details about Traps, such as the version of the default policy and the specific build number, add the `query` argument. For example:
image | Display image information about a specific PE file. Usage: `cytool image <process_path>`. For example:
wf | WildFire operations. Usage: `cytool wf query [<hash>]`
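The `image` and `stat` options above are the two whose full syntax the table gives, so they are the ones a responder can script safely. The following PowerShell script is an added example, not part of the Traps documentation: for every running instance of a named process it captures the `cytool image` report for the executable and the `cytool stat` report for each PID into a single timestamped file that can be attached to an investigation. It assumes the documented install folder and that the CLI binary is named `cytool.exe`; both are assumptions, as is the script's own parameter and output-file naming.

```powershell
# Added example (not from the Traps documentation): snapshot the Traps image
# and statistics reports for every running instance of a process name.
# Assumes the documented install folder and that the binary is cytool.exe.
param(
    [Parameter(Mandatory = $true)][string]$ProcessName,      # e.g. "chrome"
    [string]$OutFile = "$env:TEMP\cytool-snapshot.txt"       # assumed output path
)

$cytool = Join-Path 'C:\Program Files\Palo Alto Networks\Traps' 'cytool.exe'

# Cytool must be run from an administrator prompt; fail early rather than
# collect a confusing partial snapshot.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an administrator command prompt.'
}
if (-not (Test-Path $cytool)) { throw "Cytool not found at $cytool" }

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { throw "No running process named '$ProcessName'" }

$lines = @("# cytool snapshot $(Get-Date -Format o) for process '$ProcessName'")

# One image report per distinct executable path: cytool image <process_path>
$paths = $procs | Where-Object { $_.Path } | Select-Object -ExpandProperty Path -Unique
foreach ($path in $paths) {
    $lines += "## cytool image $path"
    $lines += & $cytool image $path 2>&1
}

# One statistics report per running instance: cytool stat <pid>
foreach ($p in $procs) {
    $lines += "## cytool stat $($p.Id)"
    $lines += & $cytool stat $p.Id 2>&1
}

$lines | Set-Content -Path $OutFile
Write-Host "Wrote $($lines.Count) lines to $OutFile"
```

Because Cytool changes are reverted at the next ESM heartbeat, a read-only snapshot like this is also the right way to confirm what state an endpoint was actually in at a given moment.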