Traps™ Agent Administrator's Guide
    : Cytool for Windows
    Focus
    Focus
    1. Home
    2. Traps
    3. Traps™ Agent Administrator's Guide
    4. Traps Agent 4.2 for Windows
    5. Troubleshooting Resources for Traps Agent for Windows
    6. Cytool for Windows

    Traps™ Agent Administrator's Guide

    Cytool for Windows

    Table of Contents

    Cytool for Windows

    To manage Traps functions from the command line on Windows endpoints, use Cytool.
    Cytool is a command-line interface (CLI) that is integrated into Traps and enables you to query and manage both basic and advanced functions of Traps. Any changes you make using Cytool are active until Traps receives the next heartbeat communication from the ESM Server.
    On Windows endpoints, you can access Cytool using a Microsoft MS-DOS command prompt that you run as an administrator. Cytool is located in the C:\Program Files\Palo Alto Networks\Traps folder on the endpoint.
    The following table displays the Cytool options available on Windows endpoints.
    Command OptionDescription
    enum
    Enumerate protected processes.
    Usage: cytool enum
    For example:
    C:\Program Files\Palo Alto Networks\Traps>cytool enum
Process ID      Agent Version
6396            4.2.0.33808
6316            N/A
5788            4.2.0.33808
8576            4.2.0.33808
5532            4.2.0.33808
7244            4.2.0.33808
7160            4.2.0.33808
8596            4.2.0.33808
1064            4.2.0.33808
7820            4.2.0.33808
5156            4.2.0.33808
6904            4.2.0.33808
    protect
    Enable or disable a protection feature.
    Usage: cytool protect <action> <feature>
    where:
    • <action>—Changes protection for a Traps feature. Options are: enable, disable, policy, and query. The query option displays the protection status for each feature.
    • <feature>—Specifies the feature for which you want to change the protection status. Options are process for Traps core processes, registry for Traps registry keys, file for Traps files, and service for Traps services.
    For example:
    C:\Program Files\Palo Alto Networks\Traps>cytool protect disable process
Enter supervisor password:

Protection      Mode            State
Process         Disabled        Disabled
Registry        Policy          Enabled
File            Policy          Enabled
Service         Policy          Enabled
    startup
    Enable, disable, or query the startup state of Traps components.
    Usage: cytool startup <action> <component>
    where:
    • <action>—Changes startup action for a Traps component. Options are: enable, disable, and query. The query option displays the startup status for each component.
    • <component>—Specifies the component for which you want to change the startup action. To change the startup action for multiple components, list them with spaces separating each component. Options are: cyverak, cyvrmtgn, cyvrfsfd, cyserver, tlaservice, CyveraService, and twdservice.
    For example:
    C:\Program Files\Palo Alto Networks\Traps>cytool startup disable cyverak cyvrfsfd
Enter supervisor password:

Service         Startup
cyverak         Disabled
cyvrmtgn        System
cyvrfsfd        Disabled
cyserver        Automatic
CyveraService   Automatic
tlaservice      Automatic
twdservice      Automatic
    runtime
    Stop or start product components.
    Usage: cytool runtime <action> <component>
    where:
    • <action>—Changes startup runtime action for a Traps component. Options are: start, stop, and query. The query option displays the startup status for each component.
    • <component>—Specifies the component for which you want to change the runtime action, or you can specify all components by not including any in this command. To change the runtime action for a subset of components, list them with spaces separating each component. Options are: cyverak, cyvrmtgn, cyvrfsfd, cyserver, tlaservice, CyveraService, and twdservice.
    For example:
    C:\Program Files\Palo Alto Networks\Traps> cytool runtime stop cyserver cyverak
Enter supervisor password:

Service         State
cyverak         Stopped
cyvrmtgn        Running
cyvrfsfd        Running
cyserver        Stopped
CyveraService   Stopped
tlaservice      Stopped
twdservice      Stopped
    policy
    Query or compare the applied policy for a process.
    Usage: cytool policy <action> <process>
    where:
    • <action>—Options are: query and compare. The query option displays the current applied policy for the process; the compare option enables you to compare the policy against the policy for another process or against the default policy.
    • <process>—Either the process name or process ID (PID).
    For example, to query the policy for future executions of notepad.exe:
    C:\Program Files\Palo Alto Networks\Traps>cytool policy query notepad.exe
Enter supervisor password:

Generic
  Enable         0x00000001
  LongHooks                     0x00000000
  StaticHooks                   0x00000000
  NoCallSplitting               0x00000000
  InitSecurityCookie            0x00000000
  DontInjectThinApp             0x00000001
  LeanInjection                 0x00000000

B01
  Enable                        0x00000000
  BlockAPI                      0x00000000
[...]
    For example, to compare the policy for future executions of notepad.exe to the default policy:
    C:\Program Files\Palo Alto Networks\Traps>cytool policy compare notepad.exe default
Enter supervisorpassword:

Generic
  Enable                            0x00000001                 0x00000001
  LongHooks                         0x00000000  0x00000000
StaticHooks                       0x00000000                 0x00000000
  NoCallSplitting                   0x00000000                 0x00000000
  InitSecurityCookie                0x00000000                 0x00000000
  DontInjectThinApp                 0x00000001                 0x00000001
  LeanInjection                     0x00000000                 0x00000000

B01
  Enable                            0x00000000                 0x00000000
  BlockAPI                          0x00000000                 0x00000000
[...]
    logOperate product log sessions.
    Usage: cytool log <action>
    where <action> is one of the following:
    • start <log_size>—Starts the log session and logs the results to a file with a maximum size in MB (up to 25MB).
    • stop—Stop the log session.
    • reset—Reset all logging configurations to their defaults. If an active logging session exists, it will be restarted.
    • set <component> <log_level> <flag> where:
      • <component> can be either all (set the log level for all components) or one of the following individual components: cyvrlpc, cyvrfsfd, cyverak, cyvrmtgn, cyreport, cyserver, cyapi, cylnk, cyrprtui, cytray, tlaservice, tlaworker, tlacore, cytool, cyverau, cyinjct, cyvrtrap, cyvera, ntnativeapi, winutils, or panwd.
      • <level> can be one of the following log levels: NONE, CRITICAL, ERROR, WARNING, INFO, VERBOSE, DEBUG, or ALL.
      • <flag> is the mask (hex) of one or more trace flags (a maximum of 31) separated by spaces that Traps assigns to each trace when a program runs on the endpoint (for example 0x7FFFFFFF, or 0x5). The trace flag is a property of a trace provider (in this case, Traps) and determines which events Traps generates. You can use the trace flag to filter events that Traps traces.
    • convert <etl_file> [<tmf_file>]—Extract the encoded event trace log (ETL) file using a trace message format (TMF) file as a key to a file with the same name and store the result in %ProgramData%\Cyvera\Logs\Log.txt. When a TMF file is not supplied, Cytool uses the default TMF file stored in the %ProgramData\Cyvera\Logs\ folder to convert the ETL file.
      This command is not supported on Windows XP SP3.
    Examples:

  CYTOOL log convert %ProgramData%\Cyvera\logs\traps_native_log.4.0.0.0.etl
    Converts the default log file (.etl) with log.tmf that is located in the same folder.

  CYTOOL log set cyvrtrap ERROR 0x5
    Sets cyvrtrap's configuration to produce ERROR traces of first and third flags.

  CYTOOL log set all VERBOSE 0x7FFFFFFF
	Sets all components configuration to produce VERBOSE traces with all flags.
    quarantineView and restore quarantined files.
    Usage:
    • cytool quarantine list—List all quarantined files.
    • cytool restore <ID> [<path>]—Restore files to their original location or to a path, if specified, by specifying the file ID.
    statQuery Traps statistics from a running process.
    Usage: cytool stat <pid>
    where <pid> is the process ID (PID).
    For example, to display statistics about the Chrome process identified by PID 4080:
    c:\Program Files\Palo Alto Networks\Traps> cytool stat 4080
DllSec Invocations: 0
DllSec Time: 00:00:00.0
G01 Invocations: 0
G01 Time: 00:00:00.0
G01 Thunk 00 Resolution: 0
G01 Thunk 01 Resolution: 0
G01 Thunk 02 Resolution: 0
G01 Thunk 03 Resolution: 0
G01 Thunk 04 Resolution: 0
G01 Thunk 05 Resolution: 0
G01 Thunk 06 Resolution: 0
G01 Thunk 07 Resolution: 0
G01 Thunk 08 Resolution: 0
G01 Thunk 09 Resolution: 0
G01 Thunk 10 Resolution: 0
G01 Thunk 11 Resolution: 0
G01 Thunk 12 Resolution: 0
G01 Thunk 13 Resolution: 0
G01 Thunk 14 Resolution: 0
G01 Thunk 15 Resolution: 0
G01 Stack Walk Resolution: 0
J01 Minimum Stack Depth: 166
J01 Checks: 25
J01 Stack Walk Checks: 0
    tlaView the history of the Traps local analysis module.
    Usage: cytool tla query
    For example:
    C:\Program Files\Palo Alto Networks\Traps>cytool tla query
FileType:  Executable
Build:     589
Timestamp: Sunday, February 11, 2018, 12:32:36

FileType:  Dynamically Linked Library
Build:     585
Timestamp: Wednesday, January 10, 2018, 12:37:20

FileType:  Visual Basic Application Macro
Build:     591
Timestamp: Monday, February 12, 2018, 11:11:04
    infoDisplay general Traps information.
    Usage: cytool info [query]
    To display the Traps version, run the cytool info command without any additional arguments. To display additional details about Traps, such as the version of the default policy and the specific build number, add the query argument. For example:
    C:\Program Files\Palo Alto Networks\Traps>cytool info
Traps (R) supervisor tool 4.2.0.33808
(c) Palo Alto Networks, Inc. All rights reserved

General Traps information.

USAGE: cytool info query

C:\Program Files\Palo Alto Networks\Traps>cytool info
query
Content Type: 15
Content Build: 1997
Content Version: 15-1997
Event Log: 1
Quarantine Quota: 1048576 KB
    image
    Display image information about a specific PE file.
    Usage: cytool image <process_path>
    For example:
    C:\Program Files\Palo Alto Networks\Traps>cytool image C:\Windows\system32\cmd.exe
cytool image  C:\Windows\system32\cmd.exe
Image Information
Location:     C:\Windows\system32\cmd.exe
Size:         267.50 KB (273920 bytes)
File SHA256:  9a7c58bd98d70631aa1473f7b57b426db367d72429a5455b433a05ee251f3236
Architecture: x86-64
Subsystem:    Windows CUI
PE Size:      267.50 KB (273920 bytes) (same as file size)
    wfWildFire operations.
    Usage: cytool wf query [<hash>]
    C:\Program Files\Palo Alto Networks\Traps>cytool wf query 6D712E38945275FC534042191B02A8B34AA1CCED82486C98C1CE8935DDCF
Enter supervisor password:

Hash,Verdict,Override,Local Verdict,Model Version,Size,Type,Path,Time Stamp,Publishers
6d712e38945275fc534042191b02a8b34aa1cced82486c98c1ce8935ddcf,
Unknown(2),No Override,Malware(1),593,55296,Executable(1),
"\\?\C:\Users\admin\AppData\Local\Packages\Microsoft.
MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\test-pe.exe",
"Monday, March 12, 2018, 20:14:07","",Root,

    © 2024 Palo Alto Networks, Inc. All rights reserved.