Compare Policies
4.2 (EoS)
At regular intervals, Traps requests an updated
security policy from the ESM Server and stores it in the system
registry on Windows endpoints. When a user starts a process, Traps
determines whether or not to protect the process based on the settings
in the security policy.
In troubleshooting scenarios where
Traps does not behave as expected, use the cytool policy compare command
to view differences in policies that are applied to processes running
on the endpoint. Using the command, you can compare a policy for
a process to the default security policy or compare a policy for
a process to a policy for another process. In both cases, you can
specify either the name of the process or the process ID (PID).
Specifying the process name simulates the application of the policy
to the process. Specifying the PID queries the effective policy
for the running process. Cytool displays the policy settings side-by-side and
indicates any differences between policies in red.
To compare
policies, you must enter the supervisor password when prompted.
- Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
- Compare the details of two policies:
  - To compare the policy for a process to the default policy, use the following command:
    C:\Program Files\Palo Alto Networks\Traps> cytool policy compare <process> default
    where <process> is either the process name or the process ID (PID). The following example displays output for comparing the policy that applies to notepad to the default policy. Differences between the two policies are shown in red.
    C:\Program Files\Palo Alto Networks\Traps>cytool policy compare notepad default
    Enter supervisor password:
    Generic
        Enable          0x00000001    0x00000001
        SuspendOnce     0x00000001    0x00000001
        AdvancedHooks   0x00000001    0x00000001
        [...]
    DllSec
        Enable          0x00000001    0x00000000
        Optimize        0x00000001    0x000000011
        [...]
  - To compare the policies for two processes, use the following command:
    C:\Program Files\Palo Alto Networks\Traps> cytool policy compare <process1> <process2>
    where <process1> and <process2> are each either a process name or a process ID (PID). For example, to compare the policy applied to iexplorer to the policy applied to chrome, enter cytool policy compare iexplorer chrome. You can also compare the policies for two PIDs, or compare the policy of a process name to the policy of a PID. The following example displays output for comparing the policies applied to two PIDs, 1592 and 1000. Differences between the two policies are shown in red.
    C:\Program Files\Palo Alto Networks\Traps> cytool policy compare 1592 1000
    Enter supervisor password:
    Generic
        Enable          0x00000001    0x00000001
        SuspendOnce     0x00000001    0x00000001
        AdvancedHooks   0x00000001    0x00000001
        [...]
    DllSec
        Enable          0x00000001    0x00000000
        Optimize        0x00000001    0x000000011
        [...]
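When the output of cytool policy compare is redirected to a file (for example, to attach it to a support case), the red highlighting of differences is lost. The following Python script, added here as an example and not part of the Traps documentation or of cytool itself, parses such captured output and lists every setting whose two values differ. The line layout (a module name on its own line, followed by indented setting rows with two hex values) is assumed from the example above; the sample text is constructed from it.

```python
"""Parse captured `cytool policy compare` output and report differing settings."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the notepad-vs-default example above.
SAMPLE_OUTPUT = """\
Enter supervisor password:
Generic
    Enable          0x00000001    0x00000001
    SuspendOnce     0x00000001    0x00000001
    AdvancedHooks   0x00000001    0x00000001
DllSec
    Enable          0x00000001    0x00000000
    Optimize        0x00000001    0x000000011
"""

# A setting row: name followed by two hex values (left policy, right policy).
ROW_RE = re.compile(r"^\s*(\w+)\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s*$")
# A module header: a single bare word on its own line (assumed layout).
SECTION_RE = re.compile(r"^(\w+)\s*$")


def parse_compare_output(text: str) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Return {module: {setting: (left_value, right_value)}}.

    The password prompt, '[...]' elisions and any other lines are skipped.
    """
    policies: Dict[str, Dict[str, Tuple[int, int]]] = {}
    module = None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row and module is not None:
            name, left, right = row.groups()
            policies[module][name] = (int(left, 16), int(right, 16))
            continue
        header = SECTION_RE.match(line)
        if header:
            module = header.group(1)
            policies.setdefault(module, {})
    return policies


def differing_settings(policies: Dict[str, Dict[str, Tuple[int, int]]]
                       ) -> List[Tuple[str, str, int, int]]:
    """Rows whose values differ, i.e. the rows cytool would print in red."""
    return [(mod, name, left, right)
            for mod, settings in policies.items()
            for name, (left, right) in settings.items() if left != right]


if __name__ == "__main__":
    for mod, name, left, right in differing_settings(parse_compare_output(SAMPLE_OUTPUT)):
        print(f"{mod}.{name}: {left:#010x} != {right:#010x}")
```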