Install Traps Agent for Windows

Traps Agent Administrator Guide

Product
Cortex XDR
Cortex XDR Agent
Version
5.0
Creation date
2022-09-01
Last date published
2023-01-04
Category
Administrator Guide

You can install Traps for Windows in any of the following scenarios:

  • Standard Traps installation—Intended for standard physical endpoints or persistent virtual endpoints. See Install Traps Agent 5.0 Using the MSI or, for a command-line installation, Install Traps Agent 5.0 Using Msiexec.

  • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image on which Traps is installed. This installation ensures that each agent installed on a newly spawned session retains the policy defined on the golden image, which reduces resource use and log creation. In addition, with a VDI installation the endpoint license returns to the license pool when the user logs off or ends the VDI session, or after a shorter inactivity timeout than a standard Traps installation, so that licenses are consumed only by active VDI sessions. Follow the standard installation procedures for persistent endpoints, or follow the procedure to Configure a Traps Agent in a Non-Persistent VDI.

  • Temporary session—(Traps 5.0.4 and later releases) Intended for physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed. After you install Traps, the Traps management service issues a license to the endpoint but revokes it after a short period of inactivity. When the machine reverts to its original state and Traps is reinstalled, the machine receives a license again. To install Traps on a snapshot from which temporary sessions will spawn, Configure Traps for Temporary Sessions.

Install Traps Agent 5.0 Using the MSI

Use the following workflow to install the Traps agent using the MSI file.

  1. Before installing Traps™ agent 5.0 on a Windows endpoint, verify that the system meets the requirements described in Traps Agent for Windows Requirements.

  2. Download the Traps installer for Windows from the Traps management service.

    Ensure that you download the Windows installer for the Windows architecture (x64 or x86) installed on the endpoint.

  3. Run the MSI file on the endpoint.

    The installer displays a welcome dialog.

  4. Click Next.

  5. Install the agent.

    The installer displays a User Account Control dialog.

  6. Click Yes.

    The installer displays a reboot notification.

  7. Click OK.

  8. After you complete the installation, restart the endpoint and verify the Traps agent can establish a connection.

    Note

    If the Traps agent cannot register with the Traps management service, the agent does not retry registration. To retry, reinstall the Traps agent on the endpoint.

Install Traps Agent 5.0 Using Msiexec

Msiexec provides full control over the installation process and allows you to install, modify, and perform other operations on a Windows Installer package from the command-line interface (CLI). You can also use Msiexec to log any issues encountered during installation.

You can also use Msiexec in conjunction with a System Center Configuration Manager (SCCM), Altiris, Group Policy Object (GPO), or other MSI deployment software to install Traps on multiple endpoints for the first time.

When you install Traps with Msiexec, you must install Traps per-machine and not per-user.

Although Msiexec supports additional options, Traps installers support only the options listed here. For example, with Msiexec, the option to install the software in a non-standard directory is not supported—you must use the default path.

  • /i <installpath>\<installerfilename>.msi—Install a package. For example, msiexec /i c:\install\traps.msi.

  • /qn—Displays no user interface (quiet installation).

  • /L*v <logpath>\<logfilename>.txt—Log verbose output to a file. For example, /l*v c:\logs\install.txt.

  • VDI_ENABLED=1—Use to install Traps on the golden image for a non-persistent VDI. This option identifies the session as a VDI in the Traps management service and applies license and endpoint management policy specific for non-persistent VDI. To set up Traps on a golden image for non-persistent VDI, see Configure a Traps Agent in a Non-Persistent VDI.

  • TS_ENABLED=1—Use to install Traps on the golden image for a temporary session. This option identifies the session as a temporary session in the Traps management service and applies the license and endpoint management policy specific to temporary sessions. To set up Traps on a golden image for temporary sessions, see Configure Traps for Temporary Sessions.

  • proxy_list—(Requires Traps agent 5.0.9 or later, supported by Cortex XDR only) Use to install Traps agents that communicate with the Cortex XDR server through an application-specific proxy. This option is relevant in environments where Traps agents communicate with Cortex XDR through a proxy, enabling you to control and manage the agent proxy configuration settings without affecting the communication of other applications on the endpoint.

Use the following workflow to install the Traps agent using Msiexec:

  1. Before installing Traps™ agent 5.0 on a Windows endpoint, verify that the system meets the requirements described in Traps Agent for Windows Requirements.

  2. Use one of the following methods to open a command prompt as an administrator.

    • Select Start > All Programs > Accessories. Right-click Command Prompt and select Run as administrator.

    • Select Start. In the Start Search box, type cmd. Then, to open the command prompt as an administrator, press CTRL+SHIFT+ENTER.

  3. Run the msiexec command followed by one or more supported options and properties.

    For example:

    msiexec /i c:\install\traps.msi /l*v C:\temp\trapsinstall.log /qn

  4. After you complete the installation, restart the endpoint and verify the Traps agent can establish a connection.

    Note

    If the Traps agent cannot register with the Traps management service, the agent does not retry registration. To retry, reinstall the Traps agent on the endpoint.
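The following PowerShell wrapper is an added example and is not code from the Traps Agent Administrator Guide or from Palo Alto Networks. It runs msiexec with only the options the page lists (/i, /qn, /l*v and the public properties VDI_ENABLED, TS_ENABLED, proxy_list), refuses to run from a non-elevated prompt so that the install is per-machine, maps the msiexec exit codes an administrator actually sees, and confirms the result from the verbose log. The MSI location, log path and the property values are assumptions you supply; the completion line it searches for is the standard text Windows Installer writes to every verbose log.

```powershell
# Added example (not from the Traps guide): unattended Traps agent install via msiexec
# using only the supported options, with exit-code and log verification.

function Install-TrapsAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MsiPath,                 # assumed: e.g. C:\install\traps.msi
        [string]$LogPath = 'C:\temp\trapsinstall.log',
        [hashtable]$Properties = @{}                            # e.g. @{ VDI_ENABLED = 1 } or @{ TS_ENABLED = 1 }
    )
    # The agent must be installed per-machine; that requires an elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated (Run as administrator) prompt.'
    }
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }
    $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath)

    # Only the options the Traps installer supports; no custom install directory.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$LogPath`"")
    foreach ($kv in $Properties.GetEnumerator()) {
        $msiArgs += ('{0}={1}' -f $kv.Key, $kv.Value)
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host 'Installed. Restart the endpoint to complete the installation.' }
        3010    { Write-Host 'Installed (ERROR_SUCCESS_REBOOT_REQUIRED). Restart the endpoint.' }
        1603    { throw "Fatal installer error 1603. Review $LogPath." }
        default { throw "msiexec exited with code $($proc.ExitCode). Review $LogPath." }
    }
    return $proc.ExitCode
}

function Get-TrapsInstallStatus {
    # Returns the numeric status Windows Installer recorded in the verbose log
    # ("Installation success or error status: N"); 0 means the MSI completed.
    param([string]$LogPath = 'C:\temp\trapsinstall.log')
    $hit = Get-Content -Path $LogPath |
           Select-String -Pattern 'Installation success or error status: (\d+)' |
           Select-Object -Last 1
    if (-not $hit) { throw "No completion status found in $LogPath; the installer may not have run." }
    return [int]$hit.Matches[0].Groups[1].Value
}

# Usage (golden image for non-persistent VDI would add -Properties @{ VDI_ENABLED = 1 }):
#   Install-TrapsAgent -MsiPath 'C:\install\traps.msi'
#   Get-TrapsInstallStatus            # expect 0
#   Restart-Computer
# After the reboot, confirm in the Traps management service that the agent is connected;
# a failed registration is not retried, so an agent that never connects must be reinstalled.
```

Deploying through SCCM or GPO does not change the command line; the same option set applies, and the log path is the first thing to collect when an endpoint reports a non-zero status.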

Configure Cortex XDR Specific Proxy

In environments where Traps agents communicate with Cortex XDR through a proxy, you can define a system-wide proxy that affects all communication on the endpoint, or a Cortex XDR specific proxy that you can set, manage, and disable in Cortex XDR. This topic describes how to install a Cortex XDR agent on the endpoint and assign it a Cortex XDR specific proxy.

Note

The Traps agent does not support proxy communication in environments where proxy authentication is required.

  1. Install Traps Agent 5.0 Using Msiexec and include the proxy_list argument.

    The argument format is proxy_list="<proxy>:<port>"

    1. You can assign up to five different proxies per agent. For each proxy, enter the IP address and port number. You can also configure the proxy by entering the FQDN and port number. When you enter the FQDN, you can use both lowercase and uppercase letters. Avoid using special characters or spaces.

      For example:

      msiexec /i c:\install\cortexxdr.msi proxy_list="My.Network.Name:808,10.196.20.244:8080"

    2. To install a Traps agent communicating through the Palo Alto Networks Broker Service, you must enter the Broker VM IP address and a port number. You can use default port 8888 or set another port number.

      Warning

      You are not permitted to configure port numbers between 0-1024 and 63000-65000, or port numbers 4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, 25672. Additionally, you are not permitted to reuse port numbers you already assigned to the Syslog Collector applet.

  2. After the initial installation, you can change the proxy settings if necessary from the Endpoints page of Cortex XDR.
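Because an invalid proxy_list value is only discovered after the MSI has run, it is worth validating it first. The function below is an added example, not part of the guide or of the Cortex XDR product; it enforces the rules stated above (at most five entries, each an IP address or FQDN plus port, no spaces or special characters) and, when the entries point at a Broker VM, rejects the reserved port ranges and any port you already assigned to the Syslog Collector. The hostname character set (letters, digits, dots, hyphens) and the example Syslog Collector port 6514 are assumptions.

```powershell
# Added example (not from the Traps guide): validate a proxy_list value before
# handing it to msiexec, so a bad entry fails here rather than on the endpoint.

# Broker VM ports the Cortex XDR documentation above forbids, plus two ranges.
$ReservedBrokerPorts = @(4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, 25672)

function Test-BrokerPort {
    param(
        [Parameter(Mandatory)][int]$Port,
        [int[]]$SyslogCollectorPorts = @()      # ports you already gave the Syslog Collector applet
    )
    if ($Port -ge 0 -and $Port -le 1024)         { return $false }
    if ($Port -ge 63000 -and $Port -le 65000)    { return $false }
    if ($ReservedBrokerPorts -contains $Port)    { return $false }
    if ($SyslogCollectorPorts -contains $Port)   { return $false }
    return $true
}

function New-ProxyListArgument {
    param(
        [Parameter(Mandatory)][string[]]$Proxy,  # 'host:port' entries, IP or FQDN
        [int[]]$SyslogCollectorPorts = @(),
        [switch]$Broker                          # entries are Broker VMs: enforce the port rules
    )
    if ($Proxy.Count -gt 5) {
        throw "proxy_list accepts at most five proxies; got $($Proxy.Count)."
    }
    foreach ($entry in $Proxy) {
        # Assumed host syntax: letters, digits, dots and hyphens only (no spaces or special characters).
        if (-not ($entry -match '^(?<host>[A-Za-z0-9.-]+):(?<port>\d{1,5})$')) {
            throw "Bad proxy entry '$entry': expected <IP or FQDN>:<port>."
        }
        $port = [int]$Matches.port
        if ($port -gt 65535) { throw "Bad proxy entry '$entry': port out of range." }
        if ($Broker -and -not (Test-BrokerPort -Port $port -SyslogCollectorPorts $SyslogCollectorPorts)) {
            throw "Bad proxy entry '$entry': port $port is reserved or already used by the Syslog Collector."
        }
    }
    # msiexec public-property syntax; the quotes keep the comma-separated list as one value.
    return 'proxy_list="{0}"' -f ($Proxy -join ',')
}

# Usage:
#   $arg = New-ProxyListArgument -Proxy 'My.Network.Name:808','10.196.20.244:8080'
#   msiexec /i C:\install\cortexxdr.msi /l*v C:\temp\trapsinstall.log /qn $arg
#
#   # Broker VM on the default port 8888, with 6514 (assumed) already used by the Syslog Collector:
#   New-ProxyListArgument -Proxy '10.196.20.250:8888' -Broker -SyslogCollectorPorts 6514
#   New-ProxyListArgument -Proxy '10.196.20.250:8000' -Broker      # throws: 8000 is reserved
```

Note that the reserved-port rule applies to the Broker VM port, not to an ordinary proxy; the guide's own example uses port 808, which the function accepts unless you pass -Broker.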

Configure a Traps Agent in a Non-Persistent VDI

In non-persistent VDI mode, each session is temporary. When a user accesses a non-persistent virtual desktop and logs out at the end of the day, none of the user's settings or data, including desktop shortcuts, backgrounds, and newly installed applications, are preserved. At the end of a session, the virtual desktop is wiped clean and reverts to the pristine state of the golden image. The next time the user logs in, they receive a fresh image.

In non-persistent VDI mode, the machine exhibits the following behavior:

  • Licensing—With non-persistent virtual desktops, the Traps agent receives a license from the pool of available endpoint licenses. The Traps management service automatically returns the license to the license pool when the user logs off, the agent is uninstalled, the session ends, or when the VDI is inactive. Revoking the license frees it up for use by another Traps agent.

  • Connectivity—When the user logs on to the VDI machine, the Traps agent connects to the Traps management service to receive the license and to obtain the relevant updates. The Traps agent continues to communicate with the Traps management service throughout the life cycle of the VDI instance. The Traps agent only protects the machine when a user is logged in. When the user is logged out, the Traps agent disconnects from the Traps management service. During this time, Traps does not receive updated policies or verdicts and does not send heartbeat communications to the Traps management service.

  • Verdict updates—When you identify the golden image as a VDI, the Traps management service tracks all VDI machines that are spawned from the golden image. When a verdict for a file that was seen on the golden image changes in the Traps management service cache, the Traps management service sends the changed verdict to all machines that were spawned by the original VDI machine, regardless of whether these machines opened the relevant file or not.

  • Storage—Many VDI solutions let you choose either non-persistent or persistent storage for a non-persistent VDI. With non-persistent storage, user settings and data are kept for the length of the session and wiped when the session ends or the user logs out. With persistent storage, you can select folders or specific locations that persist after a session ends.

To ensure the Traps management service correctly identifies and treats the agent as a VDI agent, perform the following workflow on the golden image:

  1. Install any software that you plan to have on the VDI instances.

    1. On the golden image, Install Traps Agent 5.0 Using Msiexec and include the VDI_ENABLED=1 VDI flag.

      For example:

      msiexec /i c:\install\traps.msi /l*v C:\temp\trapsinstall.log /qn VDI_ENABLED=1

    2. Install additional required software.

  2. Scan your golden image for files and request verdicts.

    Use Cytool to scan your endpoint. We recommend this step to populate the golden image with verdicts for executable files, DLLs, and files containing macros. If you do not perform this step, the Traps agent has to evaluate each file when it attempts to run on an endpoint during each VDI session.

    1. Open a command prompt as an administrator and navigate to C:\Program Files\Palo Alto Networks\Traps.

    2. If you plan to output the scanning report to the Traps folder, you must run the cytool protect disable command to disable Traps service protection.

    3. Run the cytool imageprep scan [timeout <timeout in hours>] [upload <upload timeout in minutes>] [path <full path>] command, where the scan timeout is the number of hours you permit Cytool to run the scan (default is 4 hours), the upload timeout is the number of minutes you permit Cytool to upload unknown files to assess the verdict (default is 95 minutes), and path is the directory in which you want to output the scanning report.

      For example:

      C:\Program Files\Palo Alto Networks\Traps>cytool imageprep scan timeout 4 upload 60 path c:\report
      Start Time       : 17:56:46
      Elapsed Time     : 00:04:17
      State            : Running
      Scanned Files    : 5427
      Suspicious Files : 0
      Failed Files     : 9
      Volume Root Path : \\?\C:\
      Window Usage     : 0                       236                       20000
      Path             : ...t\cache2\entries\9B982CE198BF046E6CCF25478920DDFD9E5842E5
      
      Scan completed successfully
      
      Complete report can be found at: C:\report\imageprep_2018-03-06_08-59-30.xml

      Tip

      If you need to install additional software after performing this step, you must re-scan the endpoint to allow the Traps agent to obtain verdicts for the new software.

    4. If you previously disabled service protection, enable it using the cytool protect enable command after the scan is complete.

    5. Review any portable executable (PE) files that WildFire® determined to be malicious.

      1. Open the scan report in Microsoft Excel or an editor of your choice.

      2. Perform one of the following actions for each malicious PE file:

        • Remove the malicious file from the golden image.

        • If you believe the WildFire verdict is incorrect, override the verdict for the PE file on the Hash Exceptions page of the Traps management service. Then perform a Check In from the Traps console on the golden image.

  3. If you later rename the golden image, run the cytool vdi update command to update the golden image name in the registry.
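The golden-image scan steps above (disable service protection only if the report lands in the Traps folder, run the scan, re-enable protection, locate the report) are easy to get wrong by hand, in particular leaving protection disabled after a failed scan. The script below is an added example, not code from the guide or from Palo Alto Networks; it drives cytool exactly as the page describes and re-enables protection in a finally block. It assumes the default install path, treats "Scan completed successfully" and the summary lines from the sample output above as the success markers, and does not parse the XML report, since the page does not document its schema. Cytool may prompt for the Traps supervisor password on some releases, so run it interactively.

```powershell
# Added example (not from the Traps guide): run the cytool imageprep workflow on a
# golden image and always restore service protection, even when the scan fails.

$TrapsDir = 'C:\Program Files\Palo Alto Networks\Traps'   # default path; the installer accepts no other

function Invoke-TrapsImagePrep {
    [CmdletBinding()]
    param(
        [string]$ReportPath = 'C:\report',
        [int]$ScanTimeoutHours = 4,          # cytool default per the guide
        [int]$UploadTimeoutMinutes = 95,     # cytool default per the guide
        [switch]$ReportInsideTrapsDir        # only then must service protection be disabled first
    )
    $cytool = Join-Path $TrapsDir 'cytool.exe'
    if (-not (Test-Path -LiteralPath $cytool)) { throw "cytool not found at $cytool" }
    $null = New-Item -ItemType Directory -Force -Path $ReportPath

    $protectionDisabled = $false
    try {
        if ($ReportInsideTrapsDir) {
            & $cytool protect disable | Out-Null
            $protectionDisabled = $true
        }
        $output = & $cytool imageprep scan timeout $ScanTimeoutHours upload $UploadTimeoutMinutes path $ReportPath
        if (($output -join "`n") -notmatch 'Scan completed successfully') {
            throw "imageprep scan did not complete:`n$($output -join "`n")"
        }
    }
    finally {
        # Never leave the golden image with service protection off.
        if ($protectionDisabled) { & $cytool protect enable | Out-Null }
    }

    # Keep the counters for the change record; the XML report is what you actually review.
    $summary = $output | Select-String -Pattern 'Scanned Files|Suspicious Files|Failed Files|Complete report'
    $report  = Get-ChildItem -Path $ReportPath -Filter 'imageprep_*.xml' |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
    return [pscustomobject]@{
        Summary = @($summary | ForEach-Object { $_.Line })
        Report  = if ($report) { $report.FullName } else { $null }
    }
}

# Usage on the golden image, after Traps (VDI_ENABLED=1) and all other software are installed:
#   $r = Invoke-TrapsImagePrep -ReportPath 'C:\report' -UploadTimeoutMinutes 60
#   $r.Summary
#   $r.Report      # open in Excel; remove malicious PE files or add Hash Exceptions, then Check In
# Re-run this after any later software install, and run 'cytool vdi update' if you rename the image.
```

Running the scan with protection disabled only when the report is written inside the Traps folder follows the guide's own condition; for any other report path the script leaves protection untouched, which is the safer default on an image that will be cloned.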

Configure Traps for Temporary Sessions

To ensure the Traps management service correctly identifies and manages the agent as a temporary session, perform the following workflow to install Traps on the snapshot: