Cytool for Windows

To manage Traps functions from the command line on Windows endpoints, use Cytool.

Cytool is a command-line interface (CLI) that is integrated into Traps and enables you to query and manage both basic and advanced functions of Traps. Any changes you make using Cytool are active until Traps receives the next heartbeat communication from the Traps management service.

On Windows endpoints, you can access Cytool using a Microsoft MS-DOS command prompt that you run as an administrator. Cytool is located in the

C:\Program Files\Palo Alto Networks\Traps

folder on the endpoint.

The following table displays the Cytool options available on Windows endpoints.

Command Option	Description
enum	Enumerate protected processes. Usage: cytool enum For example: C:\Program Files\Palo Alto Networks\Traps> cytool enum Process ID Agent Version 6396 5.0.0.33808 6316 N/A 5788 5.0.0.33808 8576 5.0.0.33808 5532 5.0.0.33808 7244 5.0.0.33808 7160 5.0.0.33808 8596 5.0.0.33808 1064 5.0.0.33808 7820 5.0.0.33808 5156 5.0.0.33808 6904 5.0.0.33808
protect	Enable or disable a protection feature. Usage: cytool protect `<action><feature>` where: `<action>` —Changes protection for a Traps feature. Options are: enable , disable , policy , and query . The query option displays the protection status for each feature. `<feature>` —Specifies the feature for which you want to change the protection status. Options are process for Traps core processes, registry for Traps registry keys, file for Traps files, and service for Traps services. For example: C:\Program Files\Palo Alto Networks\Traps> cytool protect disable process Enter supervisor password: Protection Mode State Process Disabled Disabled Registry Policy Enabled File Policy Enabled Service Policy Enabled
startup	Enable, disable, or query the startup state of Traps components. Usage: cytool startup `<action><component>` where: `<action>` —Changes startup action for a Traps component. Options are: enable , disable , and query . The query option displays the startup status for each component. `<component>` —Specifies the component for which you want to change the startup action. To change the startup action for multiple components, list them with spaces separating each component. Options are: cyverak , cyvrmtgn , cyvrfsfd , cyserver , tlaservice , CyveraService , and twdservice . For example: C:\Program Files\Palo Alto Networks\Traps> cytool startup disable cyverak cyvrfsfd Enter supervisor password: Service Startup cyverak Disabled cyvrmtgn System cyvrfsfd Disabled cyserver Automatic CyveraService Automatic tlaservice Automatic twdservice Automatic
runtime	Stop or start product components. Usage: cytool runtime `<action><component>` where: `<action>` —Changes startup runtime action for a Traps component. Options are: start , stop , and query . The query option displays the startup status for each component. `<component>` —Specifies the component for which you want to change the runtime action, or you can specify all components by not including any in this command. To change the runtime action for a subset of components, list them with spaces separating each component. Options are: cyverak , cyvrmtgn , cyvrfsfd , cyserver , tlaservice , CyveraService , and twdservice . For example: C:\Program Files\Palo Alto Networks\Traps> cytool runtime stop cyserver cyverak Enter supervisor password: Service State cyverak Stopped cyvrmtgn Running cyvrfsfd Running cyserver Stopped CyveraService Stopped tlaservice Stopped twdservice Stopped
policy	Query or compare the applied policy for a process. Usage: cytool policy `<action><process>` where: `<action>` —Options are: query and compare . The query option displays the current applied policy for the process; the compare option enables you to compare the policy against the policy for another process or against the default policy. `<process>` —Either the process name or process ID (PID). For example, to query the policy for future executions of notepad.exe: C:\Program Files\Palo Alto Networks\Traps> cytool policy query notepad.exe Enter supervisor password: Generic Enable 0x00000001 LongHooks 0x00000000 StaticHooks 0x00000000 NoCallSplitting 0x00000000 InitSecurityCookie 0x00000000 DontInjectThinApp 0x00000001 LeanInjection 0x00000000 B01 Enable 0x00000000 BlockAPI 0x00000000 [...] For example, to compare the policy for future executions of notepad.exe to the default policy: C:\Program Files\Palo Alto Networks\Traps> cytool policy compare notepad.exe default Enter supervisor password: Generic Enable 0x00000001 0x00000001 LongHooks 0x00000000 0x00000000 StaticHooks 0x00000000 0x00000000 NoCallSplitting 0x00000000 0x00000000 InitSecurityCookie 0x00000000 0x00000000 DontInjectThinApp 0x00000001 0x00000001 LeanInjection 0x00000000 0x00000000 B01 Enable 0x00000000 0x00000000 BlockAPI 0x00000000 0x00000000 [...]
trace	Operate product trace sessions. Usage: cytool trace start `<log size>` —Starts the trace session and logs the results to a file with a maximum `<log size>` in MB (up to 25MB). cytool trace stop —Stops the trace session. cytool trace reset —Resets all tracing configurations to their default values. If an active logging session exists, Cytool will restart the session. cytool trace set `<component><level><flag>` , where: `<component>` can be either all (set the log level for all components) or one of the following individual components: cyvrlpc , cyvrfsfd , cyverak , cyvrmtgn , cyreport , cyserver , cyapi , cylnk , cyrprtui , cytray , tlaservice , tlaworker , tlacore , cytool , cyverau , cyinjct , cyvrtrap , cyvera , ntnativeapi , winutils , or panwd . `<level>` can be one of the following log levels: NONE , CRITICAL , ERROR , WARNING , INFO , VERBOSE , DEBUG , or ALL . `<flag>` is the mask (hex) of one or more trace flags (a maximum of 31) separated by spaces that Traps assigns to each trace when a program runs on the endpoint (for example 0x7FFFFFFF , or 0x5 ). The trace flag is a property of a trace provider (in this case, Traps) and determines which events Traps generates. You can use the trace flag to filter events that Traps traces. cytool trace convert <etl_file> [<tmf_file>] —Extract the encoded event trace log (ETL) file using a trace message format (TMF) file as a key to a file with the same name and store the result in %ProgramData%\Cyvera\Logs\Log.txt . When a TMF file is not supplied, Cytool uses the default TMF file stored in the %ProgramData\Cyvera\Logs\ folder to convert the ETL file. This command is not supported on Windows XP SP3.
quarantine	View and restore quarantined files. Usage: cytool quarantine list —List all quarantined files. cytool restore <ID> [<path>] —Restore files to their original location or to a path, if specified, by specifying the file ID.
stat	Query Traps statistics from a running process. Usage: cytool stat `<pid>` where `<pid>` is the process ID (PID). For example, to display statistics about the Chrome process identified by PID 4080: c:\Program Files\Palo Alto Networks\Traps> cytool stat 4080 DllSec Invocations: 0 DllSec Time: 00:00:00.0 G01 Invocations: 0 G01 Time: 00:00:00.0 G01 Thunk 00 Resolution: 0 G01 Thunk 01 Resolution: 0 G01 Thunk 02 Resolution: 0 G01 Thunk 03 Resolution: 0 G01 Thunk 04 Resolution: 0 G01 Thunk 05 Resolution: 0 G01 Thunk 06 Resolution: 0 G01 Thunk 07 Resolution: 0 G01 Thunk 08 Resolution: 0 G01 Thunk 09 Resolution: 0 G01 Thunk 10 Resolution: 0 G01 Thunk 11 Resolution: 0 G01 Thunk 12 Resolution: 0 G01 Thunk 13 Resolution: 0 G01 Thunk 14 Resolution: 0 G01 Thunk 15 Resolution: 0 G01 Stack Walk Resolution: 0 J01 Minimum Stack Depth: 166 J01 Checks: 25 J01 Stack Walk Checks: 0
tla	View the history of the Traps local analysis module. Usage: cytool tla query For example: C:\Program Files\Palo Alto Networks\Traps> cytool tla query FileType: Executable Build: 589 Timestamp: Sunday, February 11, 2018, 12:32:36 FileType: Dynamically Linked Library Build: 585 Timestamp: Wednesday, January 10, 2018, 12:37:20 FileType: Visual Basic Application Macro Build: 591 Timestamp: Monday, February 12, 2018, 11:11:04
info	Display general Traps information. Usage: cytool info [query] To display the Traps version, run the cytool info command without any additional arguments. To display additional details about Traps, such as the version of the default policy and the specific build number, add the query argument. For example: C:\Program Files\Palo Alto Networks\Traps> cytool info Traps (R) supervisor tool 5.0.0.33808 (c) Palo Alto Networks, Inc. All rights reserved General Traps information. USAGE: cytool info query C:\Program Files\Palo Alto Networks\Traps> cytool info query Content Type: 15 Content Build: 1997 Content Version: 15-1997 Event Log: 1 Quarantine Quota: 1048576 KB
wf	WildFire operations. Usage: cytool wf query [<hash>] C:\Program Files\Palo Alto Networks\Traps> cytool wf query 6D712E38945275FC534042191B02A8B34AA1CCED82486C98C1CE8935DDCF Enter supervisor password: Hash,Verdict,Override,Local Verdict,Model Version,Size,Type,Path,Time Stamp,Publishers 6d712e38945275fc534042191b02a8b34aa1cced82486c98c1ce8935ddcf, Unknown(2),No Override,Malware(1),593,55296,Executable(1), "\\?\C:\Users\admin\AppData\Local\Packages\Microsoft. MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\test-pe.exe", "Monday, March 12, 2018, 20:14:07","",Root,
imageprep	Prepare a golden image by submitting files for cloud analysis and generate a threats report. Usage: cytool imageprep [scan] [timeout `<scan timeout>`] [upload `<upload timeout>`] [path `<full path>`] where: `<scan timeout>` —The number of hours the scan is permitted to run before reporting an error. `<upload timeout>` —The number of minutes Traps can take to upload unknown files to the Traps management service before reporting an error. `<full path>` —Path to store the scan report. If no path is specified, Cytool saves the scan report to the local Cytool directory. To save files to this folder, you must disable service protection using the cytool protect disable command. For example: C:\Program Files\Palo Alto Networks\Traps> cytool imageprep scan timeout 4 upload 60 path c:\report Start Time : 17:56:46 Elapsed Time : 00:04:17 State : Running Scanned Files : 5427 Suspicious Files : 0 Failed Files : 9 Volume Root Path : \\?\C:\ Window Usage : 0 236 20000 Path : ...t\cache2\entries\9B982CE198BF046E6CCF25478920DDFD9E5842E5 Scan completed successfully Complete report can be found at: C:\report\imageprep_2018-03-06_08-59-30.xml
scan	Scan operations. Usage: cytool scan `<action>` where `<action>` : start —Scans the endpoint for malware. stop —Stops a scan. query —Displays the progress if a system scan is active. For example: C:\Program Files\Palo Alto Networks\Traps> cytool scan start Enter supervisor password: The operation completed successfully. C:\Program Files\Palo Alto Networks\Traps> cytool scan query Enter supervisor password: Start Time : 9:09:0648 Elapsed Time : 00:00:51 State : Running Scanned Files : 3944 Suspicious Files : 0 Failed Files : 1\?\C:\ Volume Root Path : \\?\C:\ 8 20000 Window Usage : 0 14 20000 Path : ...m.BubbleWitch3Saga_4.2.2.0_x86__kgqvnymyfvs32\res_output\particles\collected_counter_feathers.xml The operation completed successfully. C:\Program Files\Palo Alto Networks\Traps> cytool scan stop Enter supervisor password: The operation completed successfully.
persist	Traps stores policy and security event information, such as the list of trusted signers, local verdicts, and one-time actions in local databases on the endpoint. To troubleshoot policy issues and security events, you can use cytool persist operations to import, export, and view information stored in the local database. Usage: cytool persist `<action>` where `<action>` : list —Lists the local databases on the endpoint. export `[<database name>` \| `<database path>]` —Exports the database table to a file in the C:\Users\<user>\Documents\PaloAltoNetworks\Traps\cytool directory. import `[<database name>` \| `<database path>`] <file name> —Adds the records in a JSON file to the database. print `<database name>` \| `<database path>` [csv] —Prints the records in the database to a CSV file. To view a list of all local databases, use the cytool persist list command. C:\Program Files\Palo Alto Networks\Traps> cytool persist list Enter supervisor password: Persistent database list: security_events.db Database of security events (preventions) file_upload.db Database of files being uploaded to ESM hash_containers.db Database of files and containers hash_paths.db Database of file paths agent_actions.db Database of one time actions agent_settings.db Database of agent settings esm_frontend.db Database of ESM frontend settings esm_reports.db Database of ESM reports cloud_frontend.db Database of Cloud frontend settings cloud_reports.db Database of Cloud reports post_detection.db Database of post-detection candidates remediation_events.db Database of remediation events C:\Program Files\Palo Alto Networks\Traps> cytool persist export file_upload.db Enter supervisor password: persistence::DB: C:\ProgramData\Cyvera\LocalSystem\persistence\file_upload.db: Open persistence::DB: C:\ProgramData\Cyvera\LocalSystem\persistence\file_upload.db: Close
log	Set log level for the desired process. Usage: cytool log <log_level> <components> where: `<log_level>`—An integer value corresponding to the log level: 0 —Disable logging 1 —Fatal 2 —Critical 3 —Error 4 —Warning 5 —Notice 6 —Information 7 —Debug 8 —Trace `<components>` can be all or it can be one or more of the following Traps components: trapsd , authorized , pmd , or traps_agent . Then use the cytool log collect command to generate a support file archive of all logs in a TGZ file.
checkin	Initiate check-in to the server. Usage: cytool checkin To verify the checkin, view the check-in time on the Traps console.

Document:Traps™ Agent Administrator's Guide

Cytool for Windows

Cytool for Windows

Recommended For You

Document:Traps™ Agent Administrator's Guide

Cytool for Windows

Cytool for Windows

Recommended For You

Recommended Videos