The Traps™ agent protects Linux servers by preventing
known and unknown malware from running by halting any attempts to
leverage software exploits and vulnerabilities to compromise the
server. Traps also extends exploit and malware protection to processes that
run in Linux containers. When you install Traps on a Linux
server that uses containers, Traps automatically protects any new
and existing containerized processes regardless of the container
solution (for example, Docker). Because Cortex XDR issues the license
per Linux server, each container does not consume any additional

The protection capabilities and features that Traps for Linux
enables depend, in part, on your security policy configuration and
the kernel version that is installed. Protection capabilities such
as Behavioral Threat Protection, ELF file analysis, and endpoint
data collection and sharing for EDR all require a supported kernel
version. If you deploy Traps on a Linux server that is not
running one of the kernel versions required for these additional
protection capabilities, Traps operates in asynchronous mode:

- Continuous event monitoring, which Behavioral Threat Protection requires, is disabled.
- Sharing endpoint activity data with Cortex apps is disabled.
- ELF file examination occurs in parallel with the file execution. If the Traps agent obtains a malware verdict for the ELF file, it terminates the file execution. Security events for malware in asynchronous mode are assigned a high severity, because the file can continue to execute while the verdict is being requested, whereas security events in synchronous mode are assigned medium severity.

All other exploit and malware protection is enabled per your
Linux security policy.