The Traps agent can now exclude processes from examination by Traps malware protection modules. The anti-malware whitelist is maintained by Palo Alto Networks and can be updated through content updates or support exceptions.

Traps now supports macOS 10.15. For complete compatibility information, see the Palo Alto Networks Compatibility Matrix.

Upgrade the Traps agent to Traps 6.1.2 from Traps management service or using the deployment method of your choice.
Upgrade the endpoint to macOS 10.15.

In environments where Traps agents communicate with the Traps management service through a system-wide proxy, you can now set an application specific proxy for the Traps agent without affecting the communication of other applications on the endpoint. You can set, manage and disable the Traps agent proxy configuration in the Traps management service.

If your agent is communicating directly with the Traps management service, you can assign it a dedicated proxy in the
Endpoints
window. Once you choose to disable this proxy, the agent will revert back to communicating directly with Traps management service.
If your agent is not connected to Traps management service yet, you must assign the proxy IP address and port number during the Traps agent installation process on the endpoint.

To take immediate action when a security event occurs on a Mac endpoint or Linux server, you can now initiate the following response actions:

Terminate Process
—Terminate the suspicious process on the endpoint. This option is available from security events for which the action is
Report
and allows you to issue a remote request to the endpoint to terminate the process.
Quarantine
—If Traps has reported malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. Quarantine isn't enabled for security events that originated from network drives or containers.

If an event requires further investigation, you can now initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.

You can now initiate a response action to retrieve files from Windows endpoints. You can retrieve up to 20 files in a security event (and up to 200MB total), or you can retrieve a file by supplying the file path. You can also retrieve files from one or more endpoints at a time. Traps management service retains retrieved files for up to one week. To track the status of a file retrieval action, you can view the action from the

Actions Tracker

.

Traps can leverage this endpoint activity data to detect malicious causality chains. Traps management service can also share this information with Cortex apps to aid with event investigation.

Traps extends Ransomware Protection on Windows endpoints to also protect you from ransomware behavior that Traps detects in network folders. The network folders are not configurable but are determined by Palo Alto Networks threat researchers and delivered with content updates in the form of Ransomware Protection rules.

You can now install Traps on Windows 10 RS6. For complete compatibility information, see the Palo Alto Networks Compatibility Matrix

Traps can now provide continuous protection through major operating system (OS) upgrades on Mac endpoints. In compliant mode, Traps automatically but temporarily disables any features or modules affected by the OS change (such as exploit protection modules) that would cause Traps to operate in an incompatible state. In compliant mode, the agent remains active and connected to Traps management service. After Palo Alto Networks tests all features and modules on new OS, Traps management service automatically instructs the agent to activate modules or features that were previously disabled in compliant mode (taking into account the Traps security policy). If Palo Alto Networks determines a capability or feature is not compatible with the new OS, the agent can operate in compliant mode until a subsequent agent release is available for upgrade and full support of the new OS.