Manage Data Collected by Traps
To manage data collected by Traps, you configure an agent action rule. An action rule runs only once on each endpoint; after the Traps agent performs the action, it does not repeat it. To perform the same action again, Duplicate the rule from the Actions page and save or apply the copy.
- Create a new action rule. Select Settings > Agent > Actions and then Add a new rule.
- Configure the tasks you want to perform on the Traps data stored on the endpoints. Select Agent Data and then select any of the following options to manage Traps agent data. Note that Clear history, Erase memory dumps, and Erase quarantined files delete forensic data from the endpoint; if you still need that data for an investigation, run a rule that retrieves it first.
- Clear history—Each endpoint stores a history of security prevention events. Select this option to clear the historical data files shown in the Traps Console on the endpoint.
- Erase memory dumps—Memory dumps are records of the contents of system memory at the time a prevention event occurs. Select this option to erase the memory dump files from the target objects.
- Erase quarantined files—When a security event occurs on an endpoint, Traps captures memory dumps and recent files associated with the event and stores (quarantines) them in the forensic folder on the endpoint. Select this option to delete the files associated with the security event from the target objects.
- Retrieve collected data from the agent—Traps collects security event history, memory dumps, and other information associated with a security event. Select this option to retrieve all the information saved from all events that occurred on the endpoint. After this rule runs, the Traps agent sends all the data related to the prevention event, including a memory dump of the protected process, to the designated forensic folder.
- Retrieve collected logs from the agent—Traps collects detailed application trace logs and stores information about the processes and applications that run on the endpoint. Use the log file to debug an issue with an application or to investigate a specific problem captured in the log. Select this option to create an action rule that retrieves all the application trace information for an endpoint. After this rule runs, the Traps agent sends all the logs to the forensic folder.
- (Optional) Add Conditions to the rule. By default, a new rule does not contain any conditions. To specify a condition, select the Conditions tab, select the condition in the Conditions list, and then Add it to the Selected Conditions list. Repeat to add more conditions as needed. To add a condition to the Conditions list, see Define Activation Conditions for a Rule.
- (Optional) Define the Target Objects to which to apply the action rule. By default, a new rule applies to all objects in your organization. To define a subset of target objects, select the Objects tab, and then enter one or more Users, Computers, Groups, Organizational Units, or Existing Endpoints in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units, or identifies existing endpoints from previous communication messages.
- (Optional) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields if needed. To override the autogenerated name, select the Name tab, clear the Activate automatic description option, and then enter a rule name and description of your choice.
- Save the action rule. Do either of the following:
- Save the rule without activating it. This option is only available for inactive, cloned, or new rules. When you are ready to activate the rule, select the rule from the Settings > Agent > Actions page and then click Activate.
- Apply the rule to activate it immediately.
After saving or applying a rule, you can return to the Actions page at any time to Delete or Deactivate the rule.
- Next steps:
- View the status of the rule—After creating the action rule, you can view its status from the Actions page. The status displays the number of agents that successfully completed the action and the number of agents that failed to complete the action.
- Duplicate the rule—From the Actions page, select the rule and click Duplicate. The ESM Console uses the settings from the rule you selected to populate a new rule. You can then change the scope of the rule by applying it to different target objects, or leave it as is to run it again with the same settings. Then Save or Apply the rule as described in the previous step.
- Retrieve data—If you created an action rule to retrieve data from the endpoint, select Monitor > Data Retrieval to view the Upload State of all data uploads. After the Traps agent completes the data upload, this page displays the event along with a link that allows you to Download the data.