Use the Traps VDI Tool to Configure the Master Policy
So that cloned VDI instances do not start with a local cache full of unknown executable files, use the VDI Tool to request verdicts for every known PE on the master image before you deploy it.
There are two versions of the VDI Tool: 32-bit and 64-bit. Use the version of VDI Tool that matches the VDI architecture.
- Before you begin, make sure the ESM Server can reach WildFire (the last step of this procedure shows how to check).
- Use the Traps VDI Tool to obtain verdicts for all PE files (collected in step 4 of Configure the Master Policy).
The Traps VDI tool communicates with the ESM Server to request any verdicts the server already holds in its server cache. The Traps VDI tool then creates a file called WildFireCache.xml that records one of the following verdicts for each hash: malicious, benign, or unknown. A hash has an unknown verdict if the ESM Server has not yet submitted the sample to WildFire, or has submitted it but has not yet received a verdict back.
- Open the Traps VDI tool.
- Configure the following settings:
- ESM server address—IP address or hostname of the ESM Server used for checking the hashes. This server must be able to connect to WildFire.
- ESM server SSL binding—Set the value to True if the server uses an SSL binding (default is False).
- Input file—Path of the comma-separated value (CSV) file that you created in step 4 and that contains all the hashes.
- Output file path—Enter the filename that the Traps VDI tool will use to create the WildFire cache output: WildFireCache.xml. The Traps VDI tool creates the file in the same folder as the tool unless you changed the path here.
- ESM server port—Port number for the ESM server (default is 2125).
- Hash bulk size—Hashes will be reported to the server in fragments of this size (default is 300; range is 1 to 500).
- Tool timeout in hours—Time in hours to wait for the Traps VDI tool to finish obtaining verdicts. If the Traps VDI tool exceeds the timeout, it stops generating the WildFire cache (default is 24 hours).
- Wait for WildFire verdicts—Select False for this first pass so that the tool only looks up hashes and does not upload unknown files to WildFire (you change this to True in a later step).
- WildFire verdicts check interval—Time in minutes between inquiries to check for new verdicts (default is 10).
- Write malware to cache—Select True to write malware verdicts to the cache file (default is False).
- Click Start. The Traps VDI tool uses the results of the verdict lookup to create the WildFireCache.xml file.
- Wait two hours for the ESM Server to query WildFire for any unknown verdicts and then proceed to the next step. During this time, the ESM Server populates the server cache with any verdicts for hashes WildFire has previously analyzed.
- Submit any remaining unknown executable files for analysis.
The Traps VDI tool uploads the files to the ESM Server, which then sends the files to WildFire for inspection. After the ESM Server submits the samples, the server queries WildFire every 10 minutes for updated verdicts.
- Open the Traps VDI tool.
- Change the Wait for WildFire verdicts setting to True. This setting enables the Traps VDI tool to send any remaining unknown executable files and wait for the WildFire verdict.
- Click Start. After the verdict lookup is complete, the Traps VDI tool recreates the XML file containing the hashes and their verdicts.
- Review any PE files that WildFire determined to be malicious.
- Open the Malware text file created by the Traps VDI tool. This file contains the list of hashes for which WildFire returned a malicious verdict.
- Perform one of the following actions for each malicious PE file:
- Remove the malicious PE file from the master image.
- If you believe the WildFire verdict is incorrect, override the verdict for the PE file on the Hash Control page of the ESM Console and change the verdict to benign in the WildFireCache.xml. Override a verdict only for a file you have verified independently: the override allows that hash to run on every endpoint managed by this ESM Server, not just the VDI instances.
- Terminate the agent service and drivers using Cytool, so that the running agent cannot hold or overwrite the cache file while you replace it.
- Replace the WildFire cache with the file generated by the Traps VDI tool.
- Locate the WildFire cache file generated by the Traps VDI tool. The file is located in the path that you specified in the Output file path field.
- Replace the WildFireCache.xml file in %ProgramData%\Cyvera\LocalSystem\ with the new file.
- Use the Traps VDI tool to identify the master image as a VDI instance.
The tool marks the machine in the Windows registry as a VDI instance.
- Open the Traps VDI tool.
- Click the Menu in the top left corner and select Mark as VDI.
- Enter the Traps uninstall password and click Mark as VDI.
- Ensure the ESM Server can access WildFire. From the ESM Server, open a browser to https://wildfire.paloaltonetworks.com; if the page loads, the server can reach WildFire over HTTPS.
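The review step (locating the PE files behind the hashes in the Malware text file) and the cache-replacement step above, as an added PowerShell example. This script is not part of the Traps documentation or the Traps VDI tool. It assumes, hypothetically, that the Malware text file lists one SHA-256 per line, that the file and folder paths given as defaults are where you saved the tool's output, and that the PE files on the image carry the extensions listed; adjust all of these to your environment. Traps keys its verdict cache on SHA-256, so that is the algorithm used to match files.

```powershell
# Added example, not part of the Traps documentation or the Traps VDI tool.
# Assumptions (all hypothetical, adjust to your environment):
#   $MalwareList    - the Malware text file the VDI tool wrote, one SHA-256 per line
#   $ImageRoots     - folders on the master image to scan for PE files
#   $NewCache       - the WildFireCache.xml the VDI tool wrote (Output file path)
#   $InstalledCache - the agent's copy under %ProgramData%\Cyvera\LocalSystem
param(
    [string]   $MalwareList    = 'C:\Tools\TrapsVDI\Malware.txt',
    [string[]] $ImageRoots     = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot"),
    [string]   $NewCache       = 'C:\Tools\TrapsVDI\WildFireCache.xml',
    [string]   $InstalledCache = (Join-Path $env:ProgramData 'Cyvera\LocalSystem\WildFireCache.xml')
)

# 1. Load the malicious hashes. Traps keys its verdicts on SHA-256, so keep only
#    well-formed 64-hex-character lines and compare case-insensitively.
$malicious = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-Content -Path $MalwareList | ForEach-Object {
    $line = $_.Trim()
    if ($line -match '^[0-9A-Fa-f]{64}$') { [void]$malicious.Add($line) }
}
Write-Host "Loaded $($malicious.Count) malicious hash(es) from $MalwareList"

# 2. Hash every PE-like file under the image roots and report the ones WildFire flagged.
#    The extension list is an assumption; extend it if your PE inventory included more types.
$peExtensions = @('.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl', '.drv')
$found = @{}   # hash -> list of paths (PowerShell hashtables compare keys case-insensitively)
foreach ($root in $ImageRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $peExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $malicious.Contains($h)) {
                if (-not $found.ContainsKey($h)) { $found[$h] = @() }
                $found[$h] += $_.FullName
            }
        }
}
foreach ($h in $found.Keys) {
    foreach ($p in $found[$h]) { Write-Warning "MALICIOUS $h  $p" }
}
# Hashes from the list with no file on disk: either already removed, or outside $ImageRoots.
$missing = $malicious | Where-Object { -not $found.ContainsKey($_) }
foreach ($h in $missing) { Write-Host "not found on image: $h" }

# 3. After you copy the generated cache into place (agent stopped), confirm the
#    agent's copy is byte-identical to what the VDI tool produced.
if ((Test-Path -LiteralPath $NewCache) -and (Test-Path -LiteralPath $InstalledCache)) {
    $src = (Get-FileHash -LiteralPath $NewCache -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $InstalledCache -Algorithm SHA256).Hash
    if ($src -eq $dst) {
        Write-Host "Installed WildFireCache.xml matches the VDI tool output ($src)"
    } else {
        Write-Warning "Installed WildFireCache.xml differs from $NewCache; re-copy it with the agent stopped"
    }
}
```

Run it from an elevated PowerShell session on the master image after the second VDI tool pass; every path it warns about as MALICIOUS is a file to remove (or to justify and override on the Hash Control page) before you copy the cache into place, and a hash it reports as "not found on image" should be accounted for before you proceed rather than assumed gone.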
Related topics:
- Traps VDI Tool CLI
- Configure the Master Policy
- Prerequisites for Configuring the Master Policy
- Features Introduced in Traps 3.4
- Verdict Caches
- WildFire Integration
- Phase 1: Evaluation of Hash Verdicts
- Local Analysis of Unknown Executable Files
- Manage Hashes for Executable Files