Known Issues

The following table describes known issues with Traps 3.4.
Issue ID
After Traps quarantines malware, the operating system displays an error indicating that the quarantined file cannot be found. This issue occurs only when the current user does not have administrative rights on the endpoint.
When a malicious executable file runs from an ISO file (such as from a CD, DVD, or BD), Traps incorrectly displays a message that indicates the file is in use instead of displaying a message that indicates the ISO file is read-only and cannot be quarantined.
This issue is now resolved. See CYV-10084 in Traps 3.4.1 Addressed Issues.
If the Event Viewer service crashes on the endpoint, the Traps reporting of process crash events and subsequent malware protection is disrupted. This is due to a dependency of CyveraService on the Event Viewer service.
Workaround: Restart the CyveraService on the endpoint to resume process crash reporting and malware protection functionality.
This issue is now resolved. See CYV-10084 in Traps 3.4.1 Addressed Issues.
After you enter an invalid proxy IP address and then correct the address, the ESM Console requires you to click Save twice before the new settings take effect. If you click Save only once and later return to the page, the ESM Console reverts to the previous saved setting.
Workaround: Click Save twice after saving the valid proxy configuration.
This issue is now resolved. See CYV-10076 in Traps 3.4.1 Addressed Issues.
On endpoints whose hostnames contain Turkish characters, the Traps agent fails to upload files and logs using BITS.
The DB Configuration Tool allows you to save a user who is not a local administrator on the ESM Console server because it does not validate administrative users.
Workaround: Validate that users are administrators on the ESM Console server before adding them as administrative accounts using the DB Configuration Tool.
The ESM Console truncates usernames that contain more than 20 characters.
Workaround: Users with usernames that contain more than 20 characters must log in to the ESM Console using only the first 20 characters.
When Service Protection is enabled and an administrator uninstalls Traps on the endpoint, some files remain in the ProgramData\cyvera folder. In some environments, these files are owned by SYSTEM and cannot be removed by the administrative user.
Workaround: Log off and log back in before attempting to delete these files.
To create a rule for network folder restriction, the ESM Console requires you to define a network folder whitelist before it permits you to save the rule.
In an environment where a secondary ESM Console is installed on an ESM Server, the ESM Server inherits the proxy settings from the secondary console.
On Windows XP endpoints, when you click Send Support File from the Traps console, the agent fails to collect logs from the event viewer and instead sends only a partial collection of logs.
When you configure rules to use target objects that use the Windows User logon name in UPN format (, the ESM Console omits these objects and displays only sAMAccount names.
Workaround: To apply a rule to a target object with a UPN account name, specify the full Active Directory distinguished name.
The BitsUpload manager fails to upload malware with a filename that contains the right-to-left override (RLO) character.
When you install Traps on a terminal server that is accessed by multiple users, user-specific rules do not work as expected. For example, in some cases, Traps fails to apply user-specific rules to the affected user. In other cases, Traps applies user-specific rules to all users on the terminal server.
Attempting to restore a file before Traps finishes retrieving relevant memory dumps causes delays in restoring the file to the original location.
When you attempt to generate an ESM tech support file in an environment with two ESM Consoles, the ESM Console fails to retrieve the logs from the secondary console and does not display an error indicating the reason for the failure.
When you use Cytool to stop all runtime services, Cytool stops all runtime services except for the Traps Dump Analyzer Service.
Workaround: Use alternate methods, such as the Windows Services Console, to stop the Traps Dump Analyzer Service.
Traps fails to enforce local folder restrictions on endpoints that use the Japanese language version.
In an ESM deployment with multiple ESM Servers, after removing a server from the domain, the ESM Console does not update the Internal Address and continues to show the in-domain address.
Workaround: From the ESM Console (Settings > ESM > Multi ESM), manually update the internal address of the ESM Server.
Because older versions of Traps did not support a grayware verdict, executable files received a benign verdict and were permitted to run. After upgrading to Traps 3.4, the local cache retains the benign verdict for any grayware that previously ran on the endpoint. As a result, subsequent attempts to run grayware that ran previously are permitted.
On some endpoints, the CPU spikes when the Traps console is open.
The first time a user opens an executable file that is larger than 50MB (such as an installer), the launch time increases due to the evaluation of trusted signers.
When an exploit event occurs, some EPMs configured in Notification mode can cause Traps to display multiple notification messages about the event.
After successfully installing the ESM Server or ESM Console software, the installer inconsistently logs the completion status of the installation.
When a UASLR prevention event occurs for a process in a hidden system folder, Traps neglects to provide any notification, collect forensic data, or log the event. When a UASLR prevention event occurs on a process that is not in a protected system folder, notifications, logging, and data collection all work as expected.
This issue is now resolved. See CYV-9015 in Traps 3.4.1 Addressed Issues.
In an environment with multiple ESM Servers, changing settings in Active Directory can cause inconsistencies in policies between ESM Servers.
When you generate an ESM Tech Support file and the ESM Console and the ESM Server are installed on the same device while service protection is enabled, some data cannot be retrieved. This is because service protection blocks access to specific folders.
When you change the state of a machine from workstation to virtual desktop infrastructure (VDI), Traps continues to use a license from the workstation license pool instead of obtaining a floating VDI license.
If you configure an exploit protection rule that uses the DLL Security EPM, the Flash player crashes on 64-bit Firefox.
When you upgrade .NET Framework in preparation for upgrading Traps and then remove the older .NET Framework version, the Traps upgrade fails.
: To avoid uninstall and upgrade issues, do not remove the older version of .NET Framework before upgrading to this version of Traps.
When you apply an action rule to an organizational unit and specify a group of machines as belonging to the organizational unit, endpoints in that group do not receive the agent rule.
When adding a large number of processes as provisional processes, the policy file size increases and causes issues in transferring the policy XML files to the agents. As a result, the security policy can become out-of-date and the ESM Console can display the status of the agent running on the endpoint as disconnected.
When the Thread Injection malware protection module is enabled, installing Microsoft .NET Framework 4.5.2 raises a thread injection prevention event.
: To permit the user to install Microsoft .NET Framework 4.5.2, create a Thread Injection rule that whitelists setup.exe injection to svchost.exe. To narrow the scope of the rule, enforce conditions that target only the affected endpoints.

Related Documentation