Features Introduced in Traps Endpoint Security Manager

The following topics describe the new features introduced in Traps Endpoint Security Manager (ESM) 4.1. For additional information on how to use the new features in this release, refer to the Traps Endpoint Security Manager Administrator’s Guide.

Features Introduced in Traps 4.1.5-h1

The following table describes the new features introduced in Traps Endpoint Security Manager (ESM) and Traps 4.1.5-h1.
macOS 10.14 Support
You can now install Traps on macOS 10.14. This operating system requires ESM 4.1.5 with content update 54 or a later version.
To use Traps on macOS 10.14, you must install the required ESM and Traps versions in the following order before upgrading the operating system:
  1. Upgrade the ESM to 4.1.5 and install content update 54. For additional information, see Upgrade to Traps 4.1.
  2. Upgrade the Traps agent to 4.1.5-h1 using one-time action rules or the deployment method of your choice.
  3. Upgrade the Mac endpoint to macOS 10.14.
If you upgraded the operating system or Traps agent in a different order, you must uninstall and reinstall the Traps agent on the endpoint either using a third-party deployment tool such as JAMF or manually.
For complete compatibility information, see Palo Alto Networks Compatibility Matrix.

Features Introduced in Traps 4.1.5

There are no new features introduced in Traps 4.1.5.

Features Introduced in Traps 4.1.4

There are no new features introduced in Traps 4.1.4.

Features Introduced in Traps 4.1.3

Exploit Protection Rule Configuration Enhancement
When you configure a new exploit protection rule, you can now choose whether to merge or override (the default) advanced settings, such as whitelists, blacklists, and other text fields, with the settings defined in the default policy. Previously, new exploit protection rules would always overwrite the settings. The new List Action setting is configurable in Ninja mode.

Features Introduced in Traps 4.1.2

Enhanced Trusted Signer Evaluation
Trusted signer evaluation is now enhanced to allow Traps to take advantage of changes in trusted signer status more quickly. To do this, Traps now distinguishes highly trusted signers (currently just Microsoft) from other known signers and applies the following evaluation criteria based on the new classification: Files signed by highly trusted signers are permitted to run regardless of the WildFire® verdict. Files signed by known (but not highly trusted) signers now require WildFire evaluation of the file before Traps permits the file to run. This prevents Traps from allowing a file to run when its signature is revoked and the WildFire verdict is malware.

Windows 10 Fall Creators Support
You can now install Traps 4.1.2 on Windows 10 Fall Creators Update 1709.

AppVolumes 2.12 Support
You can now install Traps 4.1.2 on AppVolumes 2.12.
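The evaluation criteria above can be read as a small decision table: signer class on one axis, WildFire verdict on the other. The following Python model, added here as an illustration and not code from Traps or Palo Alto Networks, contrasts the previous behaviour (any known signer runs without waiting for a verdict) with the 4.1.2 behaviour (only highly trusted signers bypass the verdict). The signer names and the handling of files with no trusted signer are assumptions made for the example; the release note names Microsoft as the only highly trusted signer and says nothing about unsigned files.

```python
from enum import Enum
from typing import Optional

# Constructed signer lists for the illustration. Microsoft is the only highly
# trusted signer named in the release note; "Example Software Ltd" is a
# made-up stand-in for any other signer the agent already knows.
HIGHLY_TRUSTED_SIGNERS = {"Microsoft Corporation"}
KNOWN_SIGNERS = {"Example Software Ltd"}


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    WAIT_FOR_VERDICT = "wait_for_verdict"


def classify_signer(signer: Optional[str]) -> str:
    """Return 'highly_trusted', 'known' or 'untrusted' for a file's signer."""
    if signer in HIGHLY_TRUSTED_SIGNERS:
        return "highly_trusted"
    if signer in KNOWN_SIGNERS:
        return "known"
    return "untrusted"  # unsigned, or signed by a signer the agent does not know


def _verdict_decision(wildfire_verdict: Optional[str]) -> Decision:
    """Assumption for this model: files that are not trusted by signature are
    decided purely by the WildFire verdict, and wait while none is available."""
    if wildfire_verdict is None:
        return Decision.WAIT_FOR_VERDICT
    if wildfire_verdict == "malware":
        return Decision.BLOCK
    return Decision.ALLOW


def evaluate_previous(signer: Optional[str], wildfire_verdict: Optional[str]) -> Decision:
    """Behaviour the note describes as previous: every known signer is allowed
    to run without waiting for a WildFire verdict. A revoked signer whose
    status has not yet reached the agent still slips through here."""
    if classify_signer(signer) in ("highly_trusted", "known"):
        return Decision.ALLOW
    return _verdict_decision(wildfire_verdict)


def evaluate_412(signer: Optional[str], wildfire_verdict: Optional[str]) -> Decision:
    """4.1.2 behaviour: only highly trusted signers bypass the verdict; known
    signers must wait for, and obey, the WildFire verdict."""
    if classify_signer(signer) == "highly_trusted":
        return Decision.ALLOW
    return _verdict_decision(wildfire_verdict)


if __name__ == "__main__":
    # Side-by-side view of the change for a few constructed cases.
    cases = [
        ("Microsoft Corporation", "malware"),
        ("Example Software Ltd", "malware"),
        ("Example Software Ltd", None),
        ("Example Software Ltd", "benign"),
        (None, None),
    ]
    for signer, verdict in cases:
        print(f"{signer!s:24} verdict={verdict!s:8} "
              f"previous={evaluate_previous(signer, verdict).value:17} "
              f"4.1.2={evaluate_412(signer, verdict).value}")
```

The row worth noticing is a known signer with a malware verdict: the previous logic allows it, the 4.1.2 logic blocks it, which is the revoked-signature case the note calls out. The verdict acts as a backstop for the interval between a certificate being revoked and the agent's signer status catching up.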

Features Introduced in Traps 4.1.1

macOS 10.13 Support
You can now install Traps 4.1.1 and later releases on Mac endpoints running macOS 10.13.

DLL File Protection Enhancement
(Windows only) For ease of configuration, the DLL Files module now supports two different rule types: one for general rule settings, and another for process-specific settings. The new rule types enable you to configure global settings which apply to all DLL files and protected DLL-loading processes separately from settings which apply only to specific processes.

Features Introduced in Traps 4.1.0

Anti-Ransomware Protection
(Windows only) In addition to analyzing ransomware behavior before execution, Traps can now prevent encryption-based ransomware attacks on your endpoints by analyzing ransomware's run-time encryption activity. With a ransomware attack, the attacker typically encrypts important data and holds it hostage until the user pays a ransom to unlock the data. The new Anti-Ransomware malware protection module (MPM) is designed to detect the initial encryption activity and prevent the ransomware from encrypting any additional files. To allow legitimate processes, such as disk encryption products, to encrypt files, you can disable the module on a per-process basis.

DLL File Protection
(Windows only) Traps now extends its malware protection capabilities to prevent DLL-loading processes from loading malicious DLL files on your endpoints. Like the existing WildFire modules which protect the endpoint from running malicious executable files and macros, the new DLL files examination module enables Traps to leverage both local analysis and WildFire threat intelligence to analyze and identify the nature of a DLL. When a DLL is unknown to WildFire, the Endpoint Security Manager can also submit the file to WildFire for in-depth inspection and analysis.

Local Analysis Support on Mac Endpoints
Traps now extends the local analysis capability to Mac endpoints. Local analysis enables Traps to compare unknown files against known malware and classify files which share characteristics with malware on the endpoint. With this feature, Traps quickly analyzes unknown files on Mac endpoints and assigns a local verdict (malicious or benign) when the endpoint is offline or waiting for an official verdict from WildFire. Traps continues to use the local verdict until the agent receives an updated verdict from the ESM Server.

Child Process Protection Enhancement
(Windows only) Traps can now evaluate the command line of a process as criteria for blocking or allowing the process to run from a protected parent process. This enables Palo Alto Networks to fine-tune the child process protection module settings and sharpen the accuracy when preventing malicious child processes from running on your endpoints. For example, instead of configuring a default rule to always block PowerShell when launched by Microsoft Word, Palo Alto Networks can now include match criteria in the default rule settings to block PowerShell only when the process attempts to run a script from a specific path.

Kernel APC Protection
(Windows only) The new Kernel APC Protection module prevents attacks which leverage the kernel to load and run malicious shellcode. With this technique, the attacker changes the execution order of a legitimate procedure by redirecting an asynchronous procedure call (APC) to execute shellcode the attacker loaded in memory. When a procedure attempts to access shellcode in an unmapped memory location, Traps blocks access to the shellcode without harming or blocking the legitimate process. By default, the Kernel APC Protection module protects the Local Security Authority Subsystem Service (lsass.exe).

Automated Content Updates
The Endpoint Security Manager (ESM) can now automatically obtain and distribute the latest content updates to your Traps agents. This reduces the manual effort required to identify when new content updates are available and ensures your Traps infrastructure stays up to date with the latest default security policy published by Palo Alto Networks. For increased flexibility, you can choose to allow the ESM to check for content updates daily and display when a new one is available, or you can allow the ESM to install the content update automatically.
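The child process example above (block PowerShell under Word only when it runs a script from a specific path) is a rule with three match fields: parent image, child image and a command-line pattern. The following Python rule matcher, added here as an illustration and not Traps code, runs a coarse rule and a refined rule over a few constructed process-creation events to show how the command-line criterion narrows the match. The rule structure, the `ProcessEvent` fields, the directory used as the "specific path" and the sample command lines are all assumptions made for the example; the page does not say how Traps represents its rules or which path its default rule uses.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation event as an endpoint agent would see it (constructed fields)."""
    parent_image: str
    child_image: str
    command_line: str


@dataclass(frozen=True)
class ChildProcessRule:
    parent: str                                  # image file name of the protected parent
    child: str                                   # image file name of the child
    command_line_pattern: Optional[str] = None   # regex on the child's command line; None matches any
    action: str = "block"


def _same_image(path: str, image: str) -> bool:
    # Compare by file name only, case-insensitively, so ...\WINWORD.EXE matches winword.exe.
    # ntpath.basename splits on backslashes even when this runs on a non-Windows host.
    return ntpath.basename(path).lower() == image.lower()


def rule_matches(rule: ChildProcessRule, event: ProcessEvent) -> bool:
    """All configured criteria must hold: parent, child, and (if set) command line."""
    if not _same_image(event.parent_image, rule.parent):
        return False
    if not _same_image(event.child_image, rule.child):
        return False
    if rule.command_line_pattern is None:
        return True
    return re.search(rule.command_line_pattern, event.command_line, re.IGNORECASE) is not None


def evaluate(rules: Sequence[ChildProcessRule], event: ProcessEvent) -> str:
    """First matching rule decides; with no match the child process is allowed."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule.action
    return "allow"


# Coarse rule: block PowerShell whenever Word launches it, whatever the command line.
COARSE_RULES = [ChildProcessRule("winword.exe", "powershell.exe")]

# Refined rule: block only when PowerShell is told (-File) to run a .ps1 script from a
# user's local Temp directory. The directory is a placeholder chosen for this example.
SCRIPT_IN_USER_TEMP = r'-File\s+"?C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^"\s]+\.ps1'
REFINED_RULES = [
    ChildProcessRule("winword.exe", "powershell.exe", command_line_pattern=SCRIPT_IN_USER_TEMP)
]

_WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
_POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events.
EVENTS = {
    # Word launching PowerShell on a script dropped in the user's Temp directory.
    "word_temp_script": ProcessEvent(
        _WORD, _POWERSHELL,
        r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\alice\AppData\Local\Temp\update.ps1"'),
    # Word launching PowerShell on an administrator-maintained script elsewhere on disk.
    "word_admin_script": ProcessEvent(
        _WORD, _POWERSHELL, r'powershell.exe -File "C:\Scripts\collect-inventory.ps1"'),
    # PowerShell started from the shell, not from a protected parent.
    "explorer_launch": ProcessEvent(r"C:\Windows\explorer.exe", _POWERSHELL, "powershell.exe"),
}


if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:18} coarse={evaluate(COARSE_RULES, event):5} "
              f"refined={evaluate(REFINED_RULES, event)}")
```

The coarse rule blocks both Word-launched events, including the administrator's script; the refined rule blocks only the Temp-directory case and lets the other run, which is the accuracy gain the note describes. Matching by image file name rather than full path keeps a rule valid across Office install locations, at the cost of also matching a renamed binary elsewhere, so a production rule set would pair this with the signer and verdict checks described for the other modules.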
