When a security event occurs on an endpoint, Traps freezes
the contents of memory and stores them in a data file known as
a memory dump. From the ESM Console you can fine-tune memory dump
settings that specify the size of the memory dump—either small,
medium, or full (the largest and most complete set of information)—and
whether Traps should automatically upload the memory dump to the
forensic folder. For more information, see Define Memory Dump Preferences.
After creating the memory dump, Traps deciphers the file and
extracts information to identify the underlying cause and to verify
the validity of the prevention. Use the results of the analysis
to diagnose and understand the event.
Depending on the type of event, Traps may also use automated
detection tools to scan for malicious behavior as described in Phase 3: Automated Detection.
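The analysis Traps performs on a memory dump is internal to the product and is not shown on this page. As an added illustration of the kind of first-pass triage a responder can run on any dump file, the following Python example (written for this page, not Traps code) records a SHA-256 hash of the dump for evidentiary integrity, extracts printable strings, and flags a few categories of indicator. The dump bytes, the indicator patterns, and the six-character minimum string length are all constructed assumptions for the example.

```python
import hashlib
import re

# Constructed sample "memory dump" (not a real Traps dump): binary filler
# with a few embedded printable strings of the sort a triage pass looks for.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00" + b"\xff" * 16
    + b"C:\\Users\\victim\\AppData\\Local\\Temp\\payload.exe\x00"
    + b"\x00" * 8
    + b"http://198.51.100.23/update.bin\x00"   # documentation-range IP
    + b"kernel32.dll\x00VirtualAlloc\x00"
    + b"\x7f\x45\x4c\x46" + b"\x00" * 4
)

MIN_STRING_LEN = 6  # assumed threshold; shorter runs are mostly noise

# Assumed indicator categories; a real deployment would use its own list.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "temp_executable": re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE),
    "memory_api": re.compile(r"^(VirtualAlloc|WriteProcessMemory)$"),
}


def dump_sha256(data):
    """Hash the dump before analysis so later handling can be verified."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data, min_len=MIN_STRING_LEN):
    """Return runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def flag_indicators(strings):
    """Pair each string with the indicator category it matches, if any."""
    hits = []
    for s in strings:
        for label, rx in INDICATOR_PATTERNS.items():
            if rx.search(s):
                hits.append((label, s))
    return hits


def triage_dump(data):
    """Summarise a dump: integrity hash, size, strings and flagged indicators."""
    strings = extract_strings(data)
    return {
        "sha256": dump_sha256(data),
        "size_bytes": len(data),
        "strings": strings,
        "indicators": flag_indicators(strings),
    }


if __name__ == "__main__":
    report = triage_dump(SAMPLE_DUMP)
    print("sha256:", report["sha256"])
    print("size:", report["size_bytes"], "bytes")
    for label, value in report["indicators"]:
        print(f"[{label}] {value}")
```

Hashing the file before any analysis touches it, as triage_dump does, is what lets a responder show that the dump uploaded to the forensic folder is the same file that was later examined.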