When a protected process crashes or terminates
abnormally, Traps records information about the event including
the contents of memory locations and other data about the event
in what is known as a memory dump.
Create a forensics rule
to determine how Traps manages process-related memory dumps including
whether to send memory dumps automatically to the forensic folder
or change the size of the memory dump, either small, medium, or
full (the largest and most complete set of information).
Configure a new forensics rule.
and then click
Define memory dump preferences when a prevention event
occurs on the endpoint.
then select either of the following preferences:
Automatically send the memory dumps to the server
Send the memory dumps automatically
Specify the size of the memory dump file by selecting the
option and then selecting
from the drop-down.
Select the source processes from with Traps will collect
memory dumps, either one or more
Add Conditions to
the rule. By default, a new rule does not contain any conditions.
To specify a condition, select the
select the condition in the Conditions list, and then
to the Selected Conditions list. Repeat this step to add more conditions,
as needed. You can also define new Conditions.
To define a smaller subset of target objects, select the
and then enter one or more
in the Include or Exclude areas.
The Endpoint Security Manager queries Active Directory to verify
the users, computers, groups, or organizational units. The ESM Console
also offers autocompletion as you type for existing endpoints and
existing virtual groups.
Review the rule name and description. The ESM Console automatically
generates the rule name and description based on the rule details
but permits you to change these fields, if needed.
To override the autogenerated name, select the
Activate automatic description
and then enter a rule name and description of your choice.
Save the forensics rule.
Do either of the following:
rule without activating it. This option is only available for inactive,
cloned, or new rules. When you are ready to activate the rule, select
the rule from the
and then click
the rule to activate it immediately.
saving or applying a rule, you can return to the