Verdict Caches
Table of Contents
4.2 (EoS)
Expand all | Collapse all
-
- Set Up the Endpoint Infrastructure
- Activate Traps Licenses
-
- Endpoint Infrastructure Installation Considerations
- TLS/SSL Encryption for Traps Components
- Configure the MS-SQL Server Database
- Install the Endpoint Security Manager Server Software
- Install the Endpoint Security Manager Console Software
- Manage Proxy Communication with the Endpoint Security Manager
- Load Balance Traffic to ESM Servers
-
- Malware Protection Policy Best Practices
- Malware Protection Flow
- Manage Trusted Signers
-
- Remove an Endpoint from the Health Page
- Install an End-of-Life Traps Agent Version
-
-
- Traps Troubleshooting Resources
- Traps and Endpoint Security Manager Processes
- ESM Tech Support File
-
- Access Cytool
- View the Status of the Agent Using Cytool
- View Processes Currently Protected by Traps Using Cytool
- Manage Logging of Traps Components Using Cytool
- Restore a Quarantined File Using Cytool
- View Statistics for a Protected Process Using Cytool
- View Details About the Traps Local Analysis Module Using Cy...
- View Hash Details About a File Using Cytool
Verdict Caches
Traps stores hashes and the corresponding Verdicts for
all executable files that open on the endpoint in its local
cache. The local cache is stored in the C:\ProgramData\Cyvera\LocalSystem folder
on the endpoint and scales in size to accommodate the number of
unique executable files opened on the endpoint. When service protection
is enabled (see Manage
Service Protection), the local cache is accessible only by
the Traps agent and cannot be changed.
Each time an executable file attempts to run, the Traps agent
performs a lookup in its local cache to determine if a verdict already
exists. If known, the verdict is either the official WildFire verdict
or manually set as an administrative hash control policy. Verdicts
with an administrative hash control policy take precedence over
any additional verdict analysis.
If the executable file is unknown in the local cache, the Traps
agent then queries the ESM Server for the verdict. The Endpoint
Security Manager stores verdicts for all executable files that have
been opened on the endpoints across your organization in its server
cache which is stored in the ESM database. When the ESM Server
receives a verdict request it performs a lookup in its server cache
to determine the verdict. The ESM Server responds with the verdict
at the next heartbeat communication with the Traps agent that requested
the verdict.
If the executable file is unknown in the server cache, the ESM
Server then queries WildFire and optionally submits the file for
analysis.