Verdict Caches

Traps stores hashes and the corresponding verdicts for all executable files that open on the endpoint in its local cache. The local cache is stored in the folder on the endpoint and scales in size to accommodate the number of unique executable files opened on the endpoint. When service protection is enabled (see Manage Service Protection), the local cache is accessible only by the Traps agent and cannot be changed.
Each time an executable file attempts to run, the Traps agent performs a lookup in its local cache to determine if a verdict already exists. If known, the verdict is either the official WildFire verdict or manually set as an administrative hash control policy. Verdicts with an administrative hash control policy take precedence over any additional verdict analysis.
If the executable file is unknown in the local cache, the Traps agent then queries the ESM Server for the verdict. The Endpoint Security Manager stores verdicts for all executable files that have been opened on the endpoints across your organization in its server cache, which is stored in the ESM database. When the ESM Server receives a verdict request, it performs a lookup in its server cache to determine the verdict. The ESM Server responds with the verdict at the next heartbeat communication with the Traps agent that requested the verdict.
If the executable file is unknown in the server cache, the ESM Server then queries WildFire and optionally submits the file for analysis.
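The lookup order described above, modeled as an added example; this is not Traps or ESM code. The class names, verdict labels, and the choice to return `None` while a verdict is pending are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Verdict:
    value: str    # constructed labels: "benign", "malware", "unknown"
    source: str   # "wildfire" or "admin" (administrative hash control)

class EsmServer:
    """Hypothetical stand-in for the ESM Server and its server cache."""
    def __init__(self, wildfire):
        self.cache, self.wildfire, self.pending = {}, wildfire, {}

    def request(self, agent_id, sha256):
        verdict = self.cache.get(sha256)
        if verdict is None:  # server-cache miss: query WildFire
            # Caching an "unknown" result is a simplification of this model.
            verdict = Verdict(self.wildfire.get(sha256, "unknown"), "wildfire")
            self.cache[sha256] = verdict
        self.pending.setdefault(agent_id, {})[sha256] = verdict

    def heartbeat(self, agent_id):
        # Verdicts reach the requesting agent only at its next heartbeat.
        return self.pending.pop(agent_id, {})

class Agent:
    """Hypothetical stand-in for the agent and its local cache."""
    def __init__(self, agent_id, server):
        self.agent_id, self.server, self.local = agent_id, server, {}

    def set_admin_verdict(self, sha256, value):
        self.local[sha256] = Verdict(value, "admin")

    def on_execute(self, sha256):
        verdict = self.local.get(sha256)
        if verdict is None:  # local-cache miss: ask the server
            self.server.request(self.agent_id, sha256)
        return verdict       # None means the verdict is still pending (assumption)

    def on_heartbeat(self):
        for sha256, verdict in self.server.heartbeat(self.agent_id).items():
            current = self.local.get(sha256)
            if current is None or current.source != "admin":
                self.local[sha256] = verdict  # admin verdicts are never overwritten

def demo():
    sample = "aa" * 32                         # constructed sample hash
    server = EsmServer({sample: "malware"})    # constructed WildFire data
    agent = Agent("ep-1", server)
    first = agent.on_execute(sample)           # miss: request queued on server
    agent.set_admin_verdict(sample, "benign")  # admin override arrives meanwhile
    agent.on_heartbeat()                       # WildFire verdict must not replace it
    return first, agent.on_execute(sample)
```

`demo()` shows the precedence rule: the WildFire verdict delivered at the heartbeat does not replace the administrative hash control entry already in the local cache.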
