View Processes Currently Protected by Traps Using Cytool

To view processes that Traps is currently injected into, run the
enum
command using Cytool or view the Protection tab on the Traps Console (see View Processes Currently Protected by Traps). On Windows endpoints, the Traps Console and Cytool display only the processes run by the current user. To view processes run by all users and processes initiated by the operating system, specify the
/a
option. This option is not required on Mac endpoints.
Viewing protected processes run by all users requires you to enter the supervisor (uninstall) password.
  1. Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
  2. View processes initiated by the current user by entering the
    cytool enum
    command. To view processes for all users including those initiated by the operating system, specify the
    /a
    option, and enter the supervisor password when prompted.
    Windows:
    c:\Program Files\Palo Alto Networks\Traps>
    cytool /a enum
    Enter supervisor password: Process ID Agent Version 1000 3.1.1546 1468 3.1.1546 452 3.1.1546 [...]
    Mac:
    You must enable remote process calls (RPCs) before you can run this command. See Enable or Disable RPC Services.
    PANM2637HQ:bin jdoe$
    sudo ./cytool enum
    List of protected processes: Process name Process ID User Google Chrome Helper 5469 jdoe Google Chrome Helper 5473 jdoe Google Chrome Helper 5491 jdoe Photos 5599 jdoe com.apple.SafariServices 5763 jdoe com.apple.WebKit.WebContent 5783 jdoe

Related Documentation