Issues Addressed in Traps Endpoint Security Manager 4.2
List of addressed issues in the Traps Endpoint Security Manager 4.2.
Issues Addressed in Traps Endpoint Security Manager 4.2.4
The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.4 release.
|CYV-14794||Fixed an issue on Windows endpoints where the Tlaservice failed to initialize when the system variable for %TMP% was not reachable or held an invalid path.|
|CYV-14782||Fixed an issue on Windows 10 endpoints where the Anti-Ransomware module caused slowness when end users opened Microsoft Office files.|
|CYV-14772||Fixed an issue with Hash Control queries where searching for a hash across a large database of hashes using the contains operator triggered an error on the ESM Console.|
|CYV-14685||Fixed an issue where Traps continued to send process statistics to the Endpoint Security Manager after you disabled the option to Collect new processes.|
|CYV-14764||Fixed an issue with the DLL Security exploit protection module where a blacklisted DLL was allowed to execute if also specified on the Stacklist Whitelist. Now, the blacklist takes precedence so that the DLL is prevented from running.|
|CYV-14759||Fixed an issue where the ESM Console generated a comma-separated values (CSV) file containing no content, when you tried to export a filtered list of security events from the ESM Console.|
|CYV-14757||Fixed an issue on Windows 10 TH1 endpoints where the Traps agent did not register with the Microsoft Security Center which resulted in an inaccurate protection status.|
|CYV-14749||Fixed an issue on Linux endpoints where running commands as sudo caused Traps to report a Kernel Privilege Escalation event.|
|CYV-14748||Fixed an issue on Mac endpoints where the Traps agent protection status was enabled despite the agent identifying the environment as incompatible.|
|CYV-14740||Fixed an issue on Linux endpoints where installation of Traps failed due to a mismatch between the machine name and the name read by the installer.|
|CYV-14723||Fixed an issue where the Endpoint Security Manager (ESM) could not forward logs to an email when you used Opportunistic TLS (STARTTLS) protocol for secure communication.|
|CYV-14719||Fixed an issue with the JIT Mitigation module on Windows endpoints where Traps reported a security event for trusted executable PE files.|
|CYV-14718||Fixed an issue with the Shellcode Preallocation module where the Traps agent did not verify that the return address identified by the module was executable before raising a security event.|
|CYV-14690||Fixed an issue where Traps did not apply tampering protection to the parent directory of the Traps installation.|
|CYV-14687||Fixed an issue on Linux endpoints where Traps prevented a cron job from running a shell script due to a compatibility issue with glibc version 2.22.|
|CYV-14672||Fixed an issue on Windows Server 2012 R2 or Windows Server 2016 where Traps reported the OS version of the endpoint incorrectly when a security event occurred.|
|CYV-14669||Fixed an issue with role-based access control, where if you added a new user for an organizational unit but later changed the user, the ESM Console cleared the Directory Path on the Users page.|
|CYV-14668||Fixed an issue where the ESM could not retrieve Active Directory objects when the Domain Controller was configured with LDAP server signing requirements.|
|CYV-14656||Fixed an issue on Linux endpoints which allowed you to install, upgrade, and uninstall Traps in the /tmp directory. Now, during installation Traps creates a dedicated folder to contain supporting files that is removed after the installation completes.|
|CYV-14633||Fixed an issue where the Post Detection Processing script caused the database to fill up with old records which caused delays uploading hashes and files to WildFire.|
|CYV-14629||Fixed an issue where a failed content update did not revert to the original state and, as a result, caused Traps to operate in an unprotected state without a policy.|
|CYV-14619||Fixed an issue where the ESM raised post-detection events for endpoints with a historic (deleted) status.|
|CYV-14574||Fixed an issue that occurred during the upgrade of the Traps agent where if you the MSI, the installer permitted you to change the name of the ESM Server and subsequently caused the Cyvera service to crash.|
|CYV-14524||Fixed an issue where multiple attempts to load Traps DLLs caused failures in the process initialization flow resulting in a prevention or potentially a crash.|
|CYV-14304||Fixed an issue where Traps failed to collect and send information about new processes to the ESM Server when you disabled WildFire examination of unknown files but enabled Traps to Collect New Process Info.|
|CYV-13959||Fixed an issue with email reporting where the ESM reported the agent version as 1.0 when forwarding logs to an email.|
Issues Addressed in Traps Endpoint Security Manager 4.2.3
The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.3 release.
|CYV-14737||Fixed an issue where if you tried to delete large amounts of logs (200,000 or higher) from Data Retrieval, the ESM Console did not remove the logs and did not display a notification.|
|CYV-14713||Fixed an issue where if you had over five ESM Servers and tried to create an installation package, you could not select the option to choose all servers on the Generate Package dialog, and could not view the full server name or view the full list for all servers.|
|CYV-14707||Fixed an issue where the ESM Console exhibited slow response times when using Dynamic Virtual Groups.|
|CYV-14702||Fixed an issue where if you created a rule based on a security event for Linux endpoints where the module was Privilege escalation protection, the ESM Console displayed the rule configuration for the Windows Kernel Protection modules instead of for Linux.|
|CYV-14662||Fixed an issue where if the Traps agent requested verdicts for a large number of hashes (300,000 or more), the ESM database experienced high CPU usage.|
|CYV-14660||Fixed an issue on Windows endpoints where if you configured Restriction rules to block files in network folders, Traps allowed network files to run.|
|CYV-14649||Fixed an issue with 4.2.2 in deployments that use multiple ESM Servers where the ESM Console reported that all Traps agents were connected to one ESM Server instead of reporting the correct distribution across multiple ESM Servers.|
|CYV-14646||Fixed an issue where if log collection exceeded 10 seconds, Traps did not include some essential components in the Tech Support File.|
|CYV-14645||Fixed an issue that occurred during an upgrade where the ESM incorrectly migrated internal (primary) and external (secondary) ESM Server addresses in the database.|
|CYV-14644||Fixed an issue that occurred during an upgrade with multiple ESM Servers where the ESM correctly migrated the internal (primary) and external (secondary) addresses of the first ESM server that you upgraded but incorrectly migrated the addresses for subsequent ESM Servers.|
|CYV-14631||Fixed an issue on Windows 10 RS5 endpoints where if you tried to uninstall the Traps agent from either the control panel or Settings > Apps, the uninstall password was rejected and the software remained installed.|
|CYV-14627||Fixed an issue that occurred when using multiple ESM Servers where the Generate Package dialog that displays when you create a new installation package displayed older ESM Server addresses.|
|CYV-14625||Fixed an issue on Windows endpoints where if you tried to uninstall Traps, Windows did not prompt you to enter the UAC administrator password, which resulted in a failure to uninstall the Traps software.|
|CYV-14618||Fixed an issue which caused high CPU consumption on ESM 4.2.2 when no Traps agents were sending traffic to the ESM Server.|
|CYV-14616||Fixed an issue with log forwarding to email where the subject for an email notification of a security event included the ESM Server name instead of the endpoint host name.|
|CYV-14614||Fixed an issue on endpoints using AMD processors where the endpoint could halt suddenly if the processor did not support RDRAND instructions.|
|CYV-14605||Fixed an issue where sending the Tech Support File from the Traps console caused the CyveraService to halt suddenly.|
|CYV-14598||Fixed an issue where a user experienced delays when opening a file over the network due to Traps performing on-access scans for processes that had not changed.|
|CYV-14591||Fixed an issue where DBConfig halted suddenly when the tool could not connect to the database.|
|CYV-14590||Fixed an issue where if you rechecked a verdict from Hash Control, the verdict updated to Malware and was not updated until you rechecked the verdict a second time.|
|CYV-14586||Fixed an issue that occurred after an ESM upgrade where Traps agents running version 3.4.3 could not send heartbeat communication to the ESM Server and, as a result, did not obtain the latest security policy.|
|CYV-14575||Fixed an issue where Linux processes were not visible from Process Management in the ESM Console.|
|CYV-14573||Fixed an issue where Traps retained irrelevant (unmapped) records inside both DLL Security and UASLR modules, which caused Traps to incorrectly report security events.|
|CYV-14560||Fixed an issue where Content Updates on the ESM Console did not display any indication that the policy is up-to-date when you Check Now for the latest update.|
|CYV-14559||Fixed an issue where Content Updates on the ESM Console did not automatically refresh when you Check Now for updates and the ESM Console identified a new content update was available.|
|CYV-14558||Fixed an issue where the ESM Console did not display any explanation when a content update was unsuccessful.|
|CYV-14532||Fixed an issue with log forwarding to a syslog receiver where the Traps agent reported an incorrect IP address for the endpoint in heartbeat reports.|
|CYV-14525||Fixed an issue where if you created a virtual dynamic group based on a workgroup or domain, the ESM Console pulled in both active and historical data for endpoints that no longer had an active Traps agent.|
|CYV-14512||Fixed an issue where if you tried to download files—such as agent logs—before the ESM Console fully received them from the Traps agent, the ESM Console displayed an error page due to an uncaught exception.|
|CYV-14380||Fixed an issue where you could not uninstall Traps despite having administrative privileges through fully enabled User Account Control (UAC). Now, the uninstaller evaluates UAC access when it performs a self-security validation step to ensure the uninstall command was initiated by an administrator with the necessary permissions.|
Fixed an issue on endpoints running Windows 10 Insider Preview, where the Windows Defender Security Center displayed Virus & threat protection as Unknown and displayed Status unavailable for Traps even though Traps successfully registered with the Security Center and was available.
Issues Addressed in Traps Endpoint Security Manager 4.2.2
The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.2 release.
|CYV-14601||Fixed an issue in ESM 22.214.171.124637 where if you removed a hash override for an unknown file, the Traps agent did not revert to using the original local analysis verdict.|
|CYV-14569||Fixed an issue on endpoints where Traps was newly installed where the ESM Server failed to send changed verdicts to Traps agents on Mac endpoints.|
|CYV-14561||Fixed an issue where following an upgrade to ESM 4.2, the internal address for the ESM Server reverted to the default value.|
|CYV-14540||Fixed an issue where the local analysis module in Traps failed to analyze apps compiled with Xcode 10 on Mac endpoints which resulted in invalid security events.|
|CYV-14534||Fixed an issue on Linux endpoints where 32-bit binaries with Position Independent Executables (PIE) and stripped symbols crashed upon startup.|
|CYV-14533||Fixed an issue where the ESM Console displayed a timed out status for a Tech Support File that had partially completed. To ensure the ESM Console does not indicate a timed out status for the entire file when some actions successfully completed, the ESM Console now provides timeouts for each action and indicates these timeouts in the logs.|
|CYV-14518||Fixed an issue where Traps blocked a legitimate process when an unknown process ran before Traps had finished starting services.|
|CYV-14514||Fixed an issue where Traps ignored the whitelists defined in exploit protection rules that used Exploit Kit Fingerprinting Protection, JIT Mitigation, DEP, and ROP Mitigation EPMs.|
|CYV-14505||Fixed a performance issue caused by duplicate heartbeat messages between the Traps agent and the ESM Server during the Traps initialization.|
|CYV-14494||Fixed an issue on Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016 where Sysprep failed and the endpoint could not finish booting when you enabled registry values protection.|
|CYV-14480||Fixed an issue on Linux servers where Traps blocked legitimate root processes when Kernel Privilege Escalation Protection was enabled.|
|CYV-14462||Fixed an issue on Windows endpoints where opening network files took an excessive amount of time to open due to forensic collection of accessed files.|
|CYV-14445||Fixed an issue on Windows endpoints where Cytool did not always stop Traps drivers after you used the cytool runtime stop command.|
|CYV-14441||Fixed an issue on Windows endpoints where end users could experience delays opening Excel files that contain macros from network drives.|
|CYV-14419||Fixed an issue on Linux servers where Traps could not identify the OS version due to missing os-release file, and could not connect to the ESM Server.|
|CYV-14407||Fixed an issue on the Monitor > Agent > Logs page where if you filtered the logs for a specific Report Type, selected all results, and then attempted to Export Selected logs, the ESM Console did not export the selected items as expected.|
|CYV-14399||Fixed an issue where you could not uninstall Traps with local administrative privileges.|
|CYV-14338||Fixed an issue in deployments with multiple ESM Servers and multiple NICs per ESM Server where the Traps agent did not receive the full list of valid ESM Server addresses when the IP address for an ESM Server changed.|
|CYV-14159||Fixed an issue where the Traps EventReportsManager halted an action, such as sending reports, if it received a change to the reporting configuration before the action completed.|
Issues Addressed in Traps Endpoint Security Manager 4.2.1-h3
There are no issues addressed in the Traps Endpoint Security Manager 4.2.1-h3 release.
Issues Addressed in Traps Endpoint Security Manager 4.2.1-h2
The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.1-h2 release.
|Fixed a high memory consumption issue that was caused when Traps terminated a protected process.|
|Fixed an upgrade issue where after upgrading an ESM to 4.2.1, the Internal/External Address fields in Multi-ESM settings reverted to default values. Now, the ESM retains any configured Multi-ESM settings following an upgrade.|
Issues Addressed in Traps Endpoint Security Manager 4.2.1-h1
The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.1-h1 release.
|Fixed an issue with the Kernel Escalation Privilege exploit protection module which caused high CPU consumption on Linux endpoints.|
Issues Addressed in Traps Endpoint Security Manager 4.2.1
The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.1 release.
|Fixed an issue that occurred during an upgrade where the ESM Server loaded all records from the Protected Processes table into memory which caused high memory and CPU consumption.|
|Fixed an issue that caused the CyveraService process to consume up to 8GB of memory when loading the protected processes and resulted in high memory and CPU consumption at every agent heartbeat.|
|Fixed an issue with the Traps agent, where if you attempted to Send Support File, the agent would disconnect from the ESM Server and had to be manually restarted using Cytool.|
|Fixed an issue where the ESM Console reported multiple post detection events at each verdict recheck interval instead of a single post-detection event.|
|Fixed an issue with support exceptions delivered through content updates where the agent could not retrieve rules from the ESM Server when the rule name contained a backslash (\) in certain positions.|
|Fixed an issue where deleting security events from the ESM Console failed due to a missing mapping in the database.|
|Fixed an issue where if you cleared an administrative hash override from and the ESM Console could not connect to WildFire, the verdict did not reset to the previous verdict issued by Local Analysis.|
|Fixed an issue where the ESM Server upgrade was unsuccessful if the local user account assigned to manage the server contained spaces in the account name.|
|Fixed an issue where exporting Security Error Logs included reports for agent and ESM logs not related to security errors.|
|Fixed an issue where if you enabled log forwarding to an email, and performed a bulk operation from the ESM Console (such as deleting multiple rules simultaneously), the ESM logged the first operation but was unsuccessful reporting additional operations.|
|Fixed an issue on Windows endpoints where Traps agents caused slowness opening large Excel files from the network due to the hash reporting process.|
|Fixed an issue where the ESM Console did not count agents in the Dashboard License Capacity chart due to missing data in the database.|
|Fixed an issue where the Traps local analysis service consumed all the CPU usage on an endpoint.|
|Fixed an issue where the ESM did not properly clone child process rules. With this fix, the ESM first matches parent rules containing lists (for example, blacklist or whitelist) and determines changes to the lists. The ESM then creates a single process exception rule to capture the change to the policy. For cloned rules that removed a process from a blacklist, the ESM creates a new rule which allows the removed process. For cloned rules that added a process to a blacklist, the ESM creates a new rule which blocks the added process.|
|Fixed an issue on Linux endpoints, where installation was unsuccessful when multiple OpenSSL Package Manager (RPM) packages were installed.|
|Fixed an issue where the ESM Console could not display details for some Post-Detection events.|
|Fixed an issue where the NUM-agents_per_version query in the Tech Support File included information about deleted (Historic) endpoints.|
|Fixed an upgrade issue where the ESM would receive multiple quarantine file notifications after you upgraded the Traps agent. This was due to a deleted registry key during the upgrade which caused the Traps service to process the quarantine event log from the beginning and retransmit all the logged events.|
|Fixed an issue where honeypot files used to identify ransomware were shown in legitimate apps that did not need to view the files. With this fix all honeypot files associated with the Anti-Ransomware Protection module are hidden to ensure legitimate apps do not interact with the files.|
|Fixed an issue where Traps Anti-Ransomware Protection module did not prevent suspicious activities by processes launched from known protected locations. With this fix, Palo Alto Networks can now distribute definitions for known protected locations with content updates.|
|Fixed an issue where you could not test log forwarding to an email containing a gmail.com email address.|
|Fixed an issue where after installing Traps on a new endpoint, Traps ignored an administrative override to block a file (and permitted the file to run) when the file was signed by a trusted signer.|
Issues Addressed in Traps Endpoint Security Manager 4.2.0
The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.0 release.
|Fixed an issue where the ESM Console retained any command-line arguments specified for the child processes when you cloned a child process protection rule and removed the list of child processes.|
|Fixed an issue in the details view of a child process protection rule, where the Restricted List Module details were truncated.|
|Fixed an issue where the ESM Server failed to download files from the IIS virtual folder when the ESM Server was running on the same host as IIS (where the virtual folder is defined for forensic files).|
|Fixed an issue where if you accessed the ESM Console on the same server where IIS is running, the ESM Console was not displayed correctly.|
|Fixed an issue where if you defined an uninstall password from the ESM Console, the ESM Console ignored the definition and retained the default password of Password1.|
|Fixed an issue on the ESM Console Dashboard where the agent version extended beyond the width of the chart.|
|Fixed an issue where Traps evaluated the blacklisted processes before any restricted child processes. Now, Traps does not block child processes that were expressly allowed in the child process protection rules for a single source process.|
|Fixed an issue where if you cloned a default rule and then added additional components (processes), Traps failed to receive the changes to the default rule.|