Issues Addressed in Traps Endpoint Security Manager 4.2

List of addressed issues in the Traps Endpoint Security Manager 4.2.

Issues Addressed in Traps Endpoint Security Manager 4.2.5

Traps ESM 4.2.5 includes security-related improvements and addressed issues. The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.5 release.
Issue ID
Description
CYV-14838
Fixed an issue with log forwarding to email where the ESM could not send the test email when the email server was configured to not require credentials.
CYV-14836
Fixed an issue with log forwarding to email where if you did not configure SSL communication with the mail server, the ESM could not validate the certificate and could not forward logs to an email.
CYV-14834
Fixed an issue with log forwarding to email where an email server configured without SSL still presented a certificate to the ESM and, if the CA of the certificate was not installed in certificate store of the ESM, a certificate validation failure occurred.
CYV-14828
Fixed an issue that occurred when you exported security events to a comma-separated values (CSV) file where the
Target process location
value was not exported in the output.
CYV-14827
Fixed an issue on Linux endpoints where if you tried to upgrade an agent from Traps 4.2.4 to a Traps management service-supported agent, the old version was uninstalled but the new version was not installed.
CYV-14826
Fixed an issue where the Traps agent did not apply the latest ESM policy and instead retained the default policy settings.
CYV-14696
Fixed an issue where the
Save
button was not grayed out after successfully saving a Virtual Group which resulted in saving a virtual group multiple times.
CYV-14653
Fixed an issue where a cloned protected process halted suddenly when Traps was installed.

Issues Addressed in Traps Endpoint Security Manager 4.2.4

The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.4 release.
Issue ID
Description
CYV-14794
Fixed an issue on Windows endpoints where the Tlaservice failed to initialize when the system variable for %TMP% was not reachable or held an invalid path.
CYV-14782
Fixed an issue on Windows 10 endpoints where the Anti-Ransomware module caused slowness when end users opened Microsoft Office files.
CYV-14772
Fixed an issue with Hash Control queries where searching for a hash across a large database of hashes using the contains operator triggered an error on the ESM Console.
CYV-14685
Fixed an issue where Traps continued to send process statistics to the Endpoint Security Manager after you disable the option to Collect new processes.
CYV-14764
Fixed an issue with the DLL Security exploit protection module where a blacklisted DLL was allowed to execute if also specified on the Stacklist Whitelist. Now, the blacklist takes precedence so that the DLL is prevented from running.
CYV-14759
Fixed an issue where the ESM Console generated a comma-separated values (CSV) file containing no content, when you tried to export a filtered list of security events from the ESM Console.
CYV-14757
Fixed an issue on Windows 10 TH1 endpoints where the Traps agent did not register with the Microsoft Security Center which resulted in an inaccurate protection status.
CYV-14749
Fixed an issue on Linux endpoints where running commands as sudo caused Traps to report a Kernel Privilege Escalation event.
CYV-14748
Fixed an issue on Mac endpoints where the Traps agent protection status was enabled despite the agent identifying the environment as incompatible.
CYV-14740
Fixed an issue on Linux endpoints where installation of Traps failed due to a mismatch between the machine name and the name read by the installer.
CYV-14723
Fixed an issue where the Endpoint Security Manager (ESM) could not forward logs to an email when you used Opportunistic TLS (STARTTLS) protocol for secure communication.
CYV-14719
Fixed an issue with the JIT Mitigation module on Windows endpoints where Traps reported a security event for trusted executable PE files.
CYV-14718
Fixed an issue with the Shellcode Preallocation module where the Traps agent did not verify that the return address identified by the module was executable before raising a security event.
CYV-14690
Fixed an issue where Traps did not apply tampering protection to the parent directory of the Traps installation.
CYV-14687
Fixed an issue on Linux endpoints where Traps prevented a cron job from running a shell script due to a compatibility issue with glibc version 2.22.
CYV-14672
Fixed an issue on Windows Server 2012 R2 or Windows Server 2016 where Traps reported the OS version of the endpoint incorrectly when a security event occurred.
CYV-14669
Fixed an issue with role-based access control, where if you added a new user for an organizational unit but later changed the user, the ESM Console cleared the Directory Path on the
Users
page.
CYV-14668
Fixed an issue where the ESM could not retrieve Active Directory objects when the Domain Controller was configured with LDAP server signing requirements.
CYV-14656
Fixed an issue on Linux endpoints which allowed you to install, upgrade, and uninstall Traps in the
/tmp
directory. Now, during installation Traps creates a dedicated folder to contain supporting files that is removed after the installation completes.
CYV-14633
Fixed an issue where the Post Detection Processing script caused the database to fill up with old records which caused delays uploading hashes and files to WildFire.
CYV-14629
Fixed an issue where a failed content update did not revert to the original state and, as a result, caused Traps to operate in an unprotected state without a policy.
CYV-14619
Fixed an issue where the ESM raised post-detection events for endpoints with a historic (deleted) status.
CYV-14574
Fixed an issue that occurred during the upgrade of the Traps agent where if you the MSI, the installer permitted you to change the name of the ESM Server and subsequently caused the Cyvera service to crash.
CYV-14524
Fixed an issue where multiple attempts to load Traps DLLs caused failures in the process initialization flow resulting in a prevention or potentially a crash.
CYV-14304
Fixed an issue where Traps failed to collect and send information about new processes to the ESM Server when you disabled WildFire examination of unknown files but enabled Traps to Collect New Process Info.
CYV-13959
Fixed an issue with email reporting where the ESM reported the agent version as 1.0 when forwarding logs to an email.

Issues Addressed in Traps Endpoint Security Manager 4.2.3

The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.3 release.
Issue ID
Description
CYV-14737
Fixed an issue where if you tried to delete large amounts of logs (200,000 or higher) from
Data Retrieval
, the ESM Console did not remove the logs and did not display a notification.
CYV-14713
Fixed an issue where if you had over five ESM Servers and tried to create an installation package, you could not select the option to choose all servers on the
Generate Package
dialog, and could not view the full server name or view the full list for all servers.
CYV-14707
Fixed an issue where the ESM Console exhibited slow response times when using Dynamic Virtual Groups.
CYV-14702
Fixed an issue where if you created a rule based on a security event for Linux endpoints where the module was Privilege escalation protection, the ESM Console displays the rule configuration for the Windows Kernel Protection modules instead of for Linux.
CYV-14662
Fixed an issue where if the Traps agent requested verdicts for a large number of hashes (300,000 or more), the ESM database experienced high CPU usage.
CYV-14660
Fixed an issue on Windows endpoints where if you configured Restriction rules to block files in network folders, Traps allowed network files to run.
CYV-14649
Fixed an issue with 4.2.2 in deployments that use multiple ESM Servers where the ESM Console reported that all Traps agents were connected to one ESM Server instead of reporting the correct distribution across multiple ESM Servers.
CYV-14646
Fixed an issue where if log collection exceeded 10 seconds, Traps did not include some essential components in the Tech Support File.
CYV-14645
Fixed an issue that occurred during an upgrade where the ESM incorrectly migrated internal (primary) and external (secondary) ESM Server addresses in the database.
CYV-14644
Fixed an issue that occurred during an upgrade with multiple ESM Servers where the ESM correctly migrated the internal (primary) and external (secondary) addresses of the first ESM server that you upgraded but incorrectly migrated the addresses for subsequent ESM Servers.
CYV-14631
Fixed an issue on Windows 10 RS5 endpoints where if you tried to uninstall the Traps agent from either the control panel or
Settings
Apps
, the uninstall password was rejected and the software remained installed.
CYV-14627
Fixed an issue that occurred when using multiple ESM Servers where the
Generate Package
dialog that displays when you create a new installation package displayed older ESM Server addresses.
CYV-14625
Fixed an issue on Windows endpoints where if you tried to uninstall Traps, Windows does not prompt you to enter the UAC administrator password which resulted in a failure to uninstall the Traps software.
CYV-14618
Fixed an issue which caused high CPU consumption on ESM 4.2.2 when no Traps agents were sending traffic to the ESM Server.
CYV-14616
Fixed an issue with log forwarding to email where the subject for an email notification of a security event included the ESM Server name instead of the endpoint host name.
CYV-14614
Fixed an issue on endpoints using AMD processors where the endpoint could halt suddenly if the processor did not support RDRAND instructions.
CYV-14605
Fixed an issue where the sending the Tech Support File from the Traps console caused the CyveraService to halt suddenly.
CYV-14598
Fixed an issue where a user experienced delays when opening a file over the network due to Traps performing on-access scans for processes that had not changed.
CYV-14591
Fixed an issue where DBConfig halted suddenly when the tool could not connect to the database.
CYV-14590
Fixed an issue where if you rechecked a verdict from
Hash Control
, the verdict updated to Malware and is not updated until you rechecked the verdict a second time.
CYV-14586
Fixed an issue that occurred after an ESM upgrade where Traps agents running version 3.4.3 could not send heartbeat communication to the ESM Server and, as a result, did not obtain the latest security policy.
CYV-14575
Fixed an issue where Linux processes were not visible from
Process Management
in the ESM Console.
CYV-14573
Fixed an issue where Traps retained irrelevant (unmapped) records inside both DLL Security and UASLR modules, which caused Traps to incorrectly report security events.
CYV-14560
Fixed an issue where Content Updates on the ESM Console did not display any indication that the policy is up-to-date when you
Check Now
for the latest update.
CYV-14559
Fixed an issue where Content Updates on the ESM Console did not automatically refresh when you
Check Now
for updates and the ESM Console identified a new content update was available.
CYV-14558
Fixed an issue where the ESM Console did not display any explanation when a content update was unsuccessful.
CYV-14532
Fixed an issue with log forwarding to a syslog receiver where the Traps agent reported an incorrect IP address for the endpoint in heartbeat reports.
CYV-14525
Fixed an issue where if you created a virtual dynamic group based on a workgroup or domain, the ESM Console pulled in both active and historical data for endpoints that are no longer had an active Traps agent.
CYV-14512
Fixed an issue where if you tried to download files—such as agent logs—before the ESM Console fully received them from the Traps agent, the ESM Console displayed an error page due to an uncaught exception.
CYV-14380
Fixed an issue where you could not uninstall Traps despite having administrative privileges through fully enabled User Account Control (UAC). Now, the uninstaller evaluates UAC access when it performs a self-security validation step to ensure the uninstall command was initiated by an administrator with the necessary permissions.
CYV-13273
Fixed an issue on endpoints running Windows 10 Insider Preview, where the Windows Defender Security Center displayed Virus & threat protection as Unknown and displayed Status unavailable for Traps even though Traps successfully registered with the Security Center and was available.

Issues Addressed in Traps Endpoint Security Manager 4.2.2

The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.2 release.
Issue ID
Description
CYV-14601
Fixed an issue in ESM 4.2.2.39637 where if you removed a hash override for an unknown file, the Traps agent did not revert to using the original local analysis verdict.
CYV-14569
Fixed an issue on endpoints where Traps was newly installed where the ESM Server failed to send changed verdicts to Traps agents on Mac endpoints.
CYV-14561
Fixed an issue where following an upgrade to ESM 4.2, the internal address for the ESM Server reverted to the default value.
CYV-14540
Fixed an issue where the local analysis module in Traps failed to analyze apps compiled with Xcode 10 on Mac endpoints which resulted in invalid security events.
CYV-14534
Fixed an issue on Linux endpoints where 32-bit binaries with Position Independent Executables (PIE) and stripped symbols crashed upon startup.
CYV-14533
Fixed an issue where the ESM Console displayed a timed out status for a Tech Support File that had partially completed. To ensure the ESM Console does not indicated a timed out status for the entire file when some actions successfully completed, the ESM Console now provides timeouts for each action and indicates these timeouts in the logs.
CYV-14518
Fixed an issue where Traps blocked a legitimate process when an unknown process ran before Traps had finished starting services.
CYV-14514
Fixed an issue where Traps ignored the whitelists defined in exploit protection rules that used Exploit Kit Fingerprinting Protection, JIT Mitigation, DEP, and ROP Mitigation EPMs.
CYV-14505
Fixed a performance issue caused by duplicate heartbeat messages between the Traps agent and the ESM Server during the Traps initialization.
CYV-14494
Fixed an issue on Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016 where Sysprep failed and the endpoint could not finish booting when you enabled registry values protection.
CYV-14480
Fixed an issue on Linux servers where Traps blocked legitimate root processes when Kernel Privilege Escalation Protection was enabled.
CYV-14462
Fixed an issue on Windows endpoints where opening network files took an excessive amount of time to open due to forensic collection of accessed files.
CYV-14445
Fixed an issue on Windows endpoints where Cytool did not always stop Traps drivers after you used the
cytool runtime stop
command.
CYV-14441
Fixed an issue on Windows endpoints where end users could experience delays opening Excel files that contain macros from network drives.
CYV-14419
Fixed an issue on Linux servers where Traps could not identify the OS version due to missing os-release file, and could not connect to the ESM Server.
CYV-14407
Fixed an issue on the
Monitor
Agent
Logs
page where if you filtered the logs for a specific
Report Type
, selected all results, and then attempted to
Export Selected
logs, the ESM Console did not export the selected items as expected.
CYV-14399
Fixed an issue where you could not uninstall Traps with local administrative privileges.
CYV-14338
Fixed an issue in deployments with multiple ESM Servers and multiple NICs per ESM Server where the Traps agent did not received the full list of valid ESM Server addresses when the IP address for an ESM Server changed.
CYV-14159
Fixed an issue where the Traps EventReportsManager halted an action, such as sending reports, if it received a change to the reporting configuration before the action completed.

Issues Addressed in Traps Endpoint Security Manager 4.2.1-h3

There are no issues addressed in the Traps Endpoint Security Manager 4.2.1-h3 release.

Issues Addressed in Traps Endpoint Security Manager 4.2.1-h2

The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.1-h2 release.
Issue ID
Description
CYV-14510
Fixed a high memory consumption issue that was caused when Traps terminated a protected process.
CYV-14457
Fixed an upgrade issue where after upgrading an ESM to 4.2.1, the Internal/External Address fields in Multi-ESM settings reverted to default values. Now, the ESM retains any configured Multi-ESM settings following an upgrade.

Issues Addressed in Traps Endpoint Security Manager 4.2.1-h1

The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.1-h1 release.
Issue ID
Description
CYV-14455
Fixed an issue with the Kernel Escalation Privilege exploit protection module which caused high CPU consumption on Linux endpoints.

Issues Addressed in Traps Endpoint Security Manager 4.2.1

The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.1 release.
Issue ID
Description
CYV-14398
Fixed an issue that occurred during an upgrade where the ESM Server loaded all records from the Protected Processes table into memory which caused high memory and CPU consumption.
CYV-14381
Fixed an issue that caused the CyveraService process to consume up to 8GB of memory when loading the protected processes and resulted in high memory and CPU consumption at every agent heartbeat.
CYV-14377
Fixed an issue with the Traps agent, where if you attempted to
Send Support File
, the agent would disconnect from the ESM Server and had to be manually restarted using Cytool.
CYV-14372
Fixed an issue where the ESM Console reported multiple post detection events at each verdict recheck interval instead of a single post-detection event.
CYV-14364
Fixed an issue with support exceptions delivered through content updates where the agent could not retrieve rules from the ESM Server when the rule name contained a backslash (
\
) in certain positions.
CYV-14363
Fixed an issue where deleting security events from the ESM Console failed due to a missing mapping in the database.
CYV-14351
Fixed an issue where if you cleared an administrative hash override from and the ESM Console could not connect to WildFire, the verdict did not reset to the previous verdict issued by Local Analysis.
CYV-14327
Fixed an issue where the ESM Server upgrade was unsuccessful if the local user account assigned to manage the server contained spaces in the account name.
CYV-14295
Fixed an issue where exporting Security Error Logs included reports for agent and ESM logs not related to security errors.
CYV-14280
Fixed an issue where if you enabled log forwarding to an email, and performed a bulk operation from the ESM Console (such as deleting multiple rules simultaneously), the ESM logs the first operation but is unsuccessful reporting additional operations.
CYV-14245
Fixed an issue on Windows endpoints where Traps agents caused slowness opening large excel files from the network due to the hash reporting process.
CYV-14234
Fixed an issue where the ESM Console did not count agents in the Dashboard License Capacity chart due to missing data in the database.
CYV-14228
Fixed an issue where the Traps local analysis service consumed all the CPU usage on an endpoint.
CYV-14211
Fixed an issue where the ESM did not properly clone child process rules. With this fix, the ESM first matches parent rules containing lists (for example, blacklist or whitelist) and determines changes to the lists. The ESM then creates a single process exception rule to capture the change to the policy. For cloned rules that removed a process from a blacklist, the ESM creates a new rule which allows the removed process. For cloned rules that added a process to a blacklist, the ESM creates a new rule which blocks the added process.
CYV-14140
Fixed an issue on Linux endpoints, where installation was unsuccessful when multiple OpenSSL Package Manager (RPM) packages were installed.
CYV-14014
Fixed an issue where the ESM Console could not display details for some Post-Detection events.
CYV-13911
Fixed an issue where the NUM-agents_per_version query in the Tech Support File included information about deleted (Historic) endpoints.
CYV-13773
Fixed an upgrade issue where the ESM would receive multiple quarantine file notifications after you upgraded the Traps agent. This was due to a deleted registry key during the upgrade which caused the Traps service to process the quarantine event log from the beginning and retransmit all the logged events.
CYV-13506
Fixed an issue where honeypot files used to identify ransomware were shown in legitimate apps that did not need to view the files. With this fix all honeypot files associated with the Anti-Ransomware Protection module are hidden to ensure legitimate apps do not interact with the files.
CYV-13505
Fixed an issue where Traps Anti-Ransomware Protection module did not prevent suspicious activities by processes launched from known protected locations. With this fix, Palo Alto Networks can now distribute definitions for known protected locations with content updates.
CYV-13399
Fixed an issue where you could not test log forwarding to an email containing a gmail.com email address.
CYV-11491
Fixed an issue where after installing Traps on a new endpoint, Traps ignored an administrative override to block a file (and permitted the file to run) when the file was signed by a trusted signer.

Issues Addressed in Traps Endpoint Security Manager 4.2.0

The following table lists the issues that are addressed in the Traps Endpoint Security Manager 4.2.0 release.
Issue ID
Description
CYV-14137
Fixed an issue where the ESM Console retained any command-line arguments specified for the child processes when you cloned a child process protection rule and remove the list of child processes.
CYV-14136
Fixed an issue in the details view of a child process protection rule, where the Restricted List Module details are truncated.
CYV-14130
Fixed an issue where the ESM Server failed to download files from the IIS virtual folder when the ESM Server was running on the same host as IIS (where the virtual folder is defined for forensic files).
CYV-14129
Fixed an issue where if you accessed the ESM Console on the same server where IIS is running, the ESM Console was not displayed correctly.
CYV-14124
Fixed an issue where if you defined an uninstall password from the ESM Console, the ESM Console ignored the definition and retained the default password of
Password1
.
CYV-14077
Fixed an issue on the ESM Console Dashboard where the agent version extends beyond the width of the chart.
CYV-14076
Fixed an issue where Traps evaluated the blacklisted processes before any restricted child processes. Now, Traps does not block child processes that were expressly allowed in the child process protection rules for a single source process.
CYV-14050
Fixed an issue that occurred where if you cloned a default rule and then added additional components (processes), Traps failed to receive the changes to the default rule.

Related Documentation