Changes to Default Behavior

Review the changes to default behavior in ESM and Traps 4.2 releases.

Changes to Default Behavior in 4.2.4

The following table describes the changes to default behavior introduced in Traps Endpoint Security Manager and Traps agent 4.2.4.
FeatureChange to Default Behavior
Quarantine Network Path
(CYV-14673)
The Quarantine Network Path setting in the ESM Server Configuration that was supported in ESM 3.1 is now deprecated and is removed from the ESM Console.
SHA256 Hash Search Operator
(CYV-14772)
The operator Contains used to search for SHA256 hashes that match a partial string is now deprecated and is superseded by the new operators introduced in 4.2.4.

Changes to Default Behavior in 4.2.3

The following table describes the changes to default behavior introduced in Traps Endpoint Security Manager and Traps agent 4.2.3.
FeatureChange to Default Behavior
Shellcode Preallocation Data Collection
(CYV-14659)
When the Shellcode Preallocation exploit protection module triggers a security event, the Traps agent now collects ShellcodeInformation system calls and addresses with relevant forensics data collection.
DEP Module Advanced Setting
(CYV-14553)
The Allocated Only setting—which was available from Ninja Mode of the DEP application protection module—is now deprecated and is no longer configurable from the ESM Console.

Changes to Default Behavior in 4.2.2

The following table describes the changes to default behavior introduced in Traps Endpoint Security Manager and Traps agent 4.2.2.
FeatureChange to Default Behavior
DEP Memory Handling
(CYV-14450)
When a protected process attempts to access unallocated memory, the Traps DEP exploit protection module no longer triggers a security event (in notification mode) or captures the memory when this type of event occurs. This reduces the need for incompatibility rules required to prevent Traps from capturing data that was unusable.

Changes to Default Behavior in 4.2.1

The following table describes the changes to default behavior introduced in Traps Endpoint Security Manager and Traps agent 4.2.1.
FeatureChange to Default Behavior
Whitelists in Cloned RulesWhen you clone a rule from the default policy that contains a whitelist, you can no longer make changes to the whitelist. This protects you from inadvertently overwriting the recommended whitelist when you clone and edit a rule from default policy. Now, to make changes to a whitelist, you can configure an exception.
Child Process Exceptions in Cloned RulesWhen you upgrade to Traps ESM 4.2.1, the ESM now migrates cloned rules that contains a whitelist or blacklist to exception rules. The ESM matches parent rules containing lists (for example, blacklist or whitelist) and determines changes to the lists. The ESM then creates a single process exception rule to capture the change to the policy. For cloned rules that removed a process from a blacklist, the ESM creates a new rule which allows the removed process. For cloned rules that added a process to a blacklist, the ESM creates a new rule which blocks the added process.
child-process-rule-merge-upgrade-blacklist.png
Support File EnhancementTo assist you with hash and verdict investigation, the Traps agent now includes the local WildFire cache and log files stored in %programdata%\Cyvera\LocalSystem when it sends the Tech Support File. The WildFire cache allows you to view all hashes and verdicts that are locally stored in the agent.
Enhanced DLL WhitelistThe whitelist capabilities of the JIT and DLL security exploit protection modules (EPMs) has been enhanced in the default security policy.
Multi-ESM Setting Detection
For increased visibility, the details and edit views of the Multi-ESM settings have changed. By default, the ESM Console now automatically detects the internal and external addresses, and uses those values as placeholders.
In the expanded details view of the server, the ESM Console displays indicates the source as Autodetected for placeholder values or as ESM Settings if you configure alternate values.
multi-esm-settings-autodetect.png
In edit mode, the ESM Console shows auto-detected values in gray and edited values in regular black text.
Automated Temp File CleanupThe ESM Server and ESM Console now employ a cleanup policy to automatically purge files in the temp and forensic folders. The cleanup policy runs every 24 hours and removes files older than 30 days from the forensic folder and all files in the temp folders. This prevents outdated and unneeded files from impacting ESM functionality.

Changes to Default Behavior in 4.2.0

The following table describes the changes to default behavior introduced in Traps Endpoint Security Manager and Traps agent 4.2.0.
FeatureChange to Default Behavior
Child Process Protection rule mergingBy default, Child Process Protection rules are now merged with the default policy. If the case of rule conflicts, the user-defined child process protection rule takes precedence.
Enhanced Content UpdatesTo align the content structure between the different management servers, the Endpoint Security Manager now supports a new content update format. To distinguish from older content updates, the Customer Support Portal now separates content updates into two sections: 3.4 to 4.1 versions and 4.2 and above. The enhanced content updates also follow a different numbering scheme. To determine the minimum supported content update version, see Associated Software and Content Versions.
ConditionsSome conditions in the default security policy are now defined in the new content structure using APIs. With this change, the ESM Console displays non-API definitions as N/A in the additional details view of the condition.

Related Documentation