Traps Endpoint Security Manager Known Issues
Known issues with the Traps Endpoint Security Manager and Traps agent 4.2.
The following table includes known issues in Traps Endpoint Security Manager and Traps agent in the 4.2 release.
When you disable the option to
Collect new process informationin an Agent Settings rule for Mac endpoints, Traps continues to collect and report process information.
When you try to export a filtered list of security events from the ESM Console, the ESM Console generates a comma separated values (CSV) file containing no content.
When you install Traps for Linux, the ESM reports the agent version using an older format resulting in a mismatch between the reported and actual agent version.
When you disable the option to
Collect new processesTraps continues to send process statistics to the Endpoint Security Manager.
When you export agent logs from the ESM Console, the CSV file displays the wrong time for each log.
When a security event occurs on Windows Server 2012 R2 or Windows Server 2016, Traps reports the OS version of the endpoint incorrectly.
With role-based access control, if you add a new user for an organizational unit but later change the user, the ESM Console clears the Directory Path on the
When McAfee is installed on Windows XP or Windows Server 2003, enabling Agent Tampering Protection for processes causes the operating system to halt abruptly.
After you install ESM 188.8.131.52637, if you remove an administrative hash override for an unknown file, the verdict may not revert to the initial verdict. For example, if you remove a hash override which set a benign verdict for the file, Traps may continue to allow the file instead of relying on the local analysis verdict.
Workaround: To apply the intended verdict, create a new hash override. For example, if you cleared a verdict which set a malware verdict, configure a new hash override to
Treat as Benign.
When you upgrade the Traps agent on the endpoint using the Windows installer, the installer permits you to change the name of the ESM Server and does not display an error. After the name change, the Cyvera service crashes.
Workaround: Leave the original ESM Server name when upgrading the Traps agent. If you already changed the name, you must uninstall and reinstall the Traps agent with the correct name.
When you upgrade the Traps Endpoint Security Manager to release 4.2.1, the internal and external addresses in the Multi-ESM settings reset to default auto-detected values.
Workaround: Take note of ESM values before you upgrade to ESM 4.2.1 and reconfigure the settings following an upgrade.
If you attempt to uninstall Traps but have administrative privileges only through fully enabled User Account Control (UAC), the uninstall is unsuccessful. This is because the uninstaller does not evaluate UAC access when it performs a self-security validation step to ensure the uninstall command was initiated by an administrator with the necessary permissions.
When you disable WildFire examination of unknown files but enable Traps to Collect New Process Info, Traps fails to collect and send information about new processes to the ESM Server.
If more than one openssl RPM package is installed on a Linux server, Traps fails to install.
Workaround: Remove any extra openssl packages and then install Traps.
When you clone a child process protection rule and remove the list of child processes, the ESM Console retains any command-line arguments specified for the child processes.
Workaround: Manually remove any command-line arguments from the rule.
In the details view of a child process protection rule, the Restricted List Module details are truncated.
Workaround: Edit the rule to see the full details for Restricted List.
When you generate a Tech Support File from the ESM Console, the file can exclude some log files.
When the ESM Server is running on the same host as IIS (where the virtual folder is defined for forensic files), the ESM Server fails to download files from the IIS virtual folder.
When you access the ESM Console on the same server where IIS is running, the ESM Console is not displayed correctly.
When you define an uninstall password from the ESM Console, the ESM Console ignores the definition and retains the default password of
On the ESM Console Dashboard, the agent version extends beyond the width of the chart.
Traps evaluates the blacklisted processes before any restricted child processes. As a result, Traps can block child processes that are expressly allowed in the child process protection rules for a single source process. This is due to the way Traps merges child process protection rules.
When you clone a default rule and then add additional components (processes), Traps fails to receive the changes to the default rule.
On Windows XP and Windows Server 2003 endpoints with .NET 3.5, the Traps service fails to start when the machine.config file is missing or incorrectly configured.
When the IP address of the Endpoint Security Manager (ESM) is changed while the ESM service is running, the new IP address is not updated in the ESM database and Traps agents cannot connect to the ESM.
Workaround:Restart the ESM service or update the
External Addressthrough the web interface (
If you try to add a trusted signer while the SQL service is down, you receive a
Fail to insert trusted signererror. Although this occurs, the ESM successfully adds the signer to the database when the service is restored.
On endpoints running Windows 10 Insider Preview, the Windows Defender Security Center displays Virus & threat protection as Unknown and displays Status unavailable for Traps even though Traps successfully registers with the Security Center and is available.
Workaround: Install content release version 22 or a later version to take advantage of the updated compatibility rules in the default policy.
Traps is registered as an Antivirus Protection Module and not as an Antispyware Protection Module on Japanese Windows operating systems. This causes the Action Center to indicate antivirus protection is off, even though the Traps agent is up and running.
On Windows 10 endpoints, Internet Explorer 11 halts abruptly when an exploit protection module (EPM) triggers a prevention event. This occurs due to the built-in mechanism which attempts to reopen pages which closed suddenly thus causing a prevention loop.
When Traps quarantines a file whose filename contains Unicode characters, the ESM Console incorrectly indicates the file has not been quarantined.
The DB Configuration Tool allows you to save a user who is not a local administrator on the ESM Console server because it does not validate administrative users.
Workaround: Validate that users are administrators on the ESM Console server before adding them as administrative accounts using the DB Configuration Tool.
When Service Protection is enabled and an administrator uninstalls Traps on the endpoint, some files remain in the
ProgramData\cyverafolder. In some environments, these files are owned by SYSTEM and cannot be removed by the administrative user.
Workaround: Log off and log back in before attempting to delete these files.
To create a rule for network folder restriction, the ESM Console requires you to define a network folder whitelist before it permits you to save the rule.
In an environment where a secondary ESM Console is installed on an ESM Server, the ESM Server inherits the proxy settings from the secondary console.
On Windows XP endpoints, when you click Send Support File from the Traps console, the agent fails to collect logs from the event viewer and instead sends only a partial collection of logs.
When you configure rules to use target objects that use the Windows User logon name in UPN format (User@Domain.com), the ESM Console omits these objects and displays only sAMAccount names.
Workaround: To apply a rule to a target object with a UPN account name, specify the full Active Directory distinguished name.
The BitsUpload manager fails to upload malware with a filename that contains the right-to-left override (RLO) character.
When you install Traps on a terminal server that is accessed by multiple users, user-specific rules do not work as expected. For example, in some cases, Traps fails to apply user-specific rules to the affected user. In other cases, Traps applies user-specific rules to all users on the terminal server.
Attempting to restore a file before Traps finishes retrieving relevant memory dumps causes delays in restoring the file to the original location.
In an environment with two ESM Consoles, when you attempt to generate an ESM tech support file, the ESM Console collects data only from the ESM Console on which you generated the file. As a result, the ESM tech support file does not contain any logs from the secondary console.
Traps fails to enforce local folder restrictions on endpoints that use the Japanese language version.
In an ESM deployment with multiple ESM Servers, after removing a server from the domain, the ESM Console does not update the Internal Address and continues to show the in-domain address.
Workaround: From the ESM Console (
), manually update the internal address of the ESM Server.
Because older versions of Traps did not support a grayware verdict, executable files received a benign verdict and were permitted to run. After upgrading to Traps 3.4 or later releases, the local cache retains the benign verdict for any grayware that previously ran on the endpoint. As a result, subsequent attempts to run grayware that ran previously are permitted.
On some endpoints, the CPU spikes when the Traps console is open.
The first time a user opens an executable file that is larger than 50MB (such as an installer), the launch time increases due to the evaluation of trusted signers.
After successfully installing the ESM Server or ESM Console software, the installer inconsistently logs the completion status of the installation.
When you generate an ESM Tech Support file and the ESM Console and the ESM Server are installed on the same device while service protection is enabled, some data cannot be retrieved. This is because service protection blocks access to specific folders.
When you upgrade .NET Framework in preparation for upgrading Traps and then remove the older .NET Framework version, the Traps upgrade fails.
Workaround: To avoid uninstall and upgrade issues, do not remove the older version of .NET Framework before upgrading to this version of Traps.
When you apply an action rule to an organizational unit and specify a group of machines as belonging to the organizational unit, endpoints in that group do not receive the agent rule.