Traps Endpoint Security Manager Known Issues

Known issues with the Traps Endpoint Security Manager and Traps agent 4.2.
The following table includes known issues in Traps Endpoint Security Manager and Traps agent in the 4.2 release.
Issue ID
Description
CYV-14779When you disable the option to Collect new process information in an Agent Settings rule for Mac endpoints, Traps continues to collect and report process information.
CYV-14759 When you try to export a filtered list of security events from the ESM Console, the ESM Console generates a comma separated values (CSV) file containing no content.
CYV-14701 When you install Traps for Linux, the ESM reports the agent version using an older format resulting in a mismatch between the reported and actual agent version.
CYV-14685 When you disable the option to Collect new processes Traps continues to send process statistics to the Endpoint Security Manager.
CYV-14684When you export agent logs from the ESM Console, the CSV file displays the wrong time for each log.
CYV-14672 When a security event occurs on Windows Server 2012 R2 or Windows Server 2016, Traps reports the OS version of the endpoint incorrectly.
CYV-14669 With role-based access control, if you add a new user for an organizational unit but later change the user, the ESM Console clears the Directory Path on the Users page.
CYV-14621 When McAfee is installed on Windows XP or Windows Server 2003, enabling Agent Tampering Protection for processes causes the operating system to halt abruptly.
CYV-14601
After you install ESM 4.2.2.39637, if you remove an administrative hash override for an unknown file, the verdict may not revert to the initial verdict. For example, if you remove a hash override which set a benign verdict for the file, Traps may continue to allow the file instead of relying on the local analysis verdict.
Workaround: To apply the intended verdict, create a new hash override. For example, if you cleared a verdict which set a malware verdict, configure a new hash override to Treat as Benign.
CYV-14574
When you upgrade the Traps agent on the endpoint using the Windows installer, the installer permits you to change the name of the ESM Server and does not display an error. After the name change, the Cyvera service crashes.
Workaround: Leave the original ESM Server name when upgrading the Traps agent. If you already changed the name, you must uninstall and reinstall the Traps agent with the correct name.
CYV-14457
When you upgrade the Traps Endpoint Security Manager to release 4.2.1, the internal and external addresses in the Multi-ESM settings reset to default auto-detected values.
Workaround: Take note of ESM values before you upgrade to ESM 4.2.1 and reconfigure the settings following an upgrade.
CYV-14380
If you attempt to uninstall Traps but have administrative privileges only through fully enabled User Account Control (UAC), the uninstall is unsuccessful. This is because the uninstaller does not evaluate UAC access when it performs a self-security validation step to ensure the uninstall command was initiated by an administrator with the necessary permissions.
Workarounds:
  • Execute the agent uninstall process from Add/Remove Programs with admin privileges.
  • Execute the agent uninstall using msiexec /x and supply the UNINSTALL_PASSWORD argument. For more information, see Uninstall the Traps Agent Using Msiexec. You must have the agent installer MSI to use this workaround.
CYV-14304
When you disable WildFire examination of unknown files but enable Traps to Collect New Process Info, Traps fails to collect and send information about new processes to the ESM Server.
CYV-14140
If more than one openssl RPM package is installed on a Linux server, Traps fails to install.
Workaround: Remove any extra openssl packages and then install Traps.
CYV-14137
When you clone a child process protection rule and remove the list of child processes, the ESM Console retains any command-line arguments specified for the child processes.
Workaround: Manually remove any command-line arguments from the rule.
CYV-14136
In the details view of a child process protection rule, the Restricted List Module details are truncated.
Workaround: Edit the rule to see the full details for Restricted List.
CYV-14133
When you generate a Tech Support File from the ESM Console, the file can exclude some log files.
CYV-14130
When the ESM Server is running on the same host as IIS (where the virtual folder is defined for forensic files), the ESM Server fails to download files from the IIS virtual folder.
CYV-14129
When you access the ESM Console on the same server where IIS is running, the ESM Console is not displayed correctly.
CYV-14124
When you define an uninstall password from the ESM Console, the ESM Console ignores the definition and retains the default password of Password1.
CYV-14077
On the ESM Console Dashboard, the agent version extends beyond the width of the chart.
CYV-14076
Traps evaluates the blacklisted processes before any restricted child processes. As a result, Traps can block child processes that are expressly allowed in the child process protection rules for a single source process. This is due to the way Traps merges child process protection rules.
CYV-14050
When you clone a default rule and then add additional components (processes), Traps fails to receive the changes to the default rule.
CYV-13914
On Windows XP and Windows Server 2003 endpoints with .NET 3.5, the Traps service fails to start when the machine.config file is missing or incorrectly configured.
CYV-13881
When the IP address of the Endpoint Security Manager (ESM) is changed while the ESM service is running, the new IP address is not updated in the ESM database and Traps agents cannot connect to the ESM.
Workaround: Restart the ESM service or update the External Address through the web interface (SettingsESMMulti ESM).
CYV-13879
If you try to add a trusted signer while the SQL service is down, you receive a Fail to insert trusted signer error. Although this occurs, the ESM successfully adds the signer to the database when the service is restored.
CYV-13273
On endpoints running Windows 10 Insider Preview, the Windows Defender Security Center displays Virus & threat protection as Unknown and displays Status unavailable for Traps even though Traps successfully registers with the Security Center and is available.
Workaround: Install content release version 22 or a later version to take advantage of the updated compatibility rules in the default policy.
CYV-11503
Traps is registered as an Antivirus Protection Module and not as an Antispyware Protection Module on Japanese Windows operating systems. This causes the Action Center to indicate antivirus protection is off, even though the Traps agent is up and running.
CYV-10664
On Windows 10 endpoints, Internet Explorer 11 halts abruptly when an exploit protection module (EPM) triggers a prevention event. This occurs due to the built-in mechanism which attempts to reopen pages which closed suddenly thus causing a prevention loop.
CYV-10655
When Traps quarantines a file whose filename contains Unicode characters, the ESM Console incorrectly indicates the file has not been quarantined.
CYV-9930
The DB Configuration Tool allows you to save a user who is not a local administrator on the ESM Console server because it does not validate administrative users.
Workaround: Validate that users are administrators on the ESM Console server before adding them as administrative accounts using the DB Configuration Tool.
CYV-9790
When Service Protection is enabled and an administrator uninstalls Traps on the endpoint, some files remain in the ProgramData\cyvera folder. In some environments, these files are owned by SYSTEM and cannot be removed by the administrative user.
Workaround: Log off and log back in before attempting to delete these files.
CYV-9762
To create a rule for network folder restriction, the ESM Console requires you to define a network folder whitelist before it permits you to save the rule.
CYV-9751
In an environment where a secondary ESM Console is installed on an ESM Server, the ESM Server inherits the proxy settings from the secondary console.
CYV-9723
On Windows XP endpoints, when you click Send Support File from the Traps console, the agent fails to collect logs from the event viewer and instead sends only a partial collection of logs.
CYV-9705
When you configure rules to use target objects that use the Windows User logon name in UPN format (User@Domain.com), the ESM Console omits these objects and displays only sAMAccount names.
Workaround: To apply a rule to a target object with a UPN account name, specify the full Active Directory distinguished name.
CYV-9621
The BitsUpload manager fails to upload malware with a filename that contains the right-to-left override (RLO) character.
CYV-9595
When you install Traps on a terminal server that is accessed by multiple users, user-specific rules do not work as expected. For example, in some cases, Traps fails to apply user-specific rules to the affected user. In other cases, Traps applies user-specific rules to all users on the terminal server.
CYV-9585
Attempting to restore a file before Traps finishes retrieving relevant memory dumps causes delays in restoring the file to the original location.
CYV-9538
In an environment with two ESM Consoles, when you attempt to generate an ESM tech support file, the ESM Console collects data only from the ESM Console on which you generated the file. As a result, the ESM tech support file does not contain any logs from the secondary console.
CYV-9368
Traps fails to enforce local folder restrictions on endpoints that use the Japanese language version.
CYV-9360
In an ESM deployment with multiple ESM Servers, after removing a server from the domain, the ESM Console does not update the Internal Address and continues to show the in-domain address.
Workaround: From the ESM Console (SettingsESMMulti ESM), manually update the internal address of the ESM Server.
CYV-9355
Because older versions of Traps did not support a grayware verdict, executable files received a benign verdict and were permitted to run. After upgrading to Traps 3.4 or later releases, the local cache retains the benign verdict for any grayware that previously ran on the endpoint. As a result, subsequent attempts to run grayware that ran previously are permitted.
CYV-9350
On some endpoints, the CPU spikes when the Traps console is open.
CYV-9284
The first time a user opens an executable file that is larger than 50MB (such as an installer), the launch time increases due to the evaluation of trusted signers.
CYV-9178
After successfully installing the ESM Server or ESM Console software, the installer inconsistently logs the completion status of the installation.
CYV-9007
When you generate an ESM Tech Support file and the ESM Console and the ESM Server are installed on the same device while service protection is enabled, some data cannot be retrieved. This is because service protection blocks access to specific folders.
CYV-8834
When you upgrade .NET Framework in preparation for upgrading Traps and then remove the older .NET Framework version, the Traps upgrade fails.
Workaround: To avoid uninstall and upgrade issues, do not remove the older version of .NET Framework before upgrading to this version of Traps.
CYV-8732
When you apply an action rule to an organizational unit and specify a group of machines as belonging to the organizational unit, endpoints in that group do not receive the agent rule.

Related Documentation