Install Traps Agent for Windows

Use the following workflows to install the Traps agent 5.0 on Windows endpoints. This topic covers installation using the MSI, installation using Msiexec, and configuration of the agent on a non-persistent VDI.
You can install Traps for Windows in any of the following scenarios:
  • Standard Traps installation—Intended for standard physical endpoints or persistent virtual endpoints. Install Traps Agent 5.0 Using the MSI or from the command-line using Msiexec.
  • Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed. This installation ensures that each agent installed on a new spawned session retains the policy defined on the golden image, thus reducing resource use and log creation. In addition, with VDI installation, the endpoint license returns to the license pool either when the user logs off or ends the VDI session, or after a shorter timeout period than a standard Traps installation, thus ensuring that licenses are consumed only by active VDI sessions. Follow the standard installation procedures for persistent endpoints or follow the procedure to Configure the Traps Agent for Non-Persistent VDI.
  • Temporary session—(Traps 5.0.4 and later releases) Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed. After you install Traps, the Traps management service issues a license to the physical or virtual endpoint but will revoke the license after a short period of inactivity. When the machine reverts to the original state, and Traps is reinstalled, the machine receives a license again. To install Traps on a snapshot from which temporary sessions will spawn, Configure Traps for Temporary Sessions.

Install Traps Agent 5.0 Using the MSI

Use the following workflow to install the Traps agent using the MSI file.
  1. Before installing Traps™ agent 5.0 on a Windows endpoint, verify that the system meets the requirements described in Traps Agent for Windows Requirements.
  2. Download the Traps installer for Windows from the Traps management service.
    Ensure that you download the Windows installer for the Windows architecture (x64 or x86) installed on the endpoint.
  3. Run the MSI file on the endpoint.
    The installer displays a welcome dialog.
  4. Click Next.
  5. Install the agent.
    The installer displays a User Account Control dialog.
  6. Click Yes.
    The installer displays a reboot notification.
  7. Click OK.
  8. After you complete the installation, restart the endpoint.

Install Traps Agent 5.0 Using Msiexec

Msiexec provides full control over the installation process and allows you to install, modify, and perform operations on a Windows Installer from the command line interface (CLI). You can also use Msiexec to log any issues encountered during installation.
Msiexec also works in conjunction with System Center Configuration Manager (SCCM), Altiris, Group Policy Object (GPO), or other MSI deployment software to install Traps on multiple endpoints for the first time.
When you install Traps with Msiexec, you must install Traps per-machine and not per-user.
Although Msiexec supports additional options, Traps installers support only the options listed here. For example, with Msiexec, the option to install the software in a non-standard directory is not supported—you must use the default path.
  • /i <installpath>\<installerfilename>.msi—Install a package. For example, msiexec /i c:\install\traps.msi.
  • /qn—Displays no user interface (quiet installation).
  • /L*v <logpath>\<logfilename>.txt—Log verbose output to a file. For example, /l*v c:\logs\install.txt.
  • VDI_ENABLED=1—Use to install Traps on the golden image for a non-persistent VDI. This option identifies the session as a VDI in the Traps management service and applies license and endpoint management policy specific for non-persistent VDI. To set up Traps on a golden image for non-persistent VDI, see Configure a Traps Agent in a Non-Persistent VDI.
  • TS_ENABLED=1—Use to install Traps on the golden image for a temporary session. This option identifies the session as a temporary session in the Traps management service and applies license and endpoint management policy specific for temporary sessions. To set up Traps on a golden image for temporary sessions, see Configure Traps for Temporary Sessions.
Use the following workflow to install the Traps agent using Msiexec:
  1. Before installing Traps™ agent 5.0 on a Windows endpoint, verify that the system meets the requirements described in Traps Agent for Windows Requirements.
  2. Use one of the following methods to open a command prompt as an administrator.
    • Select Start > All Programs > Accessories. Right-click Command prompt and select Run as administrator.
    • Select Start. In the Start Search box, type cmd. Then, to open the command prompt as an administrator, press CTRL+SHIFT+ENTER.
  3. Run the msiexec command followed by one or more supported options and properties.
    For example:
    msiexec /i c:\install\traps.msi /l*v C:\temp\trapsinstall.log /qn
  4. After you complete the installation, restart the endpoint.
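The Msiexec workflow above as a PowerShell wrapper. This is an added example, not Palo Alto Networks code. It passes only the options listed in this section and handles all three install modes; the default paths are the page's sample paths, and the assumption that the installer carries an Authenticode signature is the example's own.

```powershell
# Added example, not Palo Alto Networks code. Default paths are the page's samples.
param(
    [string]$MsiPath = 'C:\install\traps.msi',
    [string]$LogPath = 'C:\temp\trapsinstall.log',
    [ValidateSet('Standard', 'VDI', 'TemporarySession')]
    [string]$Mode = 'Standard'
)
$ErrorActionPreference = 'Stop'

# The workflow requires an administrator prompt; fail early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) session.'
}

# Assumption: the downloaded installer is Authenticode-signed.
# Refuse to install a package whose signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; not installing $MsiPath."
}
Write-Host "Installer signer: $($sig.SignerCertificate.Subject)"

# Pass only the options this section lists as supported (no custom install path).
$msiArgs = @('/i', "`"$MsiPath`"", '/l*v', "`"$LogPath`"", '/qn')
switch ($Mode) {
    'VDI'              { $msiArgs += 'VDI_ENABLED=1' }   # golden image, non-persistent VDI
    'TemporarySession' { $msiArgs += 'TS_ENABLED=1' }    # snapshot for temporary sessions
}
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success with restart required,
# 1641 = success with restart initiated.
if ($proc.ExitCode -in 0, 1641, 3010) {
    Write-Host "Traps installed in $Mode mode. Restart the endpoint to finish."
    exit 0
}

# On failure, show the lines leading up to the failing action in the verbose log
# ("Return value 3" marks a failed action in English-language MSI logs).
Write-Warning "msiexec exited with code $($proc.ExitCode); see $LogPath"
Get-Content -Path $LogPath | Select-String -Pattern 'Return value 3' -Context 5, 0
exit $proc.ExitCode
```

Deployment tools such as SCCM can key success or failure on the script's exit code.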

Configure a Traps Agent in a Non-Persistent VDI

In non-persistent VDI mode, each session is temporary. When a user accesses a non-persistent virtual desktop and logs out at the end of the day, none of the user’s settings or data, which includes desktop shortcuts, backgrounds, and new applications, are preserved. At the end of a session, the virtual desktop is wiped clean and reverts back to the original pristine state of the golden image. The next time the user logs in, they receive a fresh image.
In non-persistent VDI mode, the machine exhibits the following behavior:
  • Licensing—With non-persistent virtual desktops, the Traps agent receives a license from the pool of available endpoint licenses. The Traps management service automatically returns the license to the license pool when the user logs off, the agent is uninstalled, the session ends, or when the VDI is inactive (for additional information on revoking licenses, see About Licenses). Revoking the license frees it up for use by another Traps agent.
  • Connectivity—When the user logs on to the VDI machine, the Traps agent connects to the Traps management service to receive the license and to obtain the relevant updates. The Traps agent continues to communicate with the Traps management service throughout the life cycle of the VDI instance. The Traps agent only protects the machine when a user is logged in. When the user is logged out, the Traps agent disconnects from the Traps management service. During this time, Traps does not receive updated policies or verdicts and does not send heartbeat communications to the Traps management service.
  • Verdict updates—When you identify the golden image as a VDI, the Traps management service tracks all VDI machines that are spawned from the golden image. When a verdict for a file that was seen on the golden image changes in the Traps management service cache, the Traps management service sends the changed verdict to all machines that were spawned by the original VDI machine, regardless of whether these machines opened the relevant file or not.
  • Storage—In a non-persistent VDI, many VDI solutions allow you to choose either non-persistent or persistent storage. With non-persistent storage, the user settings and data are stored for the length of the session and are wiped clean when the session ends or a user logs out. With persistent storage, you can select folders or specific locations that persist after a session ends.
To ensure the Traps management service correctly identifies and treats the agent as a VDI agent, perform the following workflow on the golden image:
  1. Install any software that you plan to have on the VDI instances.
    1. On the golden image, Install Traps Using Msiexec and include the VDI_ENABLED=1 VDI flag.
      For example:
      msiexec /i c:\install\traps.msi /l*v C:\temp\trapsinstall.log /qn VDI_ENABLED=1
    2. Install additional required software.
  2. Scan your golden image for files and request verdicts.
    Use Cytool to scan your endpoint. We recommend this step to populate the golden image with verdicts for executable files, DLLs, and files containing macros. If you do not perform this step, the Traps agent has to evaluate each file when it attempts to run on an endpoint during each VDI session.
    1. Open a command prompt as an administrator and navigate to C:\Program Files\Palo Alto Networks\Traps.
    2. If you plan to output the scanning report to the Traps folder, you must run the cytool protect disable command to disable Traps service protection.
    3. Run the cytool imageprep scan [timeout <timeout in hours>] [upload <upload timeout in minutes>] [path <full path>] command where: the scan timeout is the number of hours you permit Cytool to run the scan (default is 4 hours), the upload timeout is the number of minutes that you permit Cytool to upload unknown files to assess the verdict (default is 95 minutes), and path is the path to the directory in which you want to output the scanning report.
      For example:
      C:\Program Files\Palo Alto Networks\Traps>cytool imageprep scan timeout 4 upload 60 path c:\report
      Start Time       : 17:56:46
      Elapsed Time     : 00:04:17
      State            : Running
      Scanned Files    : 5427
      Suspicious Files : 0
      Failed Files     : 9
      Volume Root Path : \\?\C:\
      Window Usage     : 0                       236                       20000
      Path             : ...t\cache2\entries\9B982CE198BF046E6CCF25478920DDFD9E5842E5
      
      Scan completed successfully
      
      Complete report can be found at: C:\report\imageprep_2018-03-06_08-59-30.xml
      If you need to install additional software after performing this step, you must re-scan the endpoint to allow the Traps agent to obtain verdicts for the new software.
    4. If you previously disabled service protection, enable it using the cytool protect enable command after the scan is complete.
    5. Review any portable executable (PE) files that WildFire® determined to be malicious.
      1. Open the scan report in Microsoft Excel or an editor of your choice.
      2. Perform one of the following actions for each malicious PE file:
        • Remove the malicious file from the golden image.
        • If you believe the WildFire verdict is incorrect, override the verdict for the PE file on the Hash Exceptions page of the Traps management service. Then perform a Check In from the Traps console on the golden image.
  3. If you later rename the golden image, you must run the cytool vdi update command to update the golden image name in the registry.
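The scan step of the golden-image workflow as a PowerShell script. This is an added example, not Palo Alto Networks code. It guarantees that service protection is re-enabled if it had to be disabled, and it stops when no new report was written; the cytool.exe file name and the default report directory are assumptions.

```powershell
# Added example, not Palo Alto Networks code. Run elevated on the golden image.
param(
    [string]$ReportDir = 'C:\report',      # assumption: report output directory
    [int]$ScanTimeoutHours = 4,            # page default: 4 hours
    [int]$UploadTimeoutMinutes = 95        # page default: 95 minutes
)
$ErrorActionPreference = 'Stop'

$trapsDir = 'C:\Program Files\Palo Alto Networks\Traps'   # path given on the page
$cytool   = Join-Path $trapsDir 'cytool.exe'              # assumption: executable name

# Service protection only has to be disabled when the report is written
# inside the Traps folder, so leave it enabled in every other case.
$fullReport   = [IO.Path]::GetFullPath($ReportDir).TrimEnd('\')
$needsDisable = ($fullReport + '\').StartsWith(
    $trapsDir + '\', [StringComparison]::OrdinalIgnoreCase)

$started = Get-Date
if ($needsDisable) { & $cytool protect disable }
try {
    & $cytool imageprep scan timeout $ScanTimeoutHours `
        upload $UploadTimeoutMinutes path $fullReport
}
finally {
    # Runs even if the scan fails or is interrupted, so the golden image is
    # never sealed with service protection switched off.
    if ($needsDisable) { & $cytool protect enable }
}

# The scan writes imageprep_<date>_<time>.xml into the report directory.
$report = Get-ChildItem -Path $fullReport -Filter 'imageprep_*.xml' |
    Where-Object { $_.LastWriteTime -ge $started } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $report) {
    throw "No new imageprep report in $fullReport; do not seal the image."
}
Write-Host "Review malicious PE verdicts in $($report.FullName) before sealing the image."
```

Re-run the script after installing any additional software on the golden image, since the new files need verdicts as well.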

Configure Traps for Temporary Sessions

To ensure the Traps management service correctly identifies and manages the agent as a temporary session, perform the following workflow to install Traps on the snapshot:
  1. Install Traps Using Msiexec and include the TS_ENABLED=1 flag.
    For example:
    msiexec /i c:\install\traps.msi /l*v C:\temp\trapsinstall.log /qn TS_ENABLED=1
