Use Traps Agent
Use the Traps console to view the agent status, initiate a connection to the server, view and send logs, view security events that occurred on the endpoint, and change the display language of the Traps console.
Traps™ agent 5.0 installs in the
C:\Program Files (x86)\Palo Alto Networks\Trapsfolder. If you enabled access to the console, the Traps console is also accessible from the notification area (system tray).
Use the following topics to use and mange the Traps agent for Windows:
- Open the Traps application.The console displays active and inactive features by displaying a or to the left of the feature type. Select theAdvancedtab to display additional tabs along the top of the console. The tabs allow you to navigate to pages that display additional details about security events, protected processes, and updates to the security policy. Usually, an end user will not need to run the Traps Console, but the information can be useful when investigating a security-related event. You can choose to hide the tray icon that launches the console, or prevent its launch altogether.Use one of the following methods:
- Browse toC:\Program Files\Palo Alto Networks\Trapsand run the CyveraConsole.exe application.
- If you enabled access to Traps from the notification area, double-click the Traps icon () to launch the agent interface.
- View status information about the Traps agent:
- Advanced Endpoint Protection—Displays the overall protection status of the endpoint as enabled if one or more protection features are enabled, or disabled if no protection features are enabled.
- Anti-Exploit Protection—Indicates whether or not exploit prevention rules are active in the endpoint security policy.
- Anti-Malware Protection—Indicates whether restriction or malware protection modules are enabled in the endpoint security policy.
- Version—Displays the Traps agent version.
- Connection—Displays the connection status and, if connected, includes the server to which the agent is connected.
- Last Check-in—Displays the local time on the endpoint of the last check-in with the server.
- Manually connect to the server.The Traps agent periodically communicates with the server to send status information and retrieve the latest security policy. The Traps agent performs this operation transparently at regular intervals so it is not typically necessary to connect to the server manually. If your Connection status is Not Connected, you can try to manually connect. This option is available if you do not want to wait for the automated communication interval to become active.To initiate a manual check-in with the server,Check In Nowfrom the home page of the Traps console. If the agent successfully establishes a connection with the server, the Connection status changes to Connected.
- View and send logs.
- View logs—Open Log Fileto view logs generated by the Traps agent. The logs display in your default text editor in chronological order with the most recent logs at the bottom.
- Send logs—Send Support Fileto collect Traps logs and send them to the Traps management service. The logs help you to analyze any recent security events and Traps issues that you encounter.
- View recent security events that occurred on your endpoint.
- ClickAdvanced, if necessary, to display additional actions that you can perform from the Traps console.
- ClickEvents.For each event, the Traps console displays the localTimethat an event occurred, the name of theProcessthat exhibited malicious behavior, theModulethat triggered the event, and the mode specified for that type of event (Termination or Notification).
- Change the display language for the Traps console.The Traps console is localized in the following languages: English, German, French, Spanish, Chinese (traditional and simplified), and Japanese.
- Advanced, if necessary, to display additional actions that you can perform from the Traps console.
- Select the display language for Traps (default is English).
- Configure proxy communication.You can use Traps with both user and system proxy configurations. To determine the proxy configuration of an endpoint, the Traps agents use the operating system APIs.While there are no specific proxy requirements for Traps, refer to the following recommendations when you set up your proxy: To enable proxy communication as soon as the endpoint boots and before the user logs on, configure system-wide proxy settings using WinHTTP. This method is preferred over user proxy configurations—using WinINET settings or proxy auto-config (PAC) files—because Traps can begin protecting the endpoint as soon as the endpoint boots and can continue protecting the endpoint after the user logs off.To define a system proxy in a Windows environment, use thenetshcommand from a command prompt:netsh winhttp set proxy proxy-server="<protocol>=<proxyserver>:<port>"where:
With Traps 5.0.1 and later releases, you can configure Windows to use an unsecure or secure proxy server or you can specify both. With Traps 5.0.0, you must specify both an unsecure and secure proxy server. You can define the same proxy server for unsecure and secure proxy communication or you can define different proxy servers.For example, to use different proxy servers for unsecure and secure proxy communication:netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8181"You can also specify the same server and same port for both unsecure and secure proxy communication.There are three options for this command: You can run the command manually (in a command-prompt as an administrator), you can specify the command in a log-in script, or you can use GPO commands.
- <protocol>is either http (unsecure) or https (secure) depending on which protocol you use for proxy communication.
- <proxyserver>is the IP address or FQDN for your proxy server.
- <port>is the port number used for communication with the proxy server.