Use Traps Agent for Windows

Use the Traps console to view the agent status, initiate a connection to the server, view and send logs, view security events that occurred on the endpoint, and change the display language of the Traps console.
Traps™ agent 5.0 installs in the
C:\Program Files (x86)\Palo Alto Networks\Traps
folder. If you enabled access to the console, the Traps console is also accessible from the notification area (system tray).
Use the following topics to use and mange the Traps agent for Windows:
  • Open the Traps application.
    The console displays active and inactive features by displaying a 3.1-active-icon.png or icon-inactive.png to the left of the feature type. Select the
    Advanced
    tab to display additional tabs along the top of the console. The tabs allow you to navigate to pages that display additional details about security events, protected processes, and updates to the security policy. Usually, an end user will not need to run the Traps Console, but the information can be useful when investigating a security-related event. You can choose to hide the tray icon that launches the console, or prevent its launch altogether.
    Use one of the following methods:
    • Browse to
      C:\Program Files\Palo Alto Networks\Traps
      and run the CyveraConsole.exe application.
    • If you enabled access to Traps from the notification area, double-click the Traps icon (
      icon-traps.png
      ) to launch the agent interface.
  • View status information about the Traps agent:
    traps-console-main.png
    • Advanced Endpoint Protection
      —Displays the overall protection status of the endpoint as enabled if one or more protection features are enabled, or disabled if no protection features are enabled.
      • Anti-Exploit Protection
        —Indicates whether or not exploit prevention rules are active in the endpoint security policy.
      • Anti-Malware Protection
        —Indicates whether restriction or malware protection modules are enabled in the endpoint security policy.
    • Version
      —Displays the Traps agent version.
    • Connection
      —Displays the connection status and, if connected, includes the server to which the agent is connected.
    • Last Check-in
      —Displays the local time on the endpoint of the last check-in with the server.
  • Manually connect to the server.
    The Traps agent periodically communicates with the server to send status information and retrieve the latest security policy. The Traps agent performs this operation transparently at regular intervals so it is not typically necessary to connect to the server manually. If your Connection status is Not Connected, you can try to manually connect. This option is available if you do not want to wait for the automated communication interval to become active.
    To initiate a manual check-in with the server,
    Check In Now
    from the home page of the Traps console. If the agent successfully establishes a connection with the server, the Connection status changes to Connected.
  • View and send logs.
    • View logs
      Open Log File
      to view logs generated by the Traps agent. The logs display in your default text editor in chronological order with the most recent logs at the bottom.
    • Send logs
      Send Support File
      to collect Traps logs and send them to the Traps management service. The logs help you to analyze any recent security events and Traps issues that you encounter.
  • View recent security events that occurred on your endpoint.
    traps-console-windows-events.png
    1. Click
      Advanced
      , if necessary, to display additional actions that you can perform from the Traps console.
    2. Click
      Events
      .
      For each event, the Traps console displays the local
      Time
      that an event occurred, the name of the
      Process
      that exhibited malicious behavior, the
      Module
      that triggered the event, and the mode specified for that type of event (Termination or Notification).
  • Change the display language for the Traps console.
    The Traps console is localized in the following languages: English, German, French, Spanish, Chinese (traditional and simplified), and Japanese.
    1. Click
      Advanced
      , if necessary, to display additional actions that you can perform from the Traps console.
    2. Click
      Settings
      .
    3. Select the display language for Traps (default is English).
      traps-console-windows-settings.png
  • Configure proxy communication.
    You can use Traps with both user and system proxy configurations. To determine the proxy configuration of an endpoint, the Traps agents use the operating system APIs.
    While there are no specific proxy requirements for Traps, refer to the following recommendations when you set up your proxy: To enable proxy communication as soon as the endpoint boots and before the user logs on, configure system-wide proxy settings using WinHTTP. This method is preferred over user proxy configurations—using WinINET settings or proxy auto-config (PAC) files—because Traps can begin protecting the endpoint as soon as the endpoint boots and can continue protecting the endpoint after the user logs off.
    To define a system proxy in a Windows environment, use the
    netsh
    command from a command prompt:
    netsh winhttp set proxy proxy-server="
    <protocol>
    =
    <proxyserver>
    :
    <port>
    "
    where:
    • <protocol>
      is either http (unsecure) or https (secure) depending on which protocol you use for proxy communication.
    • <proxyserver>
      is the IP address or FQDN for your proxy server.
    • <port>
      is the port number used for communication with the proxy server.
    With Traps 5.0.1 and later releases, you can configure Windows to use an unsecure or secure proxy server or you can specify both. With Traps 5.0.0, you must specify both an unsecure and secure proxy server. You can define the same proxy server for unsecure and secure proxy communication or you can define different proxy servers.
    For example, to use different proxy servers for unsecure and secure proxy communication:
    netsh winhttp set proxy proxy-server="http=myproxy:8080;https=sproxy:8181"
    You can also specify the same server and same port for both unsecure and secure proxy communication.
    There are three options for this command: You can run the command manually (in a command-prompt as an administrator), you can specify the command in a log-in script, or you can use GPO commands.

Related Documentation