Agent for Windows
Use the following workflows to install the Traps agent 6.0 on Windows endpoints. This topic covers installation using the MSI file, installation using Msiexec, and configuration on a non-persistent VDI.
You can install Traps for Windows in any of the following scenarios:
- Virtual desktop infrastructure (VDI) installation—Intended for non-persistent endpoints that replicate (also referred to as spawn) from a golden image which has Traps installed. This installation ensures that each agent installed on a new spawned session retains the policy defined on the golden image, thus reducing resource use and log creation. In addition, with VDI installation, the endpoint license returns to the license pool either when the user logs off or ends the VDI session, or after a shorter timeout period than a standard Traps installation, thus ensuring that licenses are consumed only by active VDI. Follow the standard installation procedures for persistent endpoints or follow the procedure to Configure the Traps Agent for Non-Persistent VDI.
- Temporary session—Intended for either physical or virtual endpoints (such as a Remote Desktop Server) that repeatedly revert to a snapshot (or image) on which Traps is not installed. After you install Traps, Traps management service issues a license to the physical or virtual endpoint but will revoke the license after a short period of inactivity. When the machine reverts to the original state, and Traps is reinstalled, the machine receives a license again. To install Traps on a snapshot from which temporary sessions will spawn, Configure Traps for Temporary Sessions.
Install Traps Agent 6.0 Using the MSI
Use the following workflow to install the Traps agent using the MSI file.
- Download the Traps installer for Windows from the Traps management service. Ensure that you download the Windows installer for the Windows architecture (x64 or x86) installed on the endpoint.
- Run the MSI file on the endpoint. The installer displays a welcome dialog.
- Install the agent. The installer displays a User Account Control dialog.
- Click Yes. The installer displays a reboot notification.
- After you complete the installation, restart the endpoint.
Install Traps Agent 6.0 Using Msiexec
Msiexec provides full control over the installation process and allows you to install, modify, and perform operations on a Windows Installer from the command line interface (CLI). You can also use Msiexec to log any issues encountered during installation.
You can also use Msiexec in conjunction with a System Center Configuration Manager (SCCM), Altiris, Group Policy Object (GPO), or other MSI deployment software to install Traps on multiple endpoints for the first time.
When you install Traps with Msiexec, you must install Traps per-machine and not per-user.
Although Msiexec supports additional options, Traps installers support only the options listed here. For example, with Msiexec, the option to install the software in a non-standard directory is not supported—you must use the default path.
- /i <installpath>\<installerfilename>.msi—Install a package. For example, msiexec /i c:\install\traps.msi.
- /qn—Displays no user interface (quiet installation).
- /L*v <logpath>\<logfilename>.txt—Log verbose output to a file. For example, /l*v c:\logs\install.txt.
- VDI_ENABLED=1—Use to install Traps on the golden image for a non-persistent VDI. This option identifies the session as a VDI in Traps management service and applies license and endpoint management policy specific for non-persistent VDI. To set up Traps on a golden image for non-persistent VDI, see Configure a Traps Agent in a Non-Persistent VDI.
- TS_ENABLED=1—Use to install Traps on the golden image for a temporary session. This option identifies the session as a temporary session in Traps management service and applies license and endpoint management policy specific for temporary sessions. To set up Traps on a golden image for temporary sessions, see Configure Traps for Temporary Sessions.
To install Traps using Msiexec:
- Use one of the following methods to open a command prompt as an administrator.
  - Select Start > All Programs > Accessories. Right-click Command prompt and select Run as administrator.
  - Select Start. In the Start Search box, type cmd. Then, to open the command prompt as an administrator, press CTRL+SHIFT+ENTER.
- Run the msiexec command followed by one or more supported options and properties. For example: msiexec /i c:\install\traps.msi /l*v C:\temp\trapsinstall.log /qn
- After you complete the installation, restart the endpoint.
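For deployment through SCCM, GPO or a similar tool, the Msiexec procedure above can be wrapped so that only the supported options are passed and the result is checked. The following is an added example, not part of the original documentation or vendor code: the function name, its parameters and the one-scenario-per-install choice are assumptions of this example, and the exit codes are the standard Windows Installer ones rather than values from this page.

```powershell
# Added example (hypothetical helper, not Palo Alto Networks code).
function Install-TrapsAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,   # e.g. c:\install\traps.msi
        [Parameter(Mandatory)] [string] $LogPath,   # e.g. C:\temp\trapsinstall.log
        [ValidateSet('Standard', 'VDI', 'TemporarySession')]
        [string] $Mode = 'Standard'                 # assumption: one scenario per install
    )

    # Traps must be installed per-machine, so require an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) session.'
    }
    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "Installer not found: $MsiPath"
    }

    # Pass only options the Traps installer supports: /i, /l*v, /qn and a scenario property.
    # No install-directory option: the default path is the only supported one.
    $msiArgs = @('/i', "`"$MsiPath`"", '/l*v', "`"$LogPath`"", '/qn')
    switch ($Mode) {
        'VDI'              { $msiArgs += 'VDI_ENABLED=1' }
        'TemporarySession' { $msiArgs += 'TS_ENABLED=1' }
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Standard Windows Installer exit codes: 0 = success,
    # 3010 = success with restart required, 1641 = success with restart initiated.
    if ($proc.ExitCode -notin 0, 3010, 1641) {
        throw "msiexec failed with exit code $($proc.ExitCode). See the verbose log: $LogPath"
    }

    [pscustomobject]@{
        Mode     = $Mode
        ExitCode = $proc.ExitCode
        Log      = $LogPath
        NextStep = 'Restart the endpoint to complete the installation.'
    }
}

# Golden image for a non-persistent VDI, using the paths from the examples on this page.
Install-TrapsAgent -MsiPath 'c:\install\traps.msi' -LogPath 'C:\temp\trapsinstall.log' -Mode VDI
```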
Configure a Traps Agent in a Non-Persistent VDI
In non-persistent VDI mode, each session is temporary. When a user accesses a non-persistent virtual desktop and logs out at the end of the day, none of the user’s settings or data, which includes desktop shortcuts, backgrounds, and new applications, are preserved. At the end of a session, the virtual desktop is wiped clean and reverts back to the original pristine state of the golden image. The next time the user logs in, they receive a fresh image.
In non-persistent VDI mode, the machine exhibits the following behavior:
- Licensing—With non-persistent virtual desktops, the Traps agent receives a license from the pool of available endpoint licenses. Traps management service automatically returns the license to the license pool when the user logs off, the agent is uninstalled, the session ends, or when the VDI is inactive (for additional information on revoking licenses, see About Licenses). Revoking the license frees it up for use by another Traps agent.
- Connectivity—When the user logs on to the VDI machine, the Traps agent connects to Traps management service to receive the license and to obtain the relevant updates. The Traps agent continues to communicate with Traps management service throughout the life cycle of the VDI instance. The Traps agent only protects the machine when a user is logged in. When the user is logged out, the Traps agent disconnects from Traps management service. During this time, Traps does not receive updated policies or verdicts and does not send heartbeat communications to the Traps management service.
- Verdict updates—When you identify the golden image as a VDI, Traps management service tracks all VDI machines that are spawned from the golden image. When a verdict for a file that was seen on the golden image changes in Traps management service cache, Traps management service sends the changed verdict to all machines that were spawned by the original VDI machine, regardless of whether these machines opened the relevant file or not.
- Storage—In a non-persistent VDI, many VDI solutions allow you to choose either non-persistent or persistent storage. With non-persistent storage, the user settings and data are stored for the length of the session and are wiped clean when the session ends or a user logs out. With persistent storage, you can select folders or specific locations that persist after a session ends.
To ensure Traps management service correctly identifies and treats the agent as a VDI agent, perform the following workflow on the golden image:
- Install any software that you plan to have on the VDI instances.
- On the golden image, Install Traps Using Msiexec and include the VDI_ENABLED=1 VDI flag. For example: msiexec /i c:\install\traps.msi /l*v C:\temp\trapsinstall.log /qn VDI_ENABLED=1
- Install additional required software.
- Scan your golden image for files and request verdicts. Use Cytool to scan your endpoint. We recommend this step to populate the golden image with verdicts for executable files, DLLs, and files containing macros. If you do not perform this step, the Traps agent has to evaluate each file when it attempts to run on an endpoint during each VDI session.
  - Open a command prompt as an administrator and navigate to C:\Program Files\Palo Alto Networks\Traps.
  - If you plan to output the scanning report to the Traps folder, you must run the cytool protect disable command to disable Traps service protection.
  - Run the cytool imageprep scan [timeout <timeout in hours>] [upload <upload timeout in minutes>] [path <full path>] command where: the scan timeout is the number of hours you permit Cytool to run the scan (default is 4 hours), the upload timeout is the number of minutes that you permit Cytool to upload unknown files to assess the verdict (default is 95 minutes), and path is the path to the directory in which you want to output the scanning report. For example:
      C:\Program Files\Palo Alto Networks\Traps>cytool imageprep scan timeout 4 upload 60 path c:\report
      Start Time : 17:56:46
      Elapsed Time : 00:04:17
      State : Running
      Scanned Files : 5427
      Suspicious Files : 0
      Failed Files : 9
      Volume Root Path : \\?\C:\
      Window Usage : 0 236 20000
      Path : ...t\cache2\entries\9B982CE198BF046E6CCF25478920DDFD9E5842E5
      Scan completed successfully
      Complete report can be found at: C:\report\imageprep_2018-03-06_08-59-30.xml
    If you need to install additional software after performing this step, you must re-scan the endpoint to allow the Traps agent to obtain verdicts for the new software.
  - If you previously disabled service protection, enable it using the cytool protect enable command after the scan is complete.
- Review any portable executable (PE) files that WildFire® determined to be malicious.
  - Open the scan report in Microsoft Excel or an editor of your choice.
  - Perform one of the following actions for each malicious PE file:
    - Remove the malicious file from the golden image.
    - If you believe the WildFire verdict is incorrect, override the verdict for the PE file on the Hash Exceptions page of Traps management service. Then perform a Check In from the Traps console on the golden image.
- If you later rename the golden image, you must run the cytool vdi update command to update the golden image name in the registry.
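When the golden image is built by a script, the scan step above has one failure mode worth guarding against: service protection that was disabled for the scan and never re-enabled before the image is sealed. The following added example (not part of the original documentation or vendor code) sequences the three cytool commands from this page and refuses to continue unless the scan reports completion. The function name, its parameters and the cytool.exe file name are assumptions of this example.

```powershell
# Added example (hypothetical helper, not Palo Alto Networks code).
function Invoke-TrapsImagePrep {
    [CmdletBinding()]
    param(
        [string] $TrapsDir      = 'C:\Program Files\Palo Alto Networks\Traps',
        [int]    $TimeoutHours  = 4,      # scan timeout in hours (default on this page: 4)
        [int]    $UploadMinutes = 95,     # upload timeout in minutes (default on this page: 95)
        [Parameter(Mandatory)] [string] $ReportDir,
        [switch] $DisableProtection       # needed only when the report goes to the Traps folder
    )

    # Assumption: the Cytool binary is cytool.exe in the Traps installation directory.
    $cytool = Join-Path $TrapsDir 'cytool.exe'
    if (-not (Test-Path -LiteralPath $cytool -PathType Leaf)) {
        throw "cytool not found: $cytool"
    }

    if ($DisableProtection) { & $cytool protect disable }
    try {
        # Tee-Object keeps the live status visible while capturing it for the checks below.
        & $cytool imageprep scan timeout $TimeoutHours upload $UploadMinutes path $ReportDir |
            Tee-Object -Variable scanOutput | Out-Host
    }
    finally {
        # Re-enable service protection even if the scan fails or is interrupted.
        if ($DisableProtection) { & $cytool protect enable }
    }

    # Both strings below are taken from the sample scan output on this page.
    $text = ($scanOutput | Out-String)
    if ($text -notmatch 'Scan completed successfully') {
        throw 'imageprep scan did not report successful completion; do not seal the image.'
    }
    $report = $null
    if ($text -match 'Complete report can be found at:\s*(\S.*?\.xml)') {
        $report = $Matches[1]
    }

    # The report still has to be reviewed for malicious PE files before the image is used.
    [pscustomobject]@{ Completed = $true; Report = $report }
}

Invoke-TrapsImagePrep -TimeoutHours 4 -UploadMinutes 60 -ReportDir 'c:\report'
```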
Configure Traps for Temporary Sessions
To ensure Traps management service correctly identifies and manages the agent as a temporary session, perform the following workflow to install Traps on the snapshot:
- Install Traps Using Msiexec and include the TS_ENABLED=1 flag. For example: msiexec /i c:\install\traps.msi /l*v C:\temp\trapsinstall.log /qn TS_ENABLED=1