Features Introduced in Traps Agent 6.0

The following topics describe the new features introduced in Traps agent 6.0 releases.
For additional information on how to use the new features in this release, refer to the Traps Agent 6.0 Administrator’s Guide.

Features Introduced in Traps Agent 6.0.3

No new features were introduced in Traps agent 6.0.3 release.

Features Introduced in Traps Agent 6.0.2

The following features were introduced in the Traps agent 6.0.2 release.
Enhanced Logs for Child Process Events
To aid in the investigation of events triggered by the Child Process Protection module, Traps now collects the following information in the security event log:
  • The matching rule name
  • Parent and child process name
  • Any command-line arguments supplied when calling the processes
Content Update Distribution Enhancement
To reduce bandwidth load when distributing the latest content update, the Traps agent now staggers the time at which it will retrieve the content update from Traps management service. When a new content update is available, Traps agents randomly choose a time within a six hour window to retrieve the content update. This prevents bandwidth saturation due to a high volume and size of content updates.
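To show what the six-hour stagger buys, here is an added simulation (not Traps code): every simulated agent picks a uniformly random retrieval offset inside the window, and the peak number of fetches starting in any one minute is compared with all agents fetching the moment the update is published. The agent count, the seed and the one-minute bucket are assumptions made for the illustration.

```python
import random
from collections import Counter
from typing import List, Tuple

# Six-hour retrieval window described in the release note, in seconds.
WINDOW_SECONDS = 6 * 60 * 60


def choose_retrieval_offset(rng: random.Random, window: int = WINDOW_SECONDS) -> int:
    """Delay (seconds after publication) at which one agent fetches the content update."""
    return rng.randrange(window)


def peak_concurrent_fetches(offsets: List[int], bucket_seconds: int = 60) -> int:
    """Largest number of fetches that start inside the same bucket.

    Used here as a rough proxy for peak bandwidth demand on the management service.
    """
    buckets = Counter(offset // bucket_seconds for offset in offsets)
    return max(buckets.values()) if buckets else 0


def compare(agent_count: int, seed: int = 1) -> Tuple[int, int]:
    """Return (peak without stagger, peak with stagger) for a constructed fleet of agents."""
    rng = random.Random(seed)  # fixed seed so the comparison is reproducible
    immediate = [0] * agent_count  # every agent fetches at publication time
    staggered = [choose_retrieval_offset(rng) for _ in range(agent_count)]
    return peak_concurrent_fetches(immediate), peak_concurrent_fetches(staggered)


def offsets_within_window(agent_count: int, seed: int = 1) -> bool:
    """Sanity check: every chosen offset falls inside the six-hour window."""
    rng = random.Random(seed)
    return all(0 <= choose_retrieval_offset(rng) < WINDOW_SECONDS for _ in range(agent_count))


if __name__ == "__main__":
    before, after = compare(10000)
    print(f"peak fetches per minute: without stagger={before}, with stagger={after}")
```

With 10,000 simulated agents the unstaggered peak is the whole fleet in one minute, while the staggered peak is on the order of the fleet size divided by the 360 minutes in the window.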
macOS 10.14.5 Support
You can now install Traps on macOS 10.14.5. For complete compatibility information, see Palo Alto Networks Compatibility Matrix.

Features Introduced in Traps Agent 6.0.1

The following features were introduced in the Traps agent 6.0.1 release.
Windows Server 2019 Support
You can now install Traps on Windows Server 2019. For complete compatibility information, see Palo Alto Networks Compatibility Matrix.

Features Introduced in Traps Agent 6.0.0

The following features were introduced in the Traps agent 6.0.0 release.
EDR Data Collection (Windows 7 with SP1 and later releases)
Traps can now collect detailed information about all active process, network, file, and registry activity on an endpoint and share that data with other Cortex apps. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack, the endpoints that were involved, and the damage caused.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage in your Cortex Data Lake instance.
Traps for Linux Containers
Traps now extends Linux exploit and malware protection to processes that run in Linux containers. Now, when you install Traps on a Linux server, Traps automatically protects any new and existing containerized processes regardless of the container solution (for example, docker). Because Traps management service issues the license per Linux server, each container does not consume any additional licenses.
Due to compatibility issues, Traps ROP Mitigation and Brute Force Protection for containerized processes are disabled when glibc isn’t installed on the container image. All other exploit and malware protection functionality works as expected.
Malware Protection for Linux
Traps for Linux can now prevent known and unknown malware on Linux servers by leveraging WildFire threat intelligence and local analysis to analyze ELF files. When an ELF file executes on the host server or within a container on the Traps-protected host, Traps automatically suspends the execution until a WildFire or local analysis verdict is obtained. When the verdict is malware, Traps prevents the process execution and reports the event to the Traps management service. If the ELF file is unknown to WildFire, Traps can also upload it to WildFire for further analysis.
For compatibility reasons, malware analysis of ELF files on Linux servers requires kernel 3.4 and later versions released before February 4, 2019. Linux servers running other kernel versions will operate in asynchronous mode where the agent will obtain a verdict for the executed ELF file in parallel to its execution and terminate it if a malware verdict is obtained.
Response Actions (Windows only)
After assessing a security event on a Windows endpoint, you can now initiate new response actions to remediate the endpoint. The actions that are available depend on the type of security event.
  • Isolate Endpoint—Halt all network access except for communication with Traps management service.
  • Quarantine (and restore)—Limited to malware and grayware events for PEs and DLLs (you cannot quarantine Microsoft Office files containing macros).
  • Terminate Process—Stop the process on the endpoint. This action is not available for events that were the result of a scan (where the process wasn’t actually running) and for events where the process was already blocked per the policy.
If you also use Cortex XDR – Investigation and Response for complete visibility across Cortex XDR – Analytics (formerly Magnifier) and Traps, you can initiate the response actions from the app. Traps management service coordinates with the Traps agent on the endpoint to enforce the response actions and tracks the action status.
Behavioral Threat Protection (Windows 7 with SP1 and later only)
To expand Traps malware protection capabilities on Windows endpoints, Traps introduces the new Behavioral Threat Protection module. With behavioral threat protection, Traps continuously monitors endpoint activity to identify and analyze chains of events—known as causality chains—rather than a single event. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) which initiated the activity when Traps detects a match.
When Traps detects matching activity, Traps performs the configured action and reports details about the activities that led to the security event. You can review the entire causality chain up to the causality group owner on the Analysis tab of a security event. If, after analyzing the flow of events, you believe the behavior is legitimate, you can define a policy exception from the security event to disable the behavior rule on the endpoint.
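To make the causality chain and causality group owner (CGO) concrete, here is an added example (not Traps code) that also covers the parent/child/command-line fields the 6.0.2 child-process logging note lists: from a constructed set of process-start events it walks parent links from the process that triggered an event back to the root, which it treats as the CGO, and formats the three logged fields for one parent/child pair. The event layout, the process names and the rule name are assumptions; the sample events are constructed and benign.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: Optional[int]   # None when the parent is unknown or outside the collected data
    name: str
    cmdline: str          # command-line arguments supplied when the process was started


def index_by_pid(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    return {event.pid: event for event in events}


def causality_chain(events: List[ProcessEvent], pid: int) -> List[ProcessEvent]:
    """Chain of processes from the causality group owner down to the triggering process.

    Follows ppid links upward; a 'seen' set guards against malformed data with pid cycles.
    """
    by_pid = index_by_pid(events)
    chain: List[ProcessEvent] = []
    seen = set()
    current = by_pid.get(pid)
    while current is not None and current.pid not in seen:
        seen.add(current.pid)
        chain.append(current)
        current = by_pid.get(current.ppid) if current.ppid is not None else None
    chain.reverse()  # root (owner) first, triggering process last
    return chain


def causality_group_owner(events: List[ProcessEvent], pid: int) -> Optional[ProcessEvent]:
    """The process that initiated the activity: the root of the causality chain."""
    chain = causality_chain(events, pid)
    return chain[0] if chain else None


def child_process_log_line(rule_name: str, parent: ProcessEvent, child: ProcessEvent) -> str:
    """Format the fields the 6.0.2 note says the security event log now carries (layout assumed)."""
    return (f"rule={rule_name!r} parent={parent.name!r} parent_cmdline={parent.cmdline!r} "
            f"child={child.name!r} child_cmdline={child.cmdline!r}")


# Constructed sample: a shell started by a document application launched from the desktop shell.
SAMPLE_EVENTS = [
    ProcessEvent(100, None, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "winword.exe", "winword.exe /n report.docx"),
    ProcessEvent(300, 200, "cmd.exe", "cmd.exe /c dir"),
    ProcessEvent(400, 100, "notepad.exe", "notepad.exe"),  # unrelated sibling, not in the chain
]
```

Inspected alone, the `cmd.exe /c dir` start is unremarkable; the chain shows it descends from the document application, which is the context a behavioral rule reasons over.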
New Linux OS Support
You can now install Traps on the following Linux operating systems:
  • Amazon Linux AMI 2017.03, 2017.09, and 2018.03
  • Ubuntu Server 18
For complete compatibility information, see the Palo Alto Networks Compatibility Matrix.
Control Flow Guard Compatibility (Windows only)
When you install Traps on Windows 10 and Windows 8.1 endpoints with Microsoft Control Flow Guard (CFG), Traps can now support all exploit protection capabilities in parallel. To support Traps and CFG, Traps can now inject its DLLs into CFG-protected processes.
Virtual IP Address Support (Windows only)
When you install Traps on Windows Servers with a virtual IP address, and a user connects to the server over RDP, the Traps agent can now connect to Traps management service.
Uninstall Protection for Mac Endpoints
The Traps agent now provides additional tampering protection against attempts to uninstall the Traps agent on Mac endpoints. The uninstall password you configure when you first set up an installation package or configure a security profile now applies to Mac installations. You can later change the uninstall password in an Agent Settings profile. Users must supply the uninstall password when uninstalling the Traps agent. In addition, Traps now requires the uninstall password when using Cytool to stop, restart, or manage services for the Traps agent. For an additional layer of protection, the uninstall script provides strong encryption of the uninstall password to prevent attempts to obtain the password.