Migrate from Traps Endpoint Security Manager to Traps Management Service
You can easily migrate the Traps agent from management by the Endpoint Security Manager (ESM) to Traps management service.
Before you migrate to Traps management service:
- Review Differences Between Endpoint Security Manager and Traps Management Service to determine whether upgrading to Traps management service is right for you.
- Upgrade the Traps agent to a release that supports migration:
  - To upgrade to Traps 5.0.3 or a later release, you must first upgrade to ESM and Traps agent 4.2.1.
  - To upgrade to Traps 5.0.2, 5.0.1, or 5.0.0 on Windows or Mac endpoints, you must first upgrade to ESM 4.1.3 and Traps agent 4.1.0 or later versions. On Linux endpoints, you must first upgrade to ESM and Traps agent 4.2.0 or a later version.
- Sanitize your security policy. Because the policy structure for Traps management service is different than ESM, you cannot migrate rules from an existing deployment. Before migrating to Traps management service, we recommend that you review existing user rules for each policy type and remove any that are no longer required. For example, remove any rules that are resolved in content updates or that apply to earlier versions of the Traps agent.
- Review restore candidates. Before migrating to Traps management service, review any files that were quarantined and determine whether the file needs to be restored or you need to take any additional action to remediate the endpoint. After you upgrade the agent version to a Traps version supported by Traps management service, the agent will not communicate with the ESM and, therefore, will not respond to requests from the ESM to restore files.
- Review security events. Review and address any events that require remediation before migrating to Traps management service. Note that security events that were not sent to the ESM before installing the new agents are not sent to Traps management service.
- Locate your ESM Auth code. You can locate the Auth code in the Customer Support Portal (Assets > Advanced Endpoint Protection).
- As an existing ESM customer, you can use your ESM Auth code to activate Traps management service without purchasing additional licenses. Using the same Auth code enables you to apply the same license pool and expiration specifications to your Traps management service instance. Log in to the Hub to activate Traps management service. During activation you can also associate Traps management service with a Cortex Data Lake instance and Directory Sync Service instance.
- Import hash overrides as hash exceptions in the Traps management service.
  - From the ESM Console, select Settings.
  - Generate a Tech Support File and download it when it finishes.
  - Extract the TechSupport ZIP file, which contains two zipped files (one for Core and one for Console).
  - Extract the Console ZIP file.
  - Open the DBQueries folder and locate the Verdict_Override_Exports.csv file. This file contains all the hash overrides defined in the ESM Console.
  - Log in to Traps management service and select Security > Exceptions > Hash Exceptions.
  - Select Actions > Import CSV.
  - Select and then Upload the Verdict_Override_Exports.csv file. If necessary, resolve any conflicts encountered during the upload and retry.
  - Select Import to confirm and then click OK when Traps management service finishes importing the hash exceptions.
- Migrate trusted signers and whitelisted paths.
  - From Traps management service, Add a New Malware Security Profile for any platforms to which you want to add whitelisted signers or paths. Use the default profile settings, or modify an existing profile that you already created.
  - To allow trusted signers previously seen in your environment, add the signer name (Windows) or SHA256 of the certificate that signs the file (macOS) to the Whitelist Signers list of the relevant Malware Security Profile.
  - Evaluate the WildFire rule(s) for each platform on the ESM Console, identify any whitelisted paths that are still relevant, and add them to the Whitelist Folders area of the appropriate Malware Security Profile on Traps management service. There may be more than one WildFire rule with whitelists. While the ESM merges WildFire rules, this capability is not available in Traps management service. Ensure that you migrate paths to the relevant Malware Security Profile for each platform:
    - Copy paths in macOS WildFire rules to the Mach-O Files whitelist in a macOS profile.
    - Copy paths in Windows WildFire rules for Executables or DLL files to the Portable Executables and DLLs whitelist in a Windows profile.
    - Copy paths in Windows WildFire rules for Office files to the Office Files whitelist in a Windows profile.
  - Configure a Policy Rule for each group of target objects to which the profile (and any associated hash exceptions) applies. You can return to Security > Profiles > Malware Profile to specify the target objects after you upgrade the Traps agent.
- Migrate rules which disable protection on processes. For each remaining rule which disables protection on a specific process or disables a specific protection module on the process, record the target endpoints to which the exception applies, and then Create a Process Exception on the Traps management service. You can return to Process Exceptions to apply the exception to the specific endpoints after you upgrade the Traps agent.
- Upgrade the Traps agent to Traps 5.0 or a later release. To upgrade to Traps agent 5.0.3 or a later release, you must first upgrade Traps to 4.2.1 for all operating systems. To upgrade to Traps 5.0.0, 5.0.1, or 5.0.2, use the following guidelines for your Traps version:
  - Traps 4.1 (Windows and Mac) or Traps 4.2 (Linux) and later releases
    - From Traps management service, Create an Installation Package with an installation type as Upgrade from ESM.
    - Download the package to a location reachable to the ESM.
    - From the ESM Console, disable services protection and then create an agent action rule to upgrade the Traps agent using the package created from Traps management service. Because this procedure is valid only for a specific version of Traps agents, we recommend using a condition for the action rule to upgrade the agents which specifies the Traps agent version.
    - Save and Apply the rule.
  - Earlier Traps versions. There are three options for upgrading earlier Traps versions:
    - Upgrade the earlier version to a version which supports migration using action rules, and then use the previous workflow to upgrade the Traps agent.
    - Upgrade the Traps agent using a third-party software deployment tool such as JAMF or SCCM. With this method you must uninstall the agent and install a fresh installation package of Traps 5.0 instead of an upgrade package.
    - Manually uninstall the earlier Traps agent and install a fresh installation package of Traps 5.0.
After the upgrade, the Traps agent begins communicating with Traps management service. Endpoints that successfully check in with Traps management service are displayed on the Endpoints page and are eligible for assignment in Endpoint Groups and policy rules.
- Return to Policy Rules and Exceptions to restrict by specific endpoints.
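Before uploading Verdict_Override_Exports.csv in the hash-override import step above, the export can be checked offline for rows that are likely to need manual resolution: malformed hashes, repeated rows, and hashes listed with more than one verdict. This is an added example, not Palo Alto Networks code; the column names `Hash` and `Verdict` and the sample rows are assumptions, because the page does not show the file's layout.

```python
import csv
import io
import re
from collections import defaultdict

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample. The real column names in Verdict_Override_Exports.csv are
# not given on this page; "Hash" and "Verdict" are assumptions.
SAMPLE = """Hash,Verdict
{a},Benign
{b},Malware
{a},Malware
not-a-hash,Benign
{c},Benign
{c},Benign
""".format(a="a" * 64, b="b" * 64, c="C" * 64)


def audit_overrides(stream, hash_col="Hash", verdict_col="Verdict"):
    """Report malformed hashes, repeated rows and hashes with >1 verdict."""
    seen = defaultdict(list)  # lowercased hash -> [(file line, verdict), ...]
    malformed = []
    reader = csv.DictReader(stream)
    for row in reader:
        digest = (row.get(hash_col) or "").strip()
        verdict = (row.get(verdict_col) or "").strip().lower()
        if SHA256_RE.match(digest):
            seen[digest.lower()].append((reader.line_num, verdict))
        else:
            malformed.append((reader.line_num, digest))
    conflicting, duplicated = {}, {}
    for digest, rows in seen.items():
        if len({verdict for _, verdict in rows}) > 1:
            conflicting[digest] = rows  # same hash, different verdicts
        elif len(rows) > 1:
            duplicated[digest] = [line for line, _ in rows]
    return {"malformed": malformed, "conflicting": conflicting,
            "duplicated": duplicated}


def audit_sample():
    """Run the audit over the constructed sample above."""
    return audit_overrides(io.StringIO(SAMPLE))


if __name__ == "__main__":
    for kind, items in audit_sample().items():
        print(kind, items)
```

For a real export, open the file with `open(path, newline="")` and pass the actual header names as `hash_col` and `verdict_col`.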