Migrate from Traps Endpoint Security Manager to Traps Management Service

You can easily migrate the Traps agent from management by the Endpoint Security Manager (ESM) to Traps management service.
Before you migrate to Traps management service:
  • Review Differences Between Endpoint Security Manager and Traps Management Service to determine whether upgrading to Traps management service is right for you.
  • Upgrade the Traps agent to a release that supports migration:
    • To upgrade to Traps 5.0.3 or a later release, you must first upgrade to ESM and Traps agent 4.2.1.
    • To upgrade to Traps 5.0.2, 5.0.1, or 5.0.0 on Windows or Mac endpoints, you must first upgrade to ESM 4.1.3 and Traps agent 4.1.0 or later versions. On Linux endpoints, you must first upgrade to ESM and Traps agent 4.2.0 or a later version.
  • Sanitize your security policy. Because the policy structure for Traps management service is different than ESM, you cannot migrate rules from an existing deployment. Before migrating to Traps management service, we recommend that you review existing user rules for each policy type and remove any that are no longer required. For example, remove any rules that are resolved in content updates or that apply to earlier versions of the Traps agent.
  • Review restore candidates. Before migrating to Traps management service, review any files that were quarantined and determine whether the file needs to be restored or you need to take any additional action to remediate the endpoint. After you upgrade the agent version to a Traps version supported by Traps management service, the agent will not communicate with the ESM and, therefore, will not respond to requests from the ESM to restore files.
  • Review security events. Review and address any events that require remediation before migrating to Traps management service. Note that security events that were not sent to the ESM before installing the new agents are not sent to Traps management service.
  • Locate your ESM Auth code. You can locate the Auth code in the Customer Support Portal (Assets > Advanced Endpoint Protection).
  1. As an existing ESM customer, you can use your ESM Auth code to activate Traps management service without purchasing additional licenses. Using the same Auth code enables you to apply the same license pool and expiration specifications to your Traps management service instance.
    Log in to the Hub to activate Traps management service. During activation, you can also associate Traps management service with a Cortex Data Lake instance and a Directory Sync Service instance.
  2. Import hash overrides as hash exceptions in the Traps management service.
    1. From the ESM Console, select Settings.
    2. Generate a Tech Support File and download it when it finishes.
    3. Extract the TechSupport ZIP file, which contains two zipped files (one for Core and one for Console).
    4. Extract the Console ZIP file.
    5. Open the DBQueries folder and locate the Verdict_Override_Exports.csv file.
      This file contains all the hash overrides defined in the ESM Console.
    6. Log in to Traps management service and select Security > Exceptions > Hash Exceptions.
    7. Select Actions > Import CSV.
    8. Select and then Upload the Verdict_Override_Exports.csv file.
      If necessary, resolve any conflicts encountered during the upload and retry.
    9. Select Import to confirm and then click OK when Traps management service finishes importing the hash exceptions.
  3. Migrate trusted signers and whitelisted paths.
    1. From Traps management service, Add a New Malware Security Profile for any platforms to which you want to add whitelisted signers or paths. Use the default profile settings, or modify an existing profile that you already created.
    2. To allow trusted signers previously seen in your environment, add the signer name (Windows) or SHA256 of the certificate that signs the file (macOS) to the Whitelist Signers list of the relevant Malware Security Profile.
    3. Evaluate the WildFire rule(s) for each platform on the ESM Console, identify any whitelisted paths that are still relevant, and add them to the Whitelist Folders area of the appropriate Malware Security Profile on Traps management service.
      There may be more than one WildFire rule with whitelists. While the ESM merges WildFire rules, this capability is not available in Traps management service.
      Ensure that you migrate paths to the relevant Malware Security Profile for each platform:
      • Copy paths in macOS WildFire rules to the Mach-O Files whitelist in a macOS profile.
      • Copy paths in Windows WildFire rules for Executables or DLL files to the Portable Executables and DLLs whitelist in a Windows profile.
      • Copy paths in Windows WildFire rules for Office files to the Office Files whitelist in a Windows profile.
    4. Configure a Policy Rule for each group of target objects to which the profile (and any associated hash exceptions) applies.
      You can return to Security > Profiles > Malware Profile to specify the target objects after you upgrade the Traps agent.
  4. Migrate rules which disable protection on processes.
    For each remaining rule that disables protection on a specific process or disables a specific protection module on the process, record the target endpoints to which the exception applies, and then Create a Process Exception on the Traps management service. You can return to Process Exceptions to apply the exception to the specific endpoints after you upgrade the Traps agent.
  5. Upgrade the Traps agent to Traps 5.0 or a later release.
    To upgrade to Traps agent 5.0.3 or a later release, you must first upgrade Traps to 4.2.1 for all operating systems. To upgrade to Traps 5.0.0, 5.0.1, or 5.0.2, use the following guidelines for your Traps version:
    • Traps 4.1 (Windows and Mac) or Traps 4.2 (Linux) and later releases
      1. From Traps management service, Create an Installation Package with the installation type Upgrade from ESM.
      2. Download the package to a location reachable from the ESM.
      3. From the ESM Console, disable services protection and then create an agent action rule to upgrade the Traps agent using the package created from Traps management service.
        Because this procedure is valid only for a specific version of Traps agents, we recommend using a condition for the action rule that specifies the Traps agent version to upgrade.
      4. Save and Apply the rule.
    • Earlier Traps versions
      There are three options for upgrading earlier Traps versions:
      • Upgrade the earlier version to a version which supports migration using action rules, and then use the previous workflow to upgrade the Traps agent.
      • Upgrade the Traps agent using a third-party software deployment tool such as JAMF or SCCM. With this method you must uninstall the agent and install a fresh installation package of Traps 5.0 instead of an upgrade package.
      • Manually uninstall the earlier Traps agent and install a fresh installation package of Traps 5.0.
    After the upgraded Traps agent begins communicating with Traps management service, endpoints that successfully check in with Traps management service are displayed on the Endpoints page and are eligible for assignment in Endpoint Groups and policy rules.
  6. Return to Policy Rules and Exceptions to restrict by specific endpoints.
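
The version prerequisites in step 5 can be checked against an endpoint inventory before any action rule is created. The following is an added example, not Palo Alto Networks code: the CSV layout, the host names, and the action labels are hypothetical, and each stated minimum is read as "that release or later".

```python
import csv
import io

# Minimum agent release that supports migration, per target and platform,
# as stated on the page. Reading each as "or later" is an assumption.
MIN_AGENT = {
    "5.0.3+": {"windows": "4.2.1", "mac": "4.2.1", "linux": "4.2.1"},
    "5.0.0-5.0.2": {"windows": "4.1.0", "mac": "4.1.0", "linux": "4.2.0"},
}

def parse_version(text):
    """'4.2' -> (4, 2, 0), so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def plan(platform, agent, target):
    """Return (action, required_minimum) for one endpoint."""
    goal = parse_version(target)
    if goal < (5, 0, 0):
        raise ValueError("target must be Traps 5.0 or later")
    if parse_version(agent) >= (5, 0, 0):
        return ("already-on-5.x", None)
    band = "5.0.3+" if goal >= (5, 0, 3) else "5.0.0-5.0.2"
    minimum = MIN_AGENT[band][platform.strip().lower()]
    if parse_version(agent) >= parse_version(minimum):
        return ("upgrade-from-esm-package", minimum)
    # Earlier versions: step up via action rules first, or uninstall and
    # install a fresh Traps 5.0 package.
    return ("intermediate-upgrade-or-fresh-install", minimum)

def plan_inventory(csv_text, target):
    """Group hostnames by action for a hostname,platform,agent CSV."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        action, _ = plan(row["platform"], row["agent"], target)
        groups.setdefault(action, []).append(row["hostname"])
    return groups

# Constructed sample inventory (hypothetical hosts, not from the page).
SAMPLE = """hostname,platform,agent
ws-01,Windows,4.1.0
ws-02,Windows,3.4.2
mac-01,Mac,4.2.1
lnx-01,Linux,4.1.5
"""

if __name__ == "__main__":
    for tgt in ("5.0.2", "5.0.3"):
        print(tgt, plan_inventory(SAMPLE, tgt))
```

Endpoints in the intermediate group would receive the wrong package if an unconditioned action rule were applied, which is why the page recommends conditioning the rule on agent version.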
