Protection Modules

Each security profile applies multiple security modules to protect your endpoints from a wide range of attack techniques. While the settings for each module are not configurable, Traps activates a specific protection module depending on the type of attack, the configuration of your security policy, and the operating system of the endpoint. When a security event occurs, Traps logs details about the event including the security module employed by Traps to detect and prevent the attack based on the technique. To help you understand the nature of the attack, Traps management service identifies the protection module Traps employed in the Security Event Details.
The following table lists the modules and the platforms on which they are supported. A check mark (✓) indicates the module is supported on that platform; a dash (—) indicates the module is not supported.

| Module | Description | Windows | Mac | Linux | Android |
|---|---|---|---|---|---|
| Anti-Ransomware | Targets encryption-based activity associated with ransomware and can analyze and halt ransomware activity before any data loss occurs. | ✓ | — | — | — |
| APC Protection | Prevents attacks that change the execution order of a process by redirecting an asynchronous procedure call (APC) to malicious shellcode. | ✓ | — | — | — |
| Behavioral Threat | Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains. | ✓ | ✓ | ✓ | — |
| Brute Force Protection | Prevents attackers from hijacking the process control flow by monitoring memory-layout enumeration attempts. | ✓ | — | — | — |
| Child Process Protection | Prevents script-based attacks that are used to deliver malware, such as ransomware, by blocking known targeted processes from launching child processes that are commonly used to bypass traditional security approaches. | ✓ | — | — | — |
| CPL Protection | Protects against vulnerabilities in the display routine for Windows Control Panel Library (CPL) shortcut images, which can be used as a malware infection vector. | ✓ | — | — | — |
| Data Execution Prevention (DEP) | Prevents areas of memory defined to contain only data from running executable code. | ✓ | — | — | — |
| DLL Hijacking | Prevents DLL-hijacking attacks, in which the attacker attempts to load dynamic-link libraries on Windows operating systems from insecure locations to gain control of a process. | ✓ | — | — | — |
| DLL Security | Prevents access to crucial DLL metadata from untrusted code locations. | ✓ | — | — | — |
| Dylib Hijacking | Prevents Dylib-hijacking attacks, in which the attacker attempts to load dynamic libraries on Mac operating systems from insecure locations to gain control of a process. | — | ✓ | — | — |
| Exploit Kit Fingerprint | Protects against the fingerprinting technique used by browser exploit kits to identify information—such as the OS or applications which run on an endpoint—that attackers can leverage when launching an attack to evade protection capabilities. | ✓ | — | — | — |
| Font Protection | Prevents improper font handling, a common target of exploits. | ✓ | — | — | — |
| Gatekeeper Enhancement | Enhances the macOS Gatekeeper functionality that allows apps to run based on their digital signature. This module provides an additional layer of protection by extending Gatekeeper functionality to child processes so you can enforce the signature level of your choice. | — | ✓ | — | — |
| Hash Exception | Halts execution of files that an administrator identified as malware, regardless of the WildFire verdict. | ✓ | ✓ | — | — |
| Hot Patch Protection | Prevents the use of system functions to bypass DEP and address space layout randomization (ASLR). | ✓ | — | — | — |
| JIT | Prevents an attacker from bypassing the operating system's memory mitigations using just-in-time (JIT) compilation engines. | ✓ | ✓ | — | — |
| Local Analysis | Examines hundreds of characteristics of an unknown executable file, DLL, or macro to determine whether it is likely to be malware. The local analysis module uses a statistical model that was developed using machine learning on WildFire threat intelligence. | ✓ | ✓ | — | — |
| Local Privilege Escalation Protection | Prevents attackers from performing malicious activities that require privileges higher than those assigned to the attacked or malicious process. | ✓ | ✓ | ✓ | — |
| Null Dereference | Prevents malicious code from mapping to address zero in the memory space, making null dereference vulnerabilities unexploitable. | ✓ | — | — | — |
| Restricted Execution - Local Path | Prevents unauthorized execution from a local path. | ✓ | — | — | — |
| Restricted Execution - Network Location | Prevents unauthorized execution from a network path. | ✓ | — | — | — |
| Restricted Execution - Removable Media | Prevents unauthorized execution from removable media. | ✓ | — | — | — |
| Reverse Shell Protection | Blocks malicious activity in which an attacker redirects the standard input and output streams of a process to network sockets. | — | — | ✓ | — |
| ROP | Protects against the use of return-oriented programming (ROP) by protecting APIs used in ROP chains. | ✓ | ✓ | ✓ | — |
| SEH | Prevents hijacking of the structured exception handler (SEH), a commonly exploited control structure in which multiple SEH blocks form a linked-list chain of exception-handler function records. | ✓ | — | — | — |
| Shellcode Protection | Reserves and protects certain areas of memory commonly used to house payloads placed by heap-spray techniques. | ✓ | — | — | — |
| ShellLink | Prevents exploitation of shell-link (.lnk) logical vulnerabilities. | ✓ | — | — | — |
| SysExit | Prevents the use of system calls to bypass other protection capabilities. | ✓ | — | — | — |
| UASLR | Improves, or altogether implements, ASLR (address space layout randomization) with greater entropy, robustness, and strict enforcement. | ✓ | — | — | — |
| WildFire | Leverages WildFire threat intelligence to determine whether a file is malware. For unknown files, Traps management service can forward samples to WildFire for in-depth analysis. | ✓ | ✓ | ✓ | ✓ |
| WildFire Post-Detection (Malware and Grayware) | Identifies a file that was previously allowed to run on an endpoint and is now determined to be malware. Post-detection events provide notifications for each endpoint on which the file executed. | ✓ | ✓ | ✓ | ✓ |