Add a New Agent Settings Profile
Agent Settings Profiles enable you to customize Traps settings for different platforms and groups of users.
- Add a new profile.
- From Traps management service, select Security > Profiles.
- Select the operating system type to which the profile applies.
Settings. Traps management service displays the settings that you can configure for the platform you selected.
- Define the basic settings.
- Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy rule.
- To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
- (Windows, Mac, and Linux only) Configure the Disk Space to allot for Traps logs. Specify a value in MB from 100 to 10,000 (default is 5,000).
- (Windows and Mac only) Configure User Interface options for the Traps console. By default, Traps management service uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
- Hide tray icon—Enable this option to hide the Traps icon from the notification area (system tray).
- Disable access to the Traps console—Enable this option to prevent users from opening the Traps console.
- Hide Traps user notifications—Enable this option to operate Traps in silent mode where the Traps agent does not display any notifications in the notification area.
- (Android only) Configure network usage preferences. When the option to Upload Using Cellular Data is enabled, Traps uses cellular data to send unknown apps to the Traps management service for inspection. Standard data charges may apply. When this option is disabled, Traps queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.
- (Windows only) Configure Agent Security options that prevent unauthorized access or tampering with Traps components. Similar to the User Interface options, use the default agent settings or customize them for the profile. To customize agent security capabilities:
- Enable or disable Traps Tampering Protection.
- Configure granular protection options for Traps services, processes, files, and registry values, as needed. With Traps 5.0.6 and later releases, when protection is enabled, access will be read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.
- (Windows and Mac only) Set a password the user must enter to uninstall the Traps agent. The uninstall password is encrypted using an encryption algorithm (PBKDF2) when transferred between Traps management service and Traps agents. The default uninstall password is Password1. To set a new password, the password must satisfy the following requirements:
- Contain eight or more characters.
- Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'.
To change the password:
- Edit the Uninstall Password.
- Enter and confirm the new uninstall password.
- (Windows only) Configure Windows Security Center Configuration. The Windows Security Center is a reporting tool which monitors the system health and security state of Windows endpoints on Windows 7 and later releases. By default, Traps registers to the Windows Security Center as an official Antivirus (AV) software product and enables Windows to install updates for Meltdown/Spectre vulnerability patches. If you do not want to allow Windows to automatically install patches, change the setting to Enabled (No Patches) or, to disable Traps registration to the Windows Security Center completely, select Disabled. When registration is disabled, the Action Center indicates Virus protection is Off.
- (Windows only) Configure Forensics data collection options. When a process-related security event occurs on the endpoint, Traps collects the contents of memory and other data about the event in what is known as a memory dump. You can customize the size of the forensic data collection—Small, Medium, or Full (the largest and most complete set of information)—and whether to send the memory dumps to the Traps management service automatically. During event investigation, if automatic uploading of prevention data was disabled, you can manually retrieve the data.
- (Windows, Mac, and Linux only) Enable Traps to Monitor and collect endpoint events for use by apps on the Cortex platform. When enabled, Traps collects detailed information about all active file, process, network, and registry activity on an endpoint. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, Traps will not share endpoint activity logs. When you enable EDR data collection, you must also allocate log storage for EDR data in your Cortex Data Lake instance. Event monitoring and data collection requires:
- Traps agent 6.0 or a later release for Windows endpoints, and Traps agent 6.1 or later releases for Mac and Linux endpoints.
- An active Cortex XDR license and allocated log storage in your Cortex Data Lake instance.
- (Windows only) If you need to isolate an endpoint but want to allow access for a specific application (for example, communication between the VDI process and a VDI server), add the process to the Network Isolation Whitelist. When you whitelist a specific application from network isolation, the Traps agent continues to block some internal system processes. This is because some applications, for example ping.exe, can use other processes to facilitate network communication. As a result, if Traps continues to block a whitelisted application, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then whitelist that process.
- Add (+) an entry to the whitelist.
- Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.
- Click the check mark when finished.
- Save the changes to your profile.
- Assign the profile to a policy (see Configure a Policy Rule).
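The Network Isolation Whitelist wildcards described above can be reviewed before the entries are typed into the profile. The following is an added example, not part of the Traps documentation or product: it checks constructed (process path, IP) pairs for invalid addresses and for wildcard entries that widen the exception. The entry layout, the function names, and the severity labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample entries (process path, endpoint IP); not exported from any product.
SAMPLE_ENTRIES = [
    (r"C:\Program Files\VDI\vdiagent.exe", "10.20.30.40"),
    (r"C:\Program Files\VDI\vdiagent.exe", "*"),
    ("*", "2001:db8::15"),
    ("*", "*"),
    (r"C:\Tools\sync.exe", "10.20.30.400"),
]

def review_entry(process_path, ip):
    """Return a list of (severity, message) findings for one whitelist entry."""
    path, ip = process_path.strip(), ip.strip()
    findings = []
    if not path:
        findings.append(("error", "process path is empty"))
    if ip != "*":
        try:
            ipaddress.ip_address(ip)  # accepts IPv4 and IPv6 literals
        except ValueError:
            findings.append(("error", f"{ip!r} is not an IPv4 or IPv6 address"))
    # Severity labels are this example's own ranking of how broad the exception is.
    if path == "*" and ip == "*":
        findings.append(("high", "any process on any endpoint that receives the profile"))
    elif path == "*":
        findings.append(("medium", "any process is allowed on this endpoint"))
    elif ip == "*":
        findings.append(("low", "process is allowed on every endpoint that receives the profile"))
    return findings

def review(entries):
    """Map each entry that has findings to those findings; clean entries are omitted."""
    report = {}
    for process_path, ip in entries:
        findings = review_entry(process_path, ip)
        if findings:
            report[(process_path, ip)] = findings
    return report

if __name__ == "__main__":
    for entry, findings in review(SAMPLE_ENTRIES).items():
        for severity, message in findings:
            print(f"[{severity}] {entry[0]} @ {entry[1]}: {message}")
```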