Add a New Agent Settings Profile

Agent Settings Profiles enable you to customize Traps settings for different platforms and groups of users.
  1. Add a new profile.
    1. From Traps management service, select Security Profiles.
    2. Select the operating system type to which the profile applies.
    3. Create Agent Settings.
      Traps management service displays the settings that you can configure for the platform you selected.
  2. Define the basic settings.
    1. Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. (Windows, Mac, and Linux only) Configure the Disk Space to allot for Traps logs.
    Specify a value in MB from 100 to 10,000 (default is 5,000).
  4. (Windows and Mac only) Configure User Interface options for the Traps console.
    By default, Traps management service uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
    • Hide tray icon—Enable this option to hide the Traps icon from the notification area (system tray).
    • Disable access to the Traps console—Enable this option to prevent users from opening the Traps console.
    • Hide Traps user notifications—Enable this option to operate Traps in silent mode where the Traps agent does not display any notifications in the notification area.
  5. (Android only) Configure network usage preferences.
    When the option to Upload Using Cellular Data is enabled, Traps uses cellular data to send unknown apps to the Traps management service for inspection. Standard data charges may apply. When this option is disabled, Traps queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.
  6. (Windows only) Configure Agent Security options that prevent unauthorized access or tampering with Traps components.
    Similar to the User Interface options, use the default agent settings or customize them for the profile. To customize agent security capabilities:
    1. Enable or disable Traps Tampering Protection.
    2. Configure granular protection options for Traps services, processes, files, and registry values, as needed. With Traps 5.0.6 and later releases, when protection is enabled, access will be read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.
  7. (Windows and Mac only) Set a password the user must enter to uninstall the Traps agent.
    The uninstall password is encrypted using the PBKDF2 algorithm when transferred between Traps management service and Traps agents.
    The default uninstall password is Password1. To set a new password, the password must satisfy the following requirements:
    • Contain eight or more characters.
    • Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'.
    To change the password:
    1. Edit the Uninstall Password.
    2. Enter and confirm the new uninstall password.
  8. (Windows only) Configure Windows Security Center Configuration.
    The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints running Windows 7 and later releases. By default, Traps registers with the Windows Security Center as an official Antivirus (AV) software product and enables Windows to install updates for Meltdown/Spectre vulnerability patches. If you do not want to allow Windows to automatically install patches, change the setting to Enabled (No Patches) or, to disable Traps registration with the Windows Security Center completely, select Disabled. When registration is disabled, the Action Center indicates that Virus protection is Off.
  9. (Windows only) Configure Forensics data collection options.
    When a process-related security event occurs on the endpoint, Traps collects the contents of memory and other data about the event in what is known as a memory dump. You can customize the size of the forensic data collection—Small, Medium, or Full (the largest and most complete set of information)—and whether to send the memory dumps to the Traps management service automatically. During event investigation, if automatic uploading of prevention data was disabled, you can manually retrieve the data.
  10. (Windows, Mac, and Linux only) Enable Traps to Monitor and collect endpoint events for use by apps on the Cortex platform.
    Event monitoring and data collection requires:
    • Traps agent 6.0 or a later release for Windows endpoints, and Traps agent 6.1 or later releases for Mac and Linux endpoints.
    • An active Cortex XDR license and allocated log storage in your Cortex Data Lake instance.
    When enabled, Traps collects detailed information about all active file, process, network, and registry activity on an endpoint. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, Traps will not share endpoint activity logs.
    When you enable EDR data collection, you must also allocate log storage for EDR data in your Cortex Data Lake instance.
  11. (Windows only) If you need to isolate an endpoint but want to allow access for a specific application (for example communication between the VDI process and a VDI server), add the process to the Network Isolation Whitelist.
    When you whitelist a specific application from network isolation, the Traps agent continues to block some internal system processes. This is because some applications, for example ping.exe, can use other processes to facilitate network communication. As a result, if Traps continues to block a whitelisted application, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then whitelist that process.
    1. Add (+) an entry to the whitelist.
    2. Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.
    3. Click the check mark when finished.
  12. Save the changes to your profile.
  13. Assign the profile to a policy (see Configure a Policy Rule).
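A small model of the Network Isolation Whitelist matching rule from step 11, written as an added example and not the product's own code: each entry pairs a process path with an IPv4 or IPv6 address, `*` on either side matches anything, and a connection is allowed only when some entry matches both sides. The VDI client path, the addresses and the case-insensitive path comparison are constructed assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class WhitelistEntry:
    """One Network Isolation Whitelist row: a process path and a peer address.
    Either field may be the '*' wildcard, matching any process or any address."""
    process_path: str
    address: str


def canonical_ip(value: str) -> Optional[str]:
    """Canonical text form of an IPv4/IPv6 address, or None if it does not parse."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def parse_entry(process_path: str, address: str) -> WhitelistEntry:
    """Validate a row before it is saved: the address must be '*' or a real IP."""
    if address != "*" and canonical_ip(address) is None:
        raise ValueError(f"not an IPv4/IPv6 address: {address!r}")
    if not process_path:
        raise ValueError("process path must be '*' or a non-empty path")
    return WhitelistEntry(process_path, address)


def entry_matches(entry: WhitelistEntry, process_path: str, peer_ip: str) -> bool:
    """True when both sides of the row match the observed connection.
    Windows paths are compared case-insensitively (an assumption of this model)."""
    if entry.process_path != "*" and entry.process_path.lower() != process_path.lower():
        return False
    if entry.address == "*":
        return True
    entry_ip = canonical_ip(entry.address)
    return entry_ip is not None and entry_ip == canonical_ip(peer_ip)


def is_allowed(whitelist: List[WhitelistEntry], process_path: str, peer_ip: str) -> bool:
    """Isolation decision: the connection is allowed only if some row matches it."""
    return any(entry_matches(e, process_path, peer_ip) for e in whitelist)


# Constructed sample profile: the VDI client may reach its broker, and any process
# may reach one IPv6 management host; everything else stays isolated.
VDI_CLIENT = r"C:\Program Files\VDI\vdiclient.exe"  # constructed path
SAMPLE_WHITELIST = [parse_entry(VDI_CLIENT, "10.0.0.5"), parse_entry("*", "2001:db8::10")]
```

With this sample, a helper process such as ping.exe reaching 10.0.0.5 is not matched by the VDI row, which is the caveat step 11 describes.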