Add a New Malware Security Profile

Malware security profiles allow you to configure the action Traps takes when known malware and unknown files try to run on Windows, Mac, Linux, and Android endpoints.
By default, the Traps agent receives the default profile, which contains a predefined configuration for each malware protection capability the platform supports. To fine-tune your Malware security policy, you can override the configuration of each capability to block the malicious behavior or file, allow it but report it, or disable the module.
To configure a Malware security profile:
  1. Add a new profile.
    To create an installation package or manage security profiles after February 26, 2019, you must first change the default uninstall password to a new password which meets Traps management service security standards. You must do this even if you previously set a password. After you set an uninstall password, you will not receive additional notifications. To later change the uninstall password, create an Agent Settings Profile that you can assign to a policy rule.
    1. From Traps management service, select Profiles.
    2. Select the operating system type to which the profile applies.
    3. Create Malware Profile.
      Traps management service displays the security capabilities supported for the platform you selected. For details, see Protection Capabilities.
  2. Identify the profile.
    1. Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. (Windows 7 with SP1 and later only) Configure Behavioral Threat Protection.
    Behavioral threat protection requires Traps agent 6.0 or a later release.
    With Behavioral threat protection, Traps continuously monitors endpoint activity to identify and analyze chains of events—known as causality chains—rather than a single event. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually. A causality chain can include any sequence of network, process, file, and registry activities on the endpoint. For more information on data collection for Behavioral Threat Protection, see Traps Data Collection.
    Palo Alto Networks researchers define the causality chains that are malicious and distribute those chains as behavioral threat rules. When Traps detects a match to a behavioral threat protection rule, Traps carries out the configured action (default is Block). In addition, Traps reports the behavior of the entire event chain up to the process, known as the causality group owner (CGO), that Traps identified as triggering the event sequence.
    To configure Behavioral Threat Protection:
    1. Define the Action mode to take when Traps detects malicious causality chains.
      • Default—Use the default configuration to determine the action to take. Traps management service displays the default value in parentheses. For example, Default (Block).
      • Block—Block all processes and threads in the event chain up to the CGO.
      • Report—Allow the activity but report it to Traps management service.
      • Disabled—Disable the module and do not analyze or report the activity.
    2. Define whether to quarantine the CGO when Traps detects a malicious event chain.
      • Default—Use the default configuration to determine the action to take. Traps management service displays the default value in parentheses. For example, Default (Disabled).
      • Enabled—Quarantine the CGO if the file is not signed by a highly trusted signer. When the CGO is signed by a highly trusted signer, or is one of the interpreters or Office applications powershell.exe, wscript.exe, cscript.exe, mshta.exe, excel.exe, word.exe, or powerpoint.exe, the Traps agent parses the command-line arguments and instead quarantines any scripts or files called by the CGO.
      • Disabled—Do not quarantine the CGO of an event chain nor any scripts or files called by the CGO.
    3. (Optional) Whitelist files that you do not want Traps to terminate when a malicious causality chain is detected.
      1. Add (+) a file path.
      2. Enter the file path you want to exclude from evaluation. Use ? to match a single character or * to match any string of characters.
      3. Click the check mark to confirm the file path.
      4. Repeat the process to whitelist any additional file paths.
  4. (Windows only) Configure Ransomware Protection to define the Action mode to take when Traps detects ransomware activity.
    • Default—Use the default configuration to determine the action to take. Traps management service displays the default value for each capability in parentheses. For example, Default (Block).
    • Block—Block the activity.
    • Report—Allow the activity but report it to Traps management service.
    • Disabled—Disable the module and do not analyze or report the activity.
  5. (Windows only) Configure Traps to Prevent Malicious Child Process Execution.
    1. Select the Action mode to take when Traps detects malicious child process execution:
      • Default—Use the default configuration to determine the action to take. Traps management service displays the default value for each capability in parentheses. For example, Default (Block).
      • Block—Block the activity.
      • Report—Allow the activity but report it to Traps management service.
      • Disabled—Disable the module and do not analyze or report the activity.
    2. To allow specific processes to launch child processes for legitimate purposes, whitelist the child process with optional execution criteria.
      Add (+) and then specify the whitelist criteria including the Parent Process Name, Child Process Name, and Command Line Params. Use ? to match a single character or * to match any string of characters.
      If you are adding child process evaluation criteria based on a specific security event, the event indicates both the source process and the command line parameters in one line. Copy only the command line parameter for use in the profile.
  6. (Linux only) Configure Reverse Shell Protection.
    The Reverse Shell Protection module enables Traps to detect and optionally block attempts to redirect standard input and output streams to network sockets.
    1. Define the Action mode to take when Traps detects the malicious behavior.
      • Default—Use the default configuration to determine the action to take. Traps management service displays the default value for each capability in parentheses. For example, Default (Block).
      • Block—Block the activity.
      • Report—Allow the activity but report it to Traps management service.
      • Disabled—Disable the module and do not analyze or report the activity.
    2. (Optional) Whitelist processes that must redirect streams to network sockets.
      1. Click the + to add a connection.
      2. Enter the path of the process, and the local and remote IP address and ports.
        You can also use a wildcard to match a partial path name. Use a * to match any string of characters (for example, */bash). You can also use a * to match any IP address or any port. Scope each entry as narrowly as the process needs: an entry such as */bash with * for the addresses and ports exempts every socket-bound shell from the module.
      3. Press Enter or click the check mark when done.
      4. Repeat to add additional connections.
  7. Configure Traps to examine executable files or DLL files on Windows endpoints, Mach-O files on Mac endpoints, ELF files on Linux endpoints, or APK files on Android endpoints.
    1. Configure the Action mode—the behavior of Traps—when malware is detected:
      • Default—Use the default configuration to determine the action to take. Traps management service displays the default value in parentheses. For example, Default (Block).
      • Block—Block attempts to run malware.
      • Report—Report but do not block malware that attempts to run.
      • (Android only) Prompt—Enable Traps to prompt the user when malware is detected and allow the user to choose to allow malware, dismiss the notification, or uninstall the app.
      • Disabled—Disable the module and do not examine files for malware.
    2. Configure additional actions to examine files for malware.
      By default, Traps management service uses the settings specified in the default malware security profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
      • (Mac only) Upload Mach-O files for cloud analysis—Enable Traps to send unknown Mach-O files to Traps management service, which sends the files to WildFire for analysis. WildFire accepts files up to 100MB in size.
      • (Linux only) Upload ELF files for cloud analysis—Enable Traps to send unknown ELF files to the Traps management service, which sends the files to WildFire for analysis.
      • (Android only) Upload APK files for cloud analysis—Enable Traps to send unknown APK files to the Traps management service, which sends the files to WildFire for analysis. WildFire accepts files up to 100MB in size.
      • (Windows only) Quarantine malicious executables—By default, Traps blocks malware from running but does not quarantine the file. Enable this option to quarantine files that WildFire or an administrative policy override identifies as malware. To also quarantine files that receive a malware verdict from Traps local analysis, enable Quarantine local analysis. If that option is disabled (the default), files with a malware verdict from local analysis remain on the endpoint in their original location.
        The quarantine feature is not available for malware identified in network drives.
      • Treat grayware as malware—Treat all grayware with the same Action mode you configure for malware. Otherwise, if this option is disabled, grayware is considered benign and is not blocked.
      • (Windows only) Upload PE files for cloud analysis—Enable Traps to send unknown PE and DLL files to Traps management service, which sends the files to WildFire for analysis. WildFire accepts files up to 100MB in size.
      • Local analysis—Enable Traps to use embedded machine learning to determine the likelihood that an unknown file is malware and issue a local verdict for the file. When this option is disabled and you also configure Traps to block unknown files, users will not be permitted to open unknown files. As a result, the unknown file remains blocked until Traps receives an official WildFire verdict.
      • Block files with unknown verdict—When the file is unknown in the local and server cache, block it from running.
    3. (Optional) Whitelist folders from examination.
      1. Add (+) a folder.
      2. Enter the path and press Enter or click the check mark when done. You can also use a wildcard to match folders containing a partial name. Use ? to match a single character or * to match any string of characters. To match a folder, you must terminate the path with * to match all files in the folder (for example, c:\temp\*).
      3. Repeat to add additional folders.
    4. Whitelist signers from examination.
      1. Add (+) a trusted signer.
      2. Enter the name of the trusted signer (Windows) or the SHA1 hash of the certificate that signs the file (Mac) and press Enter or click the check mark when done. You can also use a wildcard to match a partial name for the signer. Use ? to match any single character or * to match any string of characters.
      3. Repeat to add additional signers.
  8. (Windows only) Configure Traps to examine macros in Microsoft Office files.
    1. Configure the Action mode—the behavior of Traps—when a malicious macro is detected:
      • Default—Use the default configuration to determine the action to take. Traps management service displays the default value in parentheses. For example, Default (Block).
      • Block—Block attempts to run malicious macros.
      • Report—Report but do not block malicious macros that attempt to run.
      • Disabled—Disable the module and do not examine macros for malware.
    2. Configure additional actions to examine files for malware.
      By default, Traps management service uses the settings specified in the default malware security profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
      • Upload Office files for cloud analysis—Enable Traps to send Office files containing unknown macros to Traps management service, which sends the files to WildFire for analysis. Traps management service only uploads the Office file if it contains a macro. WildFire accepts files up to 100MB in size.
      • Examine Office files from network drives—Enable Traps to examine Microsoft Office files when they attempt to run from a network drive.
      • Local analysis—Enable Traps to use embedded machine learning to determine the likelihood that an unknown macro is malware and issue a local verdict for the file. When this option is disabled and you also configure Traps to block unknown files, users are not permitted to run unknown macros. As a result, the unknown macros remain blocked until Traps receives an official WildFire verdict.
      • Block files with unknown verdict—When the file is unknown in the local and server cache, block it from running.
    3. Whitelist Folders from examination.
      1. Add (+) a folder.
      2. Enter the path and press Enter or click the check mark when done. You can also use a wildcard to match a partial name for the folder. Use ? to match any single character or * to match any string of characters. To match a folder, you must terminate the path with * to match all files in the folder (for example, c:\temp\*).
      3. Repeat to add additional folders.
  9. (Windows only) Enable periodic scanning for malware.
    Periodic scanning enables you to Scan an Endpoint for Malware on a recurring basis without waiting for malware to run on the endpoint.
    1. Configure the Action mode for Traps to periodically scan the endpoint for malware: Enabled to scan at the configured intervals, Disabled if you don’t want Traps to scan the endpoint, or Default to use the default configuration to determine the action to take. The Traps management service displays the default value in parentheses. For example, Default (Disabled).
    2. To configure the Scan schedule, set the frequency (Weekly or Monthly) and day and time at which the scan will run on the endpoint.
      Just as with an on-demand scan, a scheduled scan will resume after a reboot, process interruption, or operating system crash.
    3. To include removable media drives in the scheduled scan, enable Traps to Scan removable media drives.
      By default, Traps management service uses the settings specified in the default malware security profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
    4. Whitelist Folders from examination.
      1. Add (+) a folder.
      2. Enter the folder path. Use ? to match a single character or * to match any string of characters in the folder path (for example, C:\*\temp).
      3. Press Enter or click the check mark when done.
      4. Repeat to add additional folders.
  10. (Windows Vista and later Windows releases) Enable Password Theft Protection.
    Select Block to enable Traps to prevent attacks that use the Mimikatz tool to extract passwords from memory. When enabled, Traps silently prevents attempts to steal credentials (no notifications are provided when these events occur). Traps enables this protection module following the next endpoint reboot. If you don’t want to enable the module, select Disabled.
    This module is supported with Traps agent 5.0.4 and later releases.
  11. Save the changes to your profile.
  12. Assign the profile to a policy rule (see Configure a Policy Rule).
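The whitelists in steps 5, 7, 8 and 9 all use the same wildcard syntax (? for one character, * for any string of characters), and the procedure warns that a folder pattern must end in * to cover the files inside the folder and that only the command line parameters, not the source process, belong in the Command Line Params field. The following added example, which is not code from the page or from Palo Alto Networks, evaluates child-process criteria and folder or signer exclusions against constructed events with those semantics; case-insensitive comparison, the sample rules, events and signer names are assumptions made for illustration.

```python
"""Whitelist evaluation for a Malware profile: child-process criteria (step 5)
and folder or signer exclusions (steps 7 to 9). Added example, not Palo Alto
Networks code. Wildcard semantics ('?' one character, '*' any string) come
from the procedure; case-insensitive matching and all sample data are assumed."""
import re
from dataclasses import dataclass


def to_regex(pattern: str) -> re.Pattern:
    """Translate a profile wildcard pattern into a regex. Everything except
    '*' and '?' is matched literally, so backslashes, dots and brackets in
    Windows paths need no escaping by the administrator."""
    out = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def wildcard_match(pattern: str, value: str) -> bool:
    return to_regex(pattern).match(value) is not None


@dataclass(frozen=True)
class ChildProcessRule:
    parent: str          # Parent Process Name
    child: str           # Child Process Name
    cmdline: str = "*"   # Command Line Params of the child


@dataclass(frozen=True)
class ChildProcessEvent:
    parent: str
    child: str
    cmdline: str         # parameters only, without the child's image path


def child_process_allowed(event: ChildProcessEvent, rules) -> bool:
    """True if one rule matches all three fields; otherwise the configured
    Action mode (Block or Report) applies to the launch."""
    return any(wildcard_match(r.parent, event.parent)
               and wildcard_match(r.child, event.child)
               and wildcard_match(r.cmdline, event.cmdline) for r in rules)


def excluded(value: str, patterns) -> bool:
    """Folder or signer whitelist. A folder pattern must end in '*' to cover
    the files inside it: 'c:\\temp' alone matches only a file literally named
    c:\\temp, never c:\\temp\\tool.exe."""
    return any(wildcard_match(p, value) for p in patterns)


def params_only(full_cmdline: str) -> str:
    """Drop the leading image path from a full command line (quoted or not),
    leaving what belongs in the Command Line Params field. An unquoted image
    path that itself contains spaces is ambiguous and is not handled."""
    s = full_cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


# --- constructed sample data (hypothetical rules, events and signers) ---
RULES = [ChildProcessRule("msbuild.exe", "cmd.exe", "/c git describe*")]
FOLDERS = [r"c:\temp\*", r"c:\*\build\*"]
SIGNERS = ["Microsoft Windows*", "Contoso Software Ltd"]


def demo() -> dict:
    build = ChildProcessEvent("msbuild.exe", "cmd.exe", "/c git describe --tags")
    macro = ChildProcessEvent("winword.exe", "powershell.exe", "-nop -w hidden -enc SQBFAFgA")
    return {
        "build_step": child_process_allowed(build, RULES),          # True
        "office_macro": child_process_allowed(macro, RULES),        # False
        "temp_file": excluded(r"C:\Temp\tool.exe", FOLDERS),        # True (case-insensitive)
        "build_output": excluded(r"c:\users\dev\src\build\out.exe", FOLDERS),  # True
        "lookalike_dir": excluded(r"c:\temporary\tool.exe", FOLDERS),          # False
        "folder_without_star": excluded(r"c:\temp\tool.exe", [r"c:\temp"]),    # False
        "signer": excluded("Microsoft Windows Publisher", SIGNERS),  # True
        "params": params_only(r'"C:\Windows\System32\cmd.exe" /c git describe --tags'),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result!r}")
```

Because * matches any string including path separators, c:\*\build\* covers a build folder at any depth, while c:\temp\* does not match c:\temporary\tool.exe; keep command-line patterns as specific as the legitimate launch allows, since a rule whose Command Line Params is just * exempts every launch of that child by that parent.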
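Step 6 describes the Linux Reverse Shell Protection module as detecting processes that redirect standard input and output to network sockets, with whitelist entries of process path, local and remote address and port, where * matches anything. The following added example, which is not code from the page or from Palo Alto Networks, performs that check and applies such a whitelist: it flags a process whose fd 0, 1 or 2 is a socket, exempts matching entries, and returns the configured Action mode. It also shows how the same data can be gathered from /proc on a live Linux host; how the Traps agent itself collects it is not documented here and is an assumption, as are the sample processes, the /proc/net/tcp line and the whitelist entry.

```python
"""Reverse-shell check of the kind step 6 configures: flag a process whose
stdin, stdout or stderr is a network socket, then apply whitelist entries of
(process path, local IP, local port, remote IP, remote port) where '*'
matches anything. Added example, not Palo Alto Networks code; how the Traps
agent collects this data is an assumption, and the sample data is constructed."""
import fnmatch
import os
from dataclasses import dataclass, field

STDIO_FDS = (0, 1, 2)

@dataclass(frozen=True)
class Socket:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

@dataclass
class ProcessRecord:
    pid: int
    exe: str                                        # resolved executable path
    fd_sockets: dict = field(default_factory=dict)  # fd number -> Socket

@dataclass(frozen=True)
class WhitelistEntry:
    path: str                  # e.g. "/opt/monitor/bin/collector" or "*/collector"
    local_ip: str = "*"
    local_port: str = "*"
    remote_ip: str = "*"
    remote_port: str = "*"

def _match(pattern: str, value) -> bool:
    # '*' matches any string of characters, '?' a single character
    return fnmatch.fnmatchcase(str(value), pattern)

def whitelisted(proc: ProcessRecord, sock: Socket, entries) -> bool:
    return any(_match(e.path, proc.exe) and _match(e.local_ip, sock.local_ip)
               and _match(e.local_port, sock.local_port)
               and _match(e.remote_ip, sock.remote_ip)
               and _match(e.remote_port, sock.remote_port) for e in entries)

def evaluate(proc: ProcessRecord, entries, action_mode: str = "Block"):
    """Return (verdict, fd, socket); verdict is 'allow', 'report' or 'block'."""
    if action_mode == "Disabled":
        return ("allow", None, None)
    for fd in STDIO_FDS:
        sock = proc.fd_sockets.get(fd)
        if sock is not None and not whitelisted(proc, sock, entries):
            return ("block" if action_mode == "Block" else "report", fd, sock)
    return ("allow", None, None)

# --- live collection on a Linux host (not used by the offline demo) ---
def parse_proc_net_tcp(text: str) -> dict:
    """Map socket inode -> Socket from /proc/net/tcp (IPv4; little-endian hex)."""
    out = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            out[int(f[9])] = Socket(_ip(f[1]), _port(f[1]), _ip(f[2]), _port(f[2]))
    return out

def _ip(hexaddr: str) -> str:
    h = hexaddr.split(":")[0]
    return ".".join(str(int(h[i:i + 2], 16)) for i in (6, 4, 2, 0))

def _port(hexaddr: str) -> int:
    return int(hexaddr.split(":")[1], 16)

def snapshot_linux(pid: int) -> ProcessRecord:
    with open("/proc/net/tcp") as fh:
        inode_to_sock = parse_proc_net_tcp(fh.read())
    rec = ProcessRecord(pid, os.readlink(f"/proc/{pid}/exe"))
    for fd in STDIO_FDS:
        try:
            target = os.readlink(f"/proc/{pid}/fd/{fd}")   # e.g. "socket:[31337]"
        except OSError:
            continue
        if target.startswith("socket:[") and int(target[8:-1]) in inode_to_sock:
            rec.fd_sockets[fd] = inode_to_sock[int(target[8:-1])]
    return rec

# --- constructed sample data, not real telemetry ---
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0A00000A:B3A2 057100CB:115C 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0 20 4 30 10 -1\n"
)
# hypothetical log collector that legitimately writes its stdout to a syslog socket
WHITELIST = [WhitelistEntry(path="*/collector", remote_ip="10.0.0.1", remote_port="514")]

def demo() -> dict:
    shell_sock = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)[31337]   # 10.0.0.10:45986 -> 203.0.113.5:4444
    shell = ProcessRecord(4242, "/usr/bin/bash", {0: shell_sock, 1: shell_sock, 2: shell_sock})
    collector = ProcessRecord(4300, "/opt/monitor/bin/collector",
                              {1: Socket("10.0.0.10", 50000, "10.0.0.1", 514)})
    interactive = ProcessRecord(4301, "/usr/bin/bash")            # stdio on a tty, no sockets
    return {"shell": evaluate(shell, WHITELIST),                  # ('block', 0, shell_sock)
            "shell_report": evaluate(shell, WHITELIST, "Report"), # ('report', 0, shell_sock)
            "collector": evaluate(collector, WHITELIST),          # ('allow', None, None)
            "interactive": evaluate(interactive, WHITELIST)}      # ('allow', None, None)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} -> {verdict}")
```

The whitelist entry is deliberately narrow: the page's */bash example combined with * for every address and port would exempt exactly the process a reverse shell most often is, so pin legitimate entries to the remote host and port the process actually needs. The live collector reads only IPv4 TCP; /proc/net/tcp6 and UDP sockets would need the same treatment.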
