Traps

Cyberattacks are attacks performed on networks or endpoints to inflict damage, steal information, or achieve other goals that involve taking control of computer systems that do not belong to the attackers. These adversaries perpetrate cyberattacks either by causing a user to unintentionally run a malicious executable file, known as malware, or by exploiting a weakness in a legitimate executable file to run malicious code behind the scenes without the knowledge of the user.
One way to prevent these attacks is to identify executable files, dynamic-link libraries (DLLs), and other pieces of code to determine if they are malicious and, if so, to prevent them from executing by testing each potentially dangerous code module against a list of specific, known threat signatures. The weakness of this method is that it is time-consuming for signature-based antivirus (AV) solutions to identify newly created threats that are known only to the attacker (also known as zero-day attacks or exploits) and add them to the lists of known threats, which leaves endpoints vulnerable until signatures are updated.
Traps takes a more efficient and effective approach to preventing attacks that eliminates the need for traditional AV. Rather than try to keep up with the ever-growing list of known threats, Traps sets up a series of roadblocks—traps, if you will—that prevent the attacks at their initial entry points—the point where legitimate executable files are about to unknowingly allow malicious access to the system.
Traps provides a multi-method protection solution with exploit protection modules that target software vulnerabilities in processes that open non-executable files and malware protection modules that examine executable files, DLLs, and macros for malicious signatures and behavior. Using this multi-method approach, the Traps solution can prevent all types of attacks, whether they are known or unknown threats.
[Figure: Traps multi-method prevention]

Exploit Protection Overview

An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use these exploits to access and use a system to their advantage. To gain control of a system, the attacker must exploit a chain of vulnerabilities in the system. Blocking any attempt to exploit a vulnerability in the chain will block the entire exploitation attempt.
To combat an attack in which an attacker takes advantage of a software exploit or vulnerability, Traps employs exploit protection modules (EPMs). Each EPM targets a specific type of exploit attack in the attack chain. Some capabilities that Traps EPMs provide are reconnaissance prevention, memory corruption prevention, code execution prevention, and kernel protection.

Malware Protection Overview

Malicious files, known as malware, are often disguised as or embedded in non-malicious files. These files can attempt to gain control, gather sensitive information, or disrupt the normal operations of the system. Traps prevents malware by employing the Malware Prevention Engine. This approach combines several layers of protection to prevent both known malware and unknown malware (malware that has not been seen before) from causing harm to your endpoints. The mitigation techniques that the Malware Prevention Engine employs vary by the endpoint type:

Malware Protection for Windows

  • WildFire integration—Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence.
  • Local static analysis—Enables Traps to use machine learning to analyze unknown files and issue a verdict. Traps uses the verdict returned by the local analysis module until it receives a verdict from Traps management service.
  • DLL file protection—Enables Traps to block known and unknown DLLs on Windows endpoints.
  • Office file protection—Enables Traps to block known and unknown macros when run from Microsoft Office files on Windows endpoints.
  • Behavioral threat protection (Windows 7 SP1 and later versions)—Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables Traps to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.0 or later.
  • Evaluation of trusted signers—Permits unknown files that are signed by highly trusted signers to run on the endpoint.
  • Malware protection modules—Targets behaviors—such as those associated with ransomware—and enables you to block the creation of child processes.
  • Policy-based restrictions—Enables you to block files from executing from within specific local folders, network folders, or external media locations.
  • Periodic and automated scanning—Enables you to block dormant malware that has not yet tried to execute on endpoints.
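The Windows layers above are applied in a specific order: a policy restriction or a known verdict settles the question outright, a highly trusted signer lets an otherwise unknown file run, and the local static-analysis verdict is only an interim answer until the verdict from Traps management service arrives. The following is an added illustration of that precedence, not Traps code; the ordering, the hash values, the signer name and the restricted folder are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath
from typing import Optional

class Verdict(Enum):
    BENIGN = "benign"
    MALWARE = "malware"
    UNKNOWN = "unknown"

@dataclass
class FileInfo:
    sha256: str              # hash used for the known-verdict lookup
    path: str                # location the file is executed from
    signer: Optional[str]    # code-signing subject, None if unsigned

# Constructed sample data, not real threat intelligence or a real policy.
KNOWN_VERDICTS = {"hash-known-bad": Verdict.MALWARE, "hash-known-good": Verdict.BENIGN}
TRUSTED_SIGNERS = {"Example Trusted Vendor"}
RESTRICTED_FOLDERS = [PureWindowsPath(r"C:\Users\Public\Downloads")]

def in_restricted_folder(path: str) -> bool:
    p = PureWindowsPath(path)   # case-insensitive comparison, no filesystem access
    return any(folder in p.parents for folder in RESTRICTED_FOLDERS)

def decide(f: FileInfo, local_verdict: Verdict):
    """Return (action, reason). local_verdict is what the local static-analysis
    module produced for this file; the precedence below is an assumption."""
    if in_restricted_folder(f.path):
        return "block", "policy restriction"
    known = KNOWN_VERDICTS.get(f.sha256, Verdict.UNKNOWN)
    if known is Verdict.MALWARE:
        return "block", "known verdict"
    if known is Verdict.BENIGN:
        return "allow", "known verdict"
    if f.signer in TRUSTED_SIGNERS:      # unknown file, but highly trusted signer
        return "allow", "trusted signer"
    if local_verdict is Verdict.MALWARE:
        return "block", "local analysis (interim)"
    return "allow", "local analysis (interim)"

def apply_cloud_verdict(f: FileInfo, cloud_verdict: Verdict, local_verdict: Verdict):
    """The cloud verdict arrives later and replaces the interim local one."""
    KNOWN_VERDICTS[f.sha256] = cloud_verdict
    return decide(f, local_verdict)
```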

Malware Protection for Mac

  • WildFire integration—Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence.
  • Local static analysis—Enables Traps to use machine learning to analyze unknown files and issue a verdict. Traps uses the verdict returned by the local analysis module until it receives the WildFire verdict from Traps management service.
  • Behavioral threat protection—Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables Traps to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.1 or later.
  • Mach-O file protection—Enables you to block known malicious and unknown Mach-O files on Mac endpoints.
  • Evaluation of trusted signers—Permits unknown files that are signed by trusted signers to run on the endpoint.

Malware Protection for Linux

  • WildFire integration—Enables automatic detection of known malware and analysis of unknown malware using WildFire threat intelligence. WildFire integration requires Traps agent 6.0 or later.
  • Local static analysis—Enables Traps to use machine learning to analyze unknown files and issue a verdict. Traps uses the verdict returned by the local analysis module until it receives the WildFire verdict from Traps management service. Local analysis requires Traps agent 6.0 or later.
  • Behavioral threat protection—Enables continuous monitoring of endpoint activity to identify and analyze chains of events—known as causality chains. This enables Traps to detect malicious activity that could otherwise appear legitimate if inspected as individual events. Behavioral threat protection requires Traps agent 6.1 or later.
  • ELF file protection—Enables you to block known malicious and unknown ELF files executed on a host server or within a container on a Traps-protected endpoint. Traps automatically suspends the file execution until a WildFire or local analysis verdict is obtained. ELF file protection requires Traps agent 6.0 or later.
  • Malware protection modules—Targets the execution behavior of a file, such as behavior associated with a reverse shell (reverse shell protection).
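Behavioral threat protection, listed for Windows, Mac and Linux above, analyzes a causality chain rather than each event in isolation. The following is an added illustration of that difference, not Traps code: over constructed process-creation events it compares a per-event view (every shell launch looks identical) with a chain view that walks parent links back to the root. The image names, process IDs and the "document app with a shell descendant" rule are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "winword.exe"),     # user opens a document
    ProcEvent(300, 200, "cmd.exe"),         # the document's process spawns a shell
    ProcEvent(400, 300, "powershell.exe"),  # which spawns another shell
    ProcEvent(500, 100, "cmd.exe"),         # user opens a shell from the desktop: benign
]

DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def causality_chain(events, pid):
    """Walk parent links from pid to the root; returns image names, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)           # guard against pid reuse producing a cycle
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def per_event_hits(events):
    """Single-event view: every shell launch is indistinguishable."""
    return [e.pid for e in events if e.image in SHELLS]

def causality_hits(events):
    """Chain view: a shell whose ancestry includes a document-handling app."""
    hits = []
    for e in events:
        chain = causality_chain(events, e.pid)
        if chain[0] in SHELLS and any(a in DOCUMENT_APPS for a in chain[1:]):
            hits.append((e.pid, " <- ".join(chain)))
    return hits

if __name__ == "__main__":
    print("per-event:", per_event_hits(EVENTS))
    for pid, chain in causality_hits(EVENTS):
        print(f"pid {pid}: {chain}")
```

The per-event view flags the user's own shell (pid 500) alongside the document-spawned ones, while the chain view flags only pids 300 and 400.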
