Palo Alto Networks Knowledgebase: How to Enable Exploit Protection with Traps 4.1.2 and App Volumes 2.12


Created On 09/25/18 18:17 PM - Last Updated 02/19/20 17:09 PM
Products: Advanced Endpoint Protection, Cortex XDR, Traps
Symptom

The App Volumes registry and file redirection mechanism intercepts access to the Traps registry keys and files, which causes Traps process injection to fail. As a result, the Traps exploit protection modules do not function on endpoints where App Volumes is attached.



Environment
This article applies to Traps 4.1.2 and later releases with App Volumes 2.12 and later releases.

Resolution

As a workaround, App Volumes provides a configuration file (snapvol.cfg) in which you can list paths and registry keys that the redirection mechanism must leave alone. Add the following exclusions so that App Volumes no longer interferes with Traps file and registry operations:

Exclude Traps paths:

  • exclude_path=\Program Files (x86)\Palo Alto Networks\Traps
  • exclude_path=\Program Files\Palo Alto Networks\Traps
  • exclude_path=\ProgramData\Cyvera

Exclude Traps registry keys:
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tlaservice
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyserver
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyveraservice
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyverak
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyvrfsfd
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyvrmtgn
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\twdservice
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CYVERA
  • exclude_registry=\REGISTRY\MACHINE\SOFTWARE\CYVERA
  • exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Palo Alto Networks\Traps
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tlaservice
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyserver
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyveraservice
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyverak
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyvrfsfd
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyvrmtgn
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\twdservice

Add the lines above to the snapvol.cfg file as described in the following VMware knowledge base article:
Excluding files and locations from Writable Volumes (2149892)
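As an added example (not Palo Alto Networks or VMware code), the following Python script merges the exclusion lines above into an existing snapvol.cfg without duplicating entries that are already present, keeps the file's existing lines and newline style, and reports which required lines are still missing so the result can be verified before the volume is re-sealed. It assumes snapvol.cfg is a plain text file of key=value lines as shown in VMware KB 2149892, and that matching should be case-insensitive because Windows paths and registry keys are; the sample configuration embedded in the script is constructed for illustration.

```python
"""Merge and verify the Traps exclusions for an App Volumes snapvol.cfg.

Added example, not Palo Alto Networks or VMware code. Assumes snapvol.cfg is a
plain text file of key=value lines (VMware KB 2149892) and that Windows paths
and registry keys compare case-insensitively.
"""
from __future__ import annotations

from pathlib import Path

# File-system paths from the article.
TRAPS_PATHS = [
    r"\Program Files (x86)\Palo Alto Networks\Traps",
    r"\Program Files\Palo Alto Networks\Traps",
    r"\ProgramData\Cyvera",
]

# Traps services from the article; each is excluded under both the
# ControlSet001 and the CurrentControlSet view of the SYSTEM hive.
TRAPS_SERVICES = [
    "tlaservice", "cyserver", "cyveraservice", "cyverak",
    "cyvrfsfd", "cyvrmtgn", "twdservice",
]
CONTROL_SETS = ["ControlSet001", "CurrentControlSet"]

TRAPS_REGISTRY_KEYS = [
    rf"\REGISTRY\MACHINE\SYSTEM\{cs}\services\{svc}"
    for cs in CONTROL_SETS for svc in TRAPS_SERVICES
] + [
    r"\REGISTRY\MACHINE\SYSTEM\CYVERA",
    r"\REGISTRY\MACHINE\SOFTWARE\CYVERA",
    r"\REGISTRY\MACHINE\SOFTWARE\Palo Alto Networks\Traps",
]


def required_lines() -> list[str]:
    """The exact snapvol.cfg lines the article asks for (20 in total)."""
    return ([f"exclude_path={p}" for p in TRAPS_PATHS]
            + [f"exclude_registry={k}" for k in TRAPS_REGISTRY_KEYS])


def _normalize(line: str) -> str:
    # Case- and whitespace-insensitive key, so an entry already typed as
    # "Cyvera" counts as the same exclusion as "CYVERA".
    return line.strip().casefold()


def missing_exclusions(cfg_text: str) -> list[str]:
    """Return the required lines that cfg_text does not already contain."""
    present = {_normalize(line) for line in cfg_text.splitlines()}
    return [line for line in required_lines() if _normalize(line) not in present]


def merge_exclusions(cfg_text: str) -> tuple[str, list[str]]:
    """Append any missing exclusions; return (new_text, added_lines).

    Existing lines are untouched and the file's newline style (CRLF or LF)
    is preserved, so running the merge twice is a no-op.
    """
    missing = missing_exclusions(cfg_text)
    if not missing:
        return cfg_text, []
    nl = "\r\n" if "\r\n" in cfg_text else "\n"
    body = cfg_text if (not cfg_text or cfg_text.endswith(nl)) else cfg_text + nl
    return body + nl.join(missing) + nl, missing


def merge_file(path: Path) -> list[str]:
    """Patch a snapvol.cfg on disk in place; returns the lines that were added."""
    with path.open("r", encoding="utf-8", newline="") as f:  # keep raw CRLF
        text = f.read()
    new_text, added = merge_exclusions(text)
    if added:
        with path.open("w", encoding="utf-8", newline="") as f:
            f.write(new_text)
    return added


# Constructed sample of a snapvol.cfg that already carries two of the entries
# in a different letter case; this is not VMware's shipped default file.
SAMPLE_CFG = (
    "# constructed sample snapvol.cfg\r\n"
    "exclude_path=\\ProgramData\\cyvera\r\n"
    "exclude_registry=\\REGISTRY\\MACHINE\\SOFTWARE\\Cyvera\r\n"
)

if __name__ == "__main__":
    merged, added = merge_exclusions(SAMPLE_CFG)
    print(f"added {len(added)} lines; still missing: {missing_exclusions(merged)}")
```

Run `merge_file(Path(r"...\snapvol.cfg"))` against a copy of the file on the writable volume, then call `missing_exclusions` on the result; an empty list means every path and registry key from the article is present.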


In the Traps Anti-Ransomware module, exclude the following processes from protection:
flexengine.exe
svoffice.exe
svservice.exe
flexservice.exe
ws_diag.exe
Flex+ Management Console.exe
FlexDiskService.exe
svcapture64.exe
flex+ self-support.exe
uemresult.exe
flexmigrate.exe

NOTE: For more information on how to configure the Anti-Ransomware policy, see Configure Anti-Ransomware Protection.

After you add the snapvol.cfg exclusions and the Anti-Ransomware process exclusions, Traps exploit protection functions as expected.



Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOcCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail