How to Enable Exploit Protection with Traps 4.1.2 and App Volumes 2.12
Symptom
The AppVolumes registry and file redirection mechanism interferes with Traps registry keys and files, which causes Traps process injection to fail. As a result, Traps exploit protection modules will not function.
Environment
This article applies to Traps 4.1.2 and later releases with App Volumes 2.12 and later releases.
Resolution
As a workaround, App Volumes supplies a configuration file (snapvol.cfg) that you can edit so that the App Volumes redirection mechanism does not interfere with registry keys and file operations in specific locations:
Exclude Traps paths:
- exclude_path=\Program Files (x86)\Palo Alto Networks\Traps
- exclude_path=\Program Files\Palo Alto Networks\Traps
- exclude_path=\ProgramData\Cyvera
Exclude Traps registry keys:
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tlaservice
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyserver
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyveraservice
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyverak
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyvrfsfd
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cyvrmtgn
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\twdservice
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\CYVERA
- exclude_registry=\REGISTRY\MACHINE\SOFTWARE\CYVERA
- exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Palo Alto Networks\Traps
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\tlaservice
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyserver
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyveraservice
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyverak
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyvrfsfd
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\cyvrmtgn
- exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\twdservice
Add the above values to the snapvol.cfg file according to the following VMware knowledge base article:
Excluding files and locations from Writable Volumes (2149892)
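As an added example (not from this article, VMware or Palo Alto Networks), the following Python script checks a snapvol.cfg for the exclusions listed above and appends any that are missing, so the check can be repeated on each writable volume before it is deployed. It assumes one entry per line, case-insensitive matching, and that the path to snapvol.cfg is passed as the first command-line argument.

```python
"""Verify and complete the Traps exclusions in an App Volumes snapvol.cfg."""
from pathlib import Path

# Exclusions taken from the article above (paths, then registry keys).
TRAPS_EXCLUDE_PATHS = [
    r"\Program Files (x86)\Palo Alto Networks\Traps",
    r"\Program Files\Palo Alto Networks\Traps",
    r"\ProgramData\Cyvera",
]
TRAPS_SERVICES = ["tlaservice", "cyserver", "cyveraservice", "cyverak",
                  "cyvrfsfd", "cyvrmtgn", "twdservice"]
TRAPS_EXCLUDE_REGISTRY = (
    [rf"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\{s}" for s in TRAPS_SERVICES]
    + [r"\REGISTRY\MACHINE\SYSTEM\CYVERA",
       r"\REGISTRY\MACHINE\SOFTWARE\CYVERA",
       r"\REGISTRY\MACHINE\SOFTWARE\Palo Alto Networks\Traps"]
    + [rf"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\{s}" for s in TRAPS_SERVICES]
)

def required_entries():
    """The snapvol.cfg lines the article says must be present."""
    return ([f"exclude_path={p}" for p in TRAPS_EXCLUDE_PATHS]
            + [f"exclude_registry={k}" for k in TRAPS_EXCLUDE_REGISTRY])

def missing_entries(cfg_text):
    """Required lines absent from cfg_text. Assumption: one entry per line,
    matched case-insensitively after trimming whitespace."""
    present = {line.strip().lower() for line in cfg_text.splitlines()}
    return [e for e in required_entries() if e.lower() not in present]

def merge_exclusions(cfg_text):
    """Return (updated_text, added_lines); running it twice adds nothing."""
    missing = missing_entries(cfg_text)
    if not missing:
        return cfg_text, []
    sep = "" if not cfg_text or cfg_text.endswith("\n") else "\n"
    return cfg_text + sep + "\n".join(missing) + "\n", missing

if __name__ == "__main__":
    import sys
    cfg_path = Path(sys.argv[1])  # the snapvol.cfg being prepared (assumed argument)
    text = cfg_path.read_text(encoding="utf-8") if cfg_path.exists() else ""
    updated, added = merge_exclusions(text)
    if added:
        cfg_path.write_text(updated, encoding="utf-8")
    print(f"{len(added)} Traps exclusion(s) added to {cfg_path}")
```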
Disable the Traps Anti-Ransomware module for the following processes:
- flexengine.exe
- svoffice.exe
- svservice.exe
- flexservice.exe
- ws_diag.exe
- Flex+ Management Console.exe
- FlexDiskService.exe
- svcapture64.exe
- flex+ self-support.exe
- uemresult.exe
- flexmigrate.exe
NOTE: For more information on how to configure the Anti-Ransomware policy, see Configure Anti-Ransomware Protection.
After you configure the file, Traps exploit protection functions as expected.