How to View and Manage the Traps Client Policy on the Endpoint (Traps Explorer)

Created On 09/25/18 18:59 PM - Last Modified 06/14/23 04:08 AM


Resolution


This article describes the steps suggested to view, interpret, and manage the Client Policy running on Endpoints protected by Traps Agent versions 3.3.x.

 

1.1 View the Client Policy on the Endpoint with TrapsExplorer
 

To make viewing the Client Policy on the Endpoint easier, we have made the TrapsExplorer utility available.
Since tuning the Exploit Protection Modules (EPMs) configuration is the most common scenario, the current version of TrapsExplorer only displays the Exploit Protection Modules (EPMs) configuration. Find it attached to this article.

 

 

[Screenshot: TrapsExplorer 3.3.3]

 

Run the TrapsExplorer utility as Administrator.

 

  • On start, TrapsExplorer selects the 'Default' policy that applies to all protected processes. Select any process from the list of protected processes on the left side to show the Exploit Protection Modules (EPMs) configuration for that process.
  • On exit, TrapsExplorer asks for the uninstall password in order to return the Service Protection configuration to its initial state.

Note: For TrapsExplorer to work, Service Protection needs to be disabled. If Registry Protection is enabled, TrapsExplorer displays an alert message and the status bar shows the following message in red: "Registry Protections Status: ENABLED  -- Click here to Enable". Click the status bar once to switch Service Protection on or off. Entering the uninstall password is required.

 

 


1.2 View the Client Policy on the Endpoint 

 

When TrapsExplorer is not available, the Client Policy can still be investigated; it is found on the Endpoint in two locations.

 

  1. The XML file ClientPolicy.xml stores the full Client Policy coming from the Endpoint Security Manager (ESM). This file can be found in these locations:

    Windows Vista and above: C:\ProgramData\Cyvera\LocalSystem
    Windows XP: C:\Documents and Settings\All Users\Application Data\Cyvera\LocalSystem
     
  2. Limited to the Agent Settings, Exploit Protection Modules (EPMs), and Malware Protection Modules (MPMs) configuration, the Client Policy is also stored in the following registry path. This is the configuration that is ultimately applied by the protection modules.
     

    HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy
     

    Note: The registry path above is readable only if Service Protection, specifically Registry Protection, is disabled on the Agent. Service Protection for the Agents can be set from the Settings > Agent > Settings page on the Endpoint Security Manager (ESM) Console. The Service Protection status can also be checked and controlled on the Endpoint by using the cytool command line utility. For instance:
     

    "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect query


    For more information about the cytool command line utility, please refer to the 'Cytool' section of the Traps Administrator's Guide for version 3.3.x:
    https://www.paloaltonetworks.com/documentation/33/endpoint/endpoint-admin-guide/troubleshooting/cytool.html

 

 

 

1.3 Interpret the Client Policy on the Endpoint

 

Without TrapsExplorer, interpreting the Exploit Protection Modules (EPMs) and Malware Protection Modules (MPMs) configuration from the Client Policy in the Registry and in the ClientPolicy.xml file requires knowledge of the module codes and of the Registry key structure. A quick overview follows.
 

Exploit Protection Modules (EPMs) and Malware Protection Modules (MPMs) configuration can be found for each protected process individually or for all protected processes.

 

The HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy\Organization\Process\Default key stores the configuration that applies to all Protected Processes.
The HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy\Organization\Process\<Process_Name> keys store the process-specific configuration, which takes precedence over the 'Default' configuration when the process is specifically configured.

 

For instance:

  • An "Enable" DWORD with value '0' in HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy\Organization\Process\Default\J01 means that JIT Mitigation (J01) is by default disabled for all protected processes.
  • An "Enable" DWORD with value '1' in HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy\Organization\Process\acrobat.exe\J01 means that JIT Mitigation (J01) is enabled for acrobat.exe. This configuration overrides the Default configuration for acrobat.exe.
    The end result of this example is that JIT Mitigation (J01) is disabled for all protected processes, but enabled for acrobat.exe.
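The override logic described above, as an added PowerShell example that is not part of the article or of the Traps product. It merges the Default key with a process-specific key under the layout section 1.3 describes (Process\<Default|process.exe>\<ModuleCode>\Enable) and reads all module subkeys generically; it assumes the Cyvera keys are readable, i.e. Service Protection is disabled and the shell is elevated.

```powershell
# Added example (not from the article): compute the effective EPM settings for one process.
# Assumed layout, from section 1.3 of the article:
#   HKLM\SYSTEM\Cyvera\Policy\Organization\Process\<Default|process.exe>\<ModuleCode>\Enable (DWORD)
# Only J01 (JIT Mitigation) is named by the article; other module codes are read as-is.
$PolicyRoot = 'HKLM:\SYSTEM\Cyvera\Policy\Organization\Process'

function Read-EpmKey {
    param([string]$KeyPath)
    $result = @{}
    if (-not (Test-Path -Path $KeyPath)) { return $result }   # no such key: inherit everything
    foreach ($sub in Get-ChildItem -Path $KeyPath -ErrorAction Stop) {
        $enable = (Get-ItemProperty -Path $sub.PSPath -Name 'Enable' -ErrorAction SilentlyContinue).Enable
        if ($null -ne $enable) { $result[$sub.PSChildName] = [int]$enable }
    }
    return $result
}

function Get-TrapsEffectiveEpm {
    param([Parameter(Mandatory)][string]$ProcessName)
    try {
        # Access is denied here while Service Protection (Registry Protection) is still enabled
        Get-Item -Path $PolicyRoot -ErrorAction Stop | Out-Null
    } catch {
        throw "Cannot open $PolicyRoot ($($_.Exception.Message)). Run elevated and check 'cytool.exe protect query'."
    }
    $default  = Read-EpmKey -KeyPath (Join-Path -Path $PolicyRoot -ChildPath 'Default')
    $specific = Read-EpmKey -KeyPath (Join-Path -Path $PolicyRoot -ChildPath $ProcessName)

    # A process-specific value overrides Default; every other module inherits the Default value
    $modules = @($default.Keys) + @($specific.Keys) | Sort-Object -Unique
    foreach ($code in $modules) {
        $overridden = $specific.ContainsKey($code)
        $value  = if ($overridden) { $specific[$code] } else { $default[$code] }
        $source = if ($overridden) { $ProcessName } else { 'Default' }
        [pscustomobject]@{
            Process = $ProcessName
            Module  = $code
            Enabled = ($value -eq 1)
            Source  = $source       # tells you which key to change on the ESM Console
        }
    }
}

# With the article's example policy, J01 is reported Enabled=True, Source=acrobat.exe for acrobat.exe
Get-TrapsEffectiveEpm -ProcessName 'acrobat.exe' | Format-Table -AutoSize
```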

 

 

 

2.1 Manage the Client Policy on the Endpoint without TrapsExplorer

 

The policy running on the Endpoint should be managed from the Endpoint Security Manager (ESM) Console.


In some circumstances, for instance while isolating compatibility issues, it can be helpful to manage the policy directly on the Endpoint. Most commonly, Exploit Protection Modules (EPMs) and Malware Protection Modules (MPMs) settings are temporarily changed in the registry to confirm the outcome of a given configuration before applying it from the Endpoint Security Manager (ESM) Console.

 

Follow these steps to temporarily change the Client Policy on the Endpoint:
 

  1. If required, disable Service Protection.

    This is required to gain access to the relevant key in the Windows Registry.
    It can be done from the Settings > Agent > Settings page on the Endpoint Security Manager (ESM) Console, or by using the cytool utility from an elevated command prompt.

    Please note, it is necessary to enter the uninstall password to proceed with this step using the cytool utility.
     
    "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect disable
  2. Stop the Traps Windows NT Service.

    Run the following from an elevated command prompt on the Endpoint.

    Note: Make sure the Traps service will remain stopped for the whole duration of this activity. The service Startup Type may be set to "Disabled" if required.
     
    sc stop CyveraService
  3. Change configuration and perform the necessary tests.

    Access the Windows Registry and modify the content of the HKEY_LOCAL_MACHINE\SYSTEM\Cyvera\Policy key described in section 1.2, according to the desired configuration.
    Note that for configuration changes to apply, the process Traps injects into needs to be restarted. If that process is a Windows process that cannot be terminated within the current Windows session (e.g. logonui.exe), a log-off or reboot is required.
     
  4. Return the Endpoint to the initial state.

    If Service Protection was disabled in step 1 above, enable it again. It can be done from the Settings > Agent > Settings page on the Endpoint Security Manager (ESM) Console, or by using the cytool utility from an elevated command prompt.

    Please note, it is necessary to enter the uninstall password to proceed with this step using the cytool utility.
     
    "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect policy

    Then start the Traps service by running the following from an elevated command prompt on the Endpoint. Once the Traps service is started and a heartbeat is completed, the Client Policy reverts to the one from the Endpoint Security Manager (ESM). No further action is required.

    Note: Make sure the Traps service Startup Type is set back to its original value if it was modified in step 2 above.
     
    sc start CyveraService
  5. Apply the new configuration.

    Once isolation is completed, the Exploit Protection Module (EPM) configuration on the Endpoint Security Manager (ESM) can be updated with the new findings.

    For instance, if it was found that disabling DLL Security (DllSec) for notepad++.exe works around a compatibility issue, this configuration can now be created on the Endpoint Security Manager (ESM) Console for the relevant Endpoints.
     
  6. Report to Support.

    Please contact Palo Alto Networks Support to report the original issue, along with any information found during this investigation.
    https://www.paloaltonetworks.com/company/contact-support

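A helper for the procedure in steps 1 to 4, added here as an example that is not part of the article or of the Traps product: it snapshots the service status, its Startup Type and the Service Protection status before step 1, keeps a copy of the policy key once Service Protection is disabled, and after step 4 reports anything that is not back in its initial state. It assumes the cytool path and the 'protect query' subcommand quoted in the article (its output is compared as text, not parsed) and Windows PowerShell 3 or later.

```powershell
# Added example (not from the article): verify the endpoint really returned to its initial state.
# Assumptions: cytool path and 'protect query' as quoted in the article; Windows PowerShell 3+.
$Cytool    = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'
$PolicyKey = 'HKLM\SYSTEM\Cyvera\Policy'

function Get-TrapsState {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CyveraService'"
    [pscustomobject]@{
        ServiceState = $svc.State        # Running / Stopped
        StartMode    = $svc.StartMode    # Auto / Manual / Disabled
        ProtectQuery = (& $Cytool protect query 2>&1 | Out-String).Trim()
    }
}

# Before step 1: snapshot service status, Startup Type and Service Protection status
function Save-TrapsState {
    param([string]$Dir = (Join-Path $env:TEMP 'traps-policy-test'))
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    Get-TrapsState | Export-Clixml -Path (Join-Path $Dir 'state-before.xml')
    return $Dir
}

# After step 1 (Service Protection disabled), before editing anything: keep a copy of the
# policy key so the changes made in step 3 can be diffed or re-imported later
function Export-TrapsPolicyKey {
    param([Parameter(Mandatory)][string]$Dir)
    & reg.exe export $PolicyKey (Join-Path $Dir 'policy-before.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $PolicyKey failed; is Service Protection still enabled?" }
}

# After step 4: compare the current state with the snapshot and warn about what still differs
function Test-TrapsStateRestored {
    param([Parameter(Mandatory)][string]$Dir)
    $before = Import-Clixml -Path (Join-Path $Dir 'state-before.xml')
    $after  = Get-TrapsState
    $problems = @()
    if ($after.ServiceState -ne $before.ServiceState) { $problems += "CyveraService is $($after.ServiceState), was $($before.ServiceState)" }
    if ($after.StartMode    -ne $before.StartMode)    { $problems += "Startup Type is $($after.StartMode), was $($before.StartMode)" }
    if ($after.ProtectQuery -ne $before.ProtectQuery) { $problems += "Service Protection status differs from the snapshot:`n$($after.ProtectQuery)" }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)   # $true only when everything matches the initial state
}

# $dir = Save-TrapsState              # before step 1
# Export-TrapsPolicyKey -Dir $dir     # after step 1
# Test-TrapsStateRestored -Dir $dir   # after step 4
```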
 

Important! Please proceed with caution during the steps above. While troubleshooting the Client Policy, the Endpoint should be isolated from the network and secured. While the Traps service is stopped, WildFire, Restrictions, and Process Reporting will not work; Exploit Protection Modules (EPMs) and Malware Protection Modules (MPMs) will continue to work. Also, the Agent will not communicate with the Endpoint Security Manager (ESM), so changes to the policies will not apply as long as the CyveraService service is stopped on the Endpoint.



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSLCA0&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail