Traps 3.3.3 Changes Default Behaviour


Created On 09/25/18 19:03 PM - Last Modified 06/08/23 06:30 AM


Resolution


With the release of Traps 3.3.3 for the endpoint come some changes to the default behaviour and a number of addressed issues; please review them below.

 

Changes to Default Behavior in 3.3.3

 

Changes to the exploit protection policy now reduce the amount of fine-tuning required when you deploy the Endpoint Security Manager software out-of-the-box.
 
Previously, the exploit protection policy used a hyper-sensitive approach to prevent exploits. Although this provided the best coverage possible, this also caused Traps to prevent the behavior of some legitimate applications.
 
Starting with Traps 3.3.3, the exploit protection policy leverages multi-layer protection capabilities and contains rules that use a combination of different modules instead of their individual capabilities. This approach enables a more lenient default exploit protection policy while delivering the same overall detection, protection, and prevention capabilities. To support it, the policy of some modules is refined and adjusted to better distinguish between legitimate and malicious behaviors. In addition, modules that are no longer relevant on newer operating systems are disabled.
 
After upgrading to this version of the Endpoint Security Manager, review the current policy and remove any conflicting user-defined rules. This ensures that changes to the default policy will take effect.
 
The changes to the default policy are detailed below:
  • The following processes are no longer protected by default (for the full list, see Process Protection):
 
After upgrading to this version of the Endpoint Security Manager, review the current policy and remove the process from any user-defined rules. Then, from the Process Management page, change the protection type for each process listed below to Unprotected (see View, Modify, or Delete a Process).

Issues Addressed in Traps 3.3.3

The following table lists the issues that are fixed in the Traps™ 3.3.3 release. For new features introduced in Traps 3.3, as well as known issues and limitations, see Traps 3.3 Release Information.

Issue Identifier  Description
CYV-8722          Fixed an issue with the VDI Tool where Traps localized the name of the Background Intelligent Transfer Service (BITS) in some non-English operating systems. With this fix, the localization requirement is removed.
CYV-8658          Fixed an issue on machines running both Traps and McAfee Solidcore that caused Thread Injection to stop responding. With this fix, the agent now disables Thread Injection on machines with McAfee Solidcore.
CYV-8634          Fixed an issue that prevented users from deleting protected processes when the process was tied to an inactive rule. With this fix, when you upgrade the ESM Server and the rule was removed from the default policy, the ESM Server removes the rule and classifies it as historic in the database, which allows you to delete a protected process that is no longer tied to a rule.
CYV-8561          Fixed an issue on machines running both Traps and McAfee Solidcore where running the cytool runtime stop command to disable protection when service protection is enabled caused computers to display a fatal system error if Traps failed to load cyinjct.X files.
CYV-8331          Fixed an issue where specifying a network path that included wildcards in the Child Process Whitelist caused slowness in the agent response time.
CYV-8276          Fixed an issue with the regex mechanism that caused irrelevant matches when you configured a condition to match on softwareVersion.
CYV-8200          Fixed an issue where executables with invalid metadata corrupted the local cache file, which caused Traps to delete the full verdict history after a restart. With this fix, when metadata is invalid, Traps writes it to the cache as N/A.
CYV-8115          Fixed an issue where exporting one or more security events to a comma-separated values (CSV) file resulted in a corrupt file.
CYV-7956          Fixed an issue that prevented Traps from decrypting a license when it was issued to a machine that used Turkish regional settings but included English characters in its name.
CYV-7921          Fixed an issue that caused the ESM Server to report an incorrect error message in the server logs when the SQL server was unreachable.
CYV-7664          Fixed an issue on machines running both Traps and McAfee Solidcore that caused the command process (cmd.exe) to stop responding after an injection failure.
For Traps 3.3 Release Information or the full release notes, please visit https://www.paloaltonetworks.com/documentation/33/endpoint/endpoint-release-notes/traps-3-3-release-information.
