Traps™ 3.4 Release Notes
Release 3.4.4
Revision Date: April 6, 2017

Palo Alto Networks Traps is a preemptive endpoint protection solution that protects workstations, servers, and VDI from a wide threat landscape. The Traps protection software blocks the most threatening attack vectors: it prevents the execution of malicious files based on the WildFire threat intelligence database, restricts the execution of unreliable files from external sources, and prevents attacks based on known or obfuscated exploits.

Review important information about the Traps 3.4 release, including new features introduced in this release, workarounds for open issues, and resolved issues. For the latest version of these release notes, refer to the Palo Alto Networks Traps 3.4 technical documentation portal.

Table of Contents

Traps 3.4 Release Information
  Features Introduced in Traps 3.4
    Features Introduced in Traps 3.4.3
    Features Introduced in Traps 3.4.2
    Features Introduced in Traps 3.4.1
    Features Introduced in Traps 3.4.0
  Changes to Default Behavior
    Changes to Default Behavior in 3.4.3
    Changes to Default Behavior in 3.4.2
    Changes to Default Behavior in 3.4.1
    Changes to Default Behavior in 3.4.0
  Associated Software Versions
  Limitations
    Incompatible Operating Systems
    Incompatible Security Products
  Known Issues
Traps 3.4.4 Addressed Issues
Traps 3.4.3 Addressed Issues
Traps 3.4.2 Addressed Issues
Traps 3.4.1 Addressed Issues
Traps 3.4.0 Addressed Issues
Getting Help
  Related Documentation
  Requesting Support

© Palo Alto Networks, Inc.

Traps 3.4 Release Information

For the most up-to-date information, refer to the online version of the Traps 3.4 Release Notes on the Technical Documentation portal.

Features Introduced in Traps 3.4

Features Introduced in Traps 3.4.3

The following feature was released in Traps 3.4.3.

Hash Identification of Portable Executables
  You can now use Cytool to identify hash information about files inside DLLs, drivers, and other portable executable (PE) files. For each file, Cytool displays the path, the file size in bytes, and the SHA256 hash of the file. For PEs, Cytool also displays information about the target PE inside the file, including its file size, architecture type (i386 or x64), platform (for example, Win32 GUI, Win32 Console, or NT native), and hash value. After you identify the hash associated with the target file, you can manage Hash Control from the ESM Console or add the hash to an SFX whitelist in the database.

Features Introduced in Traps 3.4.2

The following feature was released in Traps 3.4.2.

Extended OS Support for Traps
  You can now install the Traps agent on Windows Server 2016 Standard (Server with Desktop Experience). For more information, see Traps in the Palo Alto Networks® Compatibility Matrix.
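The Cytool output described under 3.4.3 above (path, size in bytes, SHA256 hash, and for a PE its architecture and platform) is derived from two header fields and one hash. The following is an added example and is not Cytool or any Palo Alto Networks code: it reads the COFF Machine field and the optional-header Subsystem field of a PE and hashes the bytes, with every read bounds-checked so a truncated or malformed file is reported as "not a PE" rather than raising. The sample inputs are minimal header-only PE images built by build_sample_pe (constructed for the example; no real binary is used), and the function names are the example's own.

```python
import hashlib
import struct

# Machine values from the COFF file header and Subsystem values from the
# optional header, per the PE/COFF specification. Only the values named in
# the release notes are mapped; anything else is reported numerically.
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x64"}
SUBSYSTEM_NAMES = {1: "NT native", 2: "Win32 GUI", 3: "Win32 Console"}

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
SUBSYSTEM_OFFSET = 68   # same offset in PE32 and PE32+ optional headers


def parse_pe_headers(data):
    """Return (machine, subsystem) for a PE image, or None if data is not a PE.

    Every offset is checked against len(data) before it is read, so hostile
    or truncated input cannot make the parser raise on a slice or unpack.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                     # COFF header follows "PE\0\0"
    opt = coff + COFF_HEADER_SIZE           # optional header follows COFF header
    if opt + SUBSYSTEM_OFFSET + 2 > len(data):
        return None
    if data[e_lfanew:coff] != b"PE\0\0":
        return None
    machine, _nsect, _ts, _symtab, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or opt_size < SUBSYSTEM_OFFSET + 2:
        return None
    (subsystem,) = struct.unpack_from("<H", data, opt + SUBSYSTEM_OFFSET)
    return machine, subsystem


def describe(data, path="<memory>"):
    """Summarise a file in the shape the release notes describe for Cytool."""
    info = {
        "path": path,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "arch": None,
        "platform": None,
    }
    parsed = parse_pe_headers(data)
    if parsed is not None:
        machine, subsystem = parsed
        info["arch"] = MACHINE_NAMES.get(machine, "unknown(0x%04x)" % machine)
        info["platform"] = SUBSYSTEM_NAMES.get(subsystem, "unknown(%d)" % subsystem)
    return info


def describe_file(path):
    with open(path, "rb") as f:
        return describe(f.read(), path)


def build_sample_pe(machine, subsystem, pe32plus):
    """Construct a minimal header-only PE image (sample input, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, SUBSYSTEM_OFFSET, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * 64


if __name__ == "__main__":
    for args in ((0x8664, 2, True), (0x014C, 3, False), (0x014C, 1, False)):
        print(describe(build_sample_pe(*args), "sample.exe"))
    print(describe(b"not a portable executable", "readme.txt"))
```

The hash this produces for a real file is the value you would enter in Hash Control or an SFX whitelist. Note that the example inspects only the outer file; Cytool additionally reports the target PE embedded inside a container, which requires locating that payload first.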
Features Introduced in Traps 3.4.1

The following features were released in Traps 3.4.1.

External Log Forwarding of Post-Detection Events
  You can now configure the ESM to forward logs about post-detection events to an external logging server or by email. This enables you to receive a notification for each endpoint on which the file executed.

Traps VDI Tool CLI
  To automate the process of setting up Traps in your VDI environment, you can now use a command-line interface (CLI) version of the Traps VDI Tool.

Traps VDI Tool Grayware Support
  When you use the Traps VDI Tool to create the WildFire cache of hashes and associated verdicts, you can now decide whether to write grayware verdicts to the cache. By default, the tool writes any grayware verdicts to the cache.

Features Introduced in Traps 3.4.0

The following features were released in Traps 3.4.0.

Local Analysis of Unknown Executable Files
  By default, Traps now uses local analysis to examine hundreds of characteristics of an unknown executable file to determine whether the file is likely to be malware. Local analysis uses a statistical model that was developed using machine learning on WildFire threat intelligence. With this feature, Traps quickly analyzes and assigns a local verdict (malicious or benign) to an unknown executable file when the endpoint is offline or while it waits for the official verdict from WildFire. Traps continues to use the local verdict to block or allow execution of the file until the agent receives an updated verdict from the ESM Server.

Content Updates
  To make content updates easier to manage, you can now view information about current and previous content updates on a dedicated Content Updates page in the ESM Console. From this page, you can also revert to a previous content update release. Content updates can now also include changes to the list of trusted signers and to the local analysis module.

Trusted Signers
  To avoid blocking legitimate software on the endpoint, Traps now evaluates whether an executable file is signed by a trusted signer. The list of trusted signers is based on the official trusted signer list in WildFire. Executable files that are signed by a trusted signer are exempt from further analysis and verdict evaluation. This is useful when unknown executable files, such as new software updates for the operating system or for applications, are signed by a trusted signer but have not yet been analyzed by WildFire. Note that the exemption bypasses both local analysis and WildFire verdict evaluation, and that changes to the trusted signer list are delivered through content updates.

Malware Remediation
  You can now enable Traps to transparently quarantine malicious executable files on endpoints. To determine whether an executable file is malicious and should be quarantined, Traps uses WildFire threat intelligence, local analysis, and the hash control policy. When malware is identified, Traps notifies the user about the quarantined file (if you enabled user alerts), removes the malware from the local folder or removable drive, and stores the file in a local quarantine folder. You can also restore a quarantined file to its original location.

Grayware Verdict Support
  Traps now supports grayware verdicts (verdicts that identify executable files that behave similarly to malware but are not malicious) in security policies. The grayware verdict lets you quickly distinguish malicious files on the endpoint from grayware and decide whether Traps treats these files as malicious or benign. The ESM Console now includes the grayware verdict in logs to help you assess the threat level of grayware events.

ESM Tech Support File
  To aid Technical Support in troubleshooting and diagnosing issues, you can now generate an ESM tech support file on demand. The file contains your effective (active) security policy, your ESM Console and ESM Server settings and logs, and additional useful data from the database. The ESM Console aggregates and packages these logs into a ZIP file that you can download and attach to a support case.

Proxy Communication Support
  You can now configure a proxy server for communication between the Endpoint Security Manager (ESM) components and WildFire. This is useful in ESM deployments that do not have direct internet access and must send traffic through a proxy server. The ESM supports both authenticated and unauthenticated proxy settings. You can also configure dedicated proxy servers for the ESM Console or for specific ESM Servers.

Extended OS Support
  You can now install Traps on endpoints running Windows Embedded 7 (Standard and POSReady), Windows Embedded 8.1 Pro, and Windows 10 Enterprise LTSB. For more information, see Traps Software Requirements.

Changes to Default Behavior

Changes to Default Behavior in 3.4.3

On the Hash Control page, the ESM Console now changes the Upload Status of a file to Succeeded as soon as it successfully sends the file to WildFire. Previously, the ESM Console changed the Upload Status to Succeeded only after it obtained the verdict.

Changes to Default Behavior in 3.4.2

To reduce memory consumption by CyveraService.exe, the Traps service no longer listens for process crash events and no longer sends process crash reports to the ESM Server. As a result, the ESM Console no longer displays process crashes on the Security Events pages. Crash events continue to be written to the Windows Event Log, and you can collect them by clicking Send Support File from the Traps console.

Security events for the DLL-Hijacking Protection exploit protection module are now displayed under Threats instead of under Provisional Mode.

Changes to Default Behavior in 3.4.1

Traps 3.4.1 includes the following changes to default behavior:

For compatibility reasons, the JIT Mitigation and ROP Mitigation modules are now disabled when McAfee VirusScan 8.8 is installed.

The content update package and the Content Updates page on the ESM Console no longer include the Release Notes link. To view the Release Notes for your Traps content update version, go to the Support Site > Dynamic Updates.

Changes to Default Behavior in 3.4.0

Traps 3.4.0 includes the following changes to default behavior:

The ESM Server now supports up to 16,000 agents. In multi-ESM deployments, you can deploy a maximum of five ESM Servers to support a total of 80,000 agents.

To improve the accuracy of the default security policy, exploit protection rules are no longer applied to all protected processes. Instead, the exploit protection rules now apply only to specific, relevant processes. Because Traps evaluates process-specific rules before rules that apply to all protected processes, a process-specific rule in the default security policy can override a user-defined rule that applies to all protected processes. To ensure that default policy rules do not override your user-defined rules, edit each user-defined rule so that it applies to specific processes.
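The precedence described in the preceding paragraph is easy to get wrong in practice: an administrator who disables a module "for all processes" to work around a compatibility problem may find it still enabled for the processes the default policy names. The following added example (not ESM or Traps code) models that evaluation order with a small resolver. The process name, the module, and the rules are constructed for the scenario; the page states only that process-specific rules are evaluated before all-process rules, so the tie-break within the same scope (user-defined before default) is an assumption of the example.

```python
from dataclasses import dataclass

ALL_PROCESSES = "*"   # marker for a rule that applies to every protected process


@dataclass(frozen=True)
class EpmRule:
    name: str             # exploit protection module the rule configures
    source: str           # "default" (content policy) or "user" (defined in the ESM Console)
    processes: frozenset  # process names, or {ALL_PROCESSES}
    enabled: bool         # whether this rule turns the module on or off

    def matches(self, process):
        return ALL_PROCESSES in self.processes or process in self.processes

    def is_process_specific(self):
        return ALL_PROCESSES not in self.processes


def effective_state(process, rules):
    """Resolve whether a module is enabled for `process`.

    Process-specific rules are evaluated before rules that apply to all
    protected processes (as the release notes state). Within the same scope,
    user-defined rules are assumed to win over default rules; that tie-break
    is the example's assumption. Returns True/False, or None if nothing matches.
    """
    candidates = [r for r in rules if r.matches(process)]
    candidates.sort(key=lambda r: (0 if r.is_process_specific() else 1,
                                   0 if r.source == "user" else 1))
    return candidates[0].enabled if candidates else None


# Constructed scenario: the default policy enables ROP Mitigation for a browser
# process, and an administrator tries to disable the module globally.
DEFAULT_ROP = EpmRule("ROP Mitigation", "default", frozenset({"iexplore.exe"}), True)
USER_ROP_ALL = EpmRule("ROP Mitigation", "user", frozenset({ALL_PROCESSES}), False)
USER_ROP_SCOPED = EpmRule("ROP Mitigation", "user", frozenset({"iexplore.exe"}), False)


def broken_policy():
    """All-process user rule loses to the process-specific default rule."""
    return effective_state("iexplore.exe", [DEFAULT_ROP, USER_ROP_ALL])


def fixed_policy():
    """Scoping the user rule to the process makes it take effect."""
    return effective_state("iexplore.exe", [DEFAULT_ROP, USER_ROP_SCOPED])


if __name__ == "__main__":
    print("all-process user rule, iexplore.exe enabled:", broken_policy())
    print("process-scoped user rule, iexplore.exe enabled:", fixed_policy())
    print("notepad.exe under the all-process rule:", effective_state("notepad.exe", [DEFAULT_ROP, USER_ROP_ALL]))
```

The practical check before relying on an all-process rule is therefore to list the processes the default policy names for that module and add each one to the user-defined rule explicitly.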
To improve the user experience, some exploit protection modules (EPMs) that produced excessive notifications in notification mode now support only prevention mode. Instead of notifying the user multiple times about an event, Traps immediately prevents the exploit and reports the prevention event. This change affects the following EPMs:
– Exception Heap Spray Check
– Memory Limit Heap Spray Check
– SEH Protection

To simplify the configuration of user-defined exploit protection rules, some options and configurable values that were redundant or were not used by the agent have been deprecated or are no longer configurable from the ESM Console. The affected EPMs and options are as follows:
– CPL Protection, DLL-Hijacking Protection, and Hot Patch Protection EPMs: the Deferred value is deprecated.
– JIT Mitigation and ROP Mitigation EPMs: the Stackwalk and Add Functions options can no longer be configured from the ESM Console. The values for these options are now included in the default policy.
– DEP EPM: to reduce redundancy, the SEH Check option is deprecated and the Stackwalk option is no longer configurable from the ESM Console.
– DLL Security EPM: the Optimize option is deprecated.
– Null Dereference Protection EPM: the Page Size option is no longer configurable from the ESM Console.
– Memory Limit Heap Spray Check EPM: the Action and Interval options are no longer configurable from the ESM Console.
– SEH Protection EPM: the Ignore OS and Aggressive options are deprecated.
– SysExit EPM: the Stub Size option is no longer configurable from the ESM Console.
– UASLR EPM: the Move Dynamic option is no longer configurable from the ESM Console. In addition, the Max Attempts option has been renamed Override OS randomization; setting it to Off corresponds to a Max Attempts value of 0.

To fine-tune and simplify the exploit protection policy, the following EPMs are deprecated and removed from the ESM Console:
– Master SEH
– Master VEH
– Periodic Heap Spray Check
– Random Preallocation
– T01 Compatibility
– Heap Corruption Mitigation
– GSCookie

The Generic EPM is no longer configurable from the ESM Console. Its settings are now included in the default policy.

To fine-tune and simplify the exploit protection policy, the Packed DLLs EPM has been removed from the ESM Console; its behavior is now configured through the DLL Security EPM.

When you configure a Java restriction rule, you can now configure only the browsers and the corresponding whitelisted Java processes. The Java restrictions for files and registry settings that were available in previous releases are deprecated.

The ability to define groups for administrative access using the DB Configuration Tool is deprecated. Instead, to grant administrative access to a group defined in Active Directory (if domain authentication is in use) or in Local Users and Groups (if machine authentication is in use), log in to the ESM Console.

To install Traps on Windows 8 and later or on Windows Server 2012 and later, you no longer need to install Microsoft .NET Framework 3.5.1. Instead, the Traps installation requires the .NET Framework that is enabled by default on the OS (.NET Framework 4.5 or later). On Windows 7, Windows Server 2008, and earlier releases, Traps continues to require .NET Framework 3.5.1. For a list of requirements, see Traps Software Requirements.

SQLite is no longer supported. Instead, you must use SQL Server Express, SQL Server Standard, or SQL Server Enterprise. For more information, see Database Software Requirements.

The Benign/Malware Verdict Recheck Interval (Minutes) setting has been renamed Known Verdict Recheck Interval (Minutes) and now also covers queries for grayware verdicts.

The default action for the WildFire policy has changed from Learning to Prevention. As a result, Traps now blocks all malware by default instead of only silently logging when a user opens malware.

The Allow and Block buttons on the Hash Control page have been superseded by the Treat as Benign and Treat as Malware options, which are available on the actions menu or in the additional details view for each hash record.

Because Traps now identifies malware through a layered evaluation (local analysis, trusted signers, the grayware policy, and so on), the action recorded for a hash no longer predicts the effective action for the executable file. For example, if grayware is not treated as malware but a restriction rule blocks the executable file, the action for the hash is Allow while the end result is Block. The Verdict tab on the Traps console, which did not take the other layers of the evaluation into account, has therefore been removed.

Associated Software Versions

The following minimum software versions are supported with Traps 3.4 components.

Software                                  Minimum Supported Version with Traps 3.4
ESM Server                                3.4
ESM Console                               3.4
Traps                                     3.2
Content Version for ESM Console 3.4.4     13
Content Version for ESM Console 3.4.3     10
Content Version for ESM Console 3.4.2     9
Content Version for ESM Console 3.4.1     7
Content Version for ESM Console 3.4.0     5

Limitations

This section describes the limitations of the Traps 3.4 software.
Incompatible Operating Systems

For information on supported operating systems, see the Traps topic in the Palo Alto Networks® Compatibility Matrix.

Incompatible Security Products

The following lists known incompatibilities with other security products, with their implications and the required actions.

Antivirus engines (such as Avira and AVG)
  Description: Antivirus engines detect Traps components, and some engines may falsely identify a Traps component as a threat.
  Implications and required actions: If a Traps component is flagged as a threat, exclude the component in the antivirus product's management tools. If required, contact Support.

Bitdefender Total Security
  Description: When Traps is installed on a 64-bit Windows 7 or Windows 8 system, installing Bitdefender causes a startup issue on the next reboot. When Bitdefender is already installed, installing Traps causes Windows Explorer to crash.
  Implications and required actions: Running Traps exploit protection and Bitdefender in parallel is not supported. All other malware protection functionality (local analysis, WildFire analysis, and restriction rules) continues to work as expected.

BUFFERZONE
  Description: BUFFERZONE collides with the Traps injection mechanism.
  Implications and required actions: Running Traps and BUFFERZONE in parallel is not supported.

Immunity Debugger
  Description: Immunity Debugger collides with the Traps injection mechanism.
  Implications and required actions: Running Traps exploit protection and Immunity Debugger in parallel is not supported. All other malware protection functionality (local analysis, WildFire analysis, and restriction rules) continues to work as expected.

McAfee Solidifier
  Description: Solidifier collides with the Traps injection mechanism.
  Implications and required actions: Running Traps exploit protection and Solidifier in parallel is not supported. All other malware protection functionality (local analysis, WildFire analysis, and restriction rules) continues to work as expected.

Microsoft Enhanced Mitigation Experience Toolkit (EMET)
  Description: Microsoft EMET collides with the Traps injection mechanism.
  Implications and required actions: Running Traps exploit protection and Microsoft EMET in parallel is not supported. All other malware protection functionality (local analysis, WildFire analysis, and restriction rules) continues to work as expected.

Panda Antivirus
  Description: Panda Antivirus collides with one of the Traps ROP Mitigation component checks.
  Implications and required actions: Running Traps exploit protection and Panda Antivirus in parallel is not supported. All other malware protection functionality (local analysis, WildFire analysis, and restriction rules) continues to work as expected.

VMware ThinApp
  Description: ThinApp collides with the Traps injection mechanism.
  Implications and required actions: Running Traps exploit protection and ThinApp in parallel is not supported. All other malware protection functionality (local analysis, WildFire analysis, and restriction rules) continues to work as expected.

Windows Defender
  Description: Windows Defender prevents the Traps agent from collecting prevention data.
  Implications and required actions: To enable Traps to collect data about prevention events, add the Traps prevention folder (C:\ProgramData\Cyvera\Prevention) to the folders that Windows Defender excludes from scanning.

Known Issues

The following known issues exist in Traps 3.4.

CYV-10101  After Traps quarantines malware, the operating system displays an error indicating that the quarantined file cannot be found. This occurs only when the current user does not have administrative rights on the endpoint.

CYV-10051  When a malicious executable file runs from an ISO image (such as a CD, DVD, or BD), Traps incorrectly displays a message that the file is in use instead of a message that the ISO is read-only and the file cannot be quarantined.

CYV-10010  If the Event Viewer service crashes on the endpoint, Traps reporting of process crash events and subsequent malware protection is disrupted. This is due to a dependency of CyveraService on the Event Viewer service.
  Workaround: Restart CyveraService on the endpoint to resume process crash reporting and malware protection.
  This issue is now resolved. See CYV-10084 in Traps 3.4.1 Addressed Issues.

CYV-9967  After you enter an invalid proxy IP address and then correct it, the ESM Console requires you to click Save twice before the new settings take effect. If you click Save only once and later return to the page, the ESM Console reverts to the previously saved setting.
  Workaround: Click Save twice after entering the valid proxy configuration.

CYV-9948  On endpoints whose hostnames contain Turkish characters, the Traps agent fails to upload files and logs using BITS.
  This issue is now resolved. See CYV-10076 in Traps 3.4.1 Addressed Issues.

CYV-9930  The DB Configuration Tool allows you to save a user who is not a local administrator on the ESM Console server because it does not validate administrative users.
  Workaround: Verify that users are administrators on the ESM Console server before adding them as administrative accounts using the DB Configuration Tool.

CYV-9858  The ESM Console truncates usernames longer than 20 characters.
  Workaround: Users whose usernames are longer than 20 characters must log in to the ESM Console using only the first 20 characters.

CYV-9790  When Service Protection is enabled and an administrator uninstalls Traps on the endpoint, some files remain in the ProgramData\cyvera folder. In some environments these files are owned by SYSTEM and cannot be removed by the administrative user.
  Workaround: Log off and log back in before attempting to delete these files.

CYV-9762  To create a network folder restriction rule, the ESM Console requires you to define a network folder whitelist before it lets you save the rule.

CYV-9751  In an environment where a secondary ESM Console is installed on an ESM Server, the ESM Server inherits the proxy settings of the secondary console.

CYV-9723  On Windows XP endpoints, when you click Send Support File from the Traps console, the agent fails to collect logs from the Event Viewer and sends only a partial collection of logs.

CYV-9705  When you configure rules to use target objects whose Windows user logon name is in UPN format (user@domain form), the ESM Console omits these objects and displays only sAMAccountNames.
  Workaround: To apply a rule to a target object with a UPN account name, specify the full Active Directory distinguished name.

CYV-9621  The BitsUpload manager fails to upload malware whose filename contains the right-to-left override (RLO) character.

CYV-9595  When you install Traps on a terminal server that is accessed by multiple users, user-specific rules do not work as expected. In some cases, Traps fails to apply a user-specific rule to the affected user; in other cases, Traps applies the user-specific rule to all users on the terminal server.

CYV-9585  Attempting to restore a file before Traps finishes retrieving the relevant memory dumps delays restoring the file to its original location.

CYV-9538  When you generate an ESM tech support file in an environment with two ESM Consoles, the ESM Console fails to retrieve the logs from the secondary console and does not display an error indicating the reason for the failure.

CYV-9468  When you use Cytool to stop all runtime services, Cytool stops every runtime service except the Traps Dump Analyzer Service.
  Workaround: Use another method, such as the Windows Services console, to stop the Traps Dump Analyzer Service.

CYV-9368  Traps fails to enforce local folder restrictions on endpoints that run the Japanese language version of Windows.

CYV-9360  In an ESM deployment with multiple ESM Servers, after you remove a server from the domain, the ESM Console does not update the Internal Address and continues to show the in-domain address.
  Workaround: In the ESM Console (Settings > ESM > Multi ESM), manually update the internal address of the ESM Server.

CYV-9355  Because older versions of Traps did not support a grayware verdict, grayware files received a benign verdict and were permitted to run. After you upgrade to Traps 3.4, the local cache retains the benign verdict for any grayware that previously ran on the endpoint, so subsequent attempts to run that grayware are still permitted.

CYV-9350  On some endpoints, CPU usage spikes while the Traps console is open.

CYV-9284  The first time a user opens an executable file larger than 50 MB (such as an installer), launch time increases because of trusted signer evaluation.

CYV-9215  When an exploit event occurs, some EPMs configured in Notification mode can cause Traps to display multiple notification messages about the same event.

CYV-9178  After the ESM Server or ESM Console software installs successfully, the installer logs the completion status of the installation inconsistently.

CYV-9024  When a UASLR prevention event occurs for a process in a hidden system folder, Traps does not provide a notification, collect forensic data, or log the event. When a UASLR prevention event occurs for a process outside a hidden system folder, notification, logging, and data collection all work as expected.

CYV-9015  In an environment with multiple ESM Servers, changing settings in Active Directory can cause policy inconsistencies between ESM Servers.
  This issue is now resolved. See CYV-9015 in Traps 3.4.1 Addressed Issues.

CYV-9007  When you generate an ESM tech support file while the ESM Console and the ESM Server are installed on the same device and service protection is enabled, some data cannot be retrieved because service protection blocks access to specific folders.

CYV-8959  When you change the state of a machine from workstation to virtual desktop infrastructure (VDI), Traps continues to use a license from the workstation license pool instead of obtaining a floating VDI license.

CYV-8923  If you configure an exploit protection rule that uses the DLL Security EPM, Flash Player crashes in 64-bit Firefox.

CYV-8834  If you upgrade .NET Framework in preparation for upgrading Traps and then remove the older .NET Framework version, the Traps upgrade fails.
  Workaround: To avoid uninstall and upgrade issues, do not remove the older version of .NET Framework before upgrading to this version of Traps.

CYV-8732  When you apply an action rule to an organizational unit and specify a group of machines as belonging to the organizational unit, endpoints in that group do not receive the agent rule.

CYV-5632  Adding a large number of processes as provisional processes increases the policy file size and causes problems transferring the policy XML files to the agents. As a result, the security policy can become out of date, and the ESM Console can display the agent on the endpoint as disconnected.

CYV-5061  When the Thread Injection malware protection module is enabled, installing Microsoft .NET Framework 4.5.2 raises a thread injection prevention event.
  Workaround: To permit users to install Microsoft .NET Framework 4.5.2, create a Thread Injection rule that whitelists injection by setup.exe into svchost.exe. To narrow the scope of the rule, add conditions that target only the affected endpoints.

Traps 3.4.4 Addressed Issues

The following issues are fixed in the Traps™ 3.4.4 release. For new features introduced in Traps 3.4, as well as known issues and limitations, see Traps 3.4 Release Information.

CYV-11900  Fixed an issue where not all licenses were revoked as expected, which resulted in some endpoints reserving more than one license from the pool.

CYV-11896  Fixed an issue with the Traps mini-filter driver (cyvrfsfd) that triggered a memory corruption bug in Windows virtualized environments.

CYV-11888  Upgraded the default policy to Content Update CU-13.

CYV-11850  Fixed an issue where a VDI endpoint experienced unexpectedly high CPU load when processing multiple prevention events in parallel. With this fix, CPU load remains steady under multiple parallel prevention events.

CYV-11832  Fixed an issue on a Remote Desktop Services (RDS) host running multiple sessions that prevented applications from starting.

CYV-11547  A security-related fix was made to prevent unauthenticated license revocation on active endpoints (CVE-2017-7408). With this fix, the ESM ignores revocation requests from agents and instead frees the license of each endpoint that has been disconnected for a period of time (7 days by default).
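The CVE-2017-7408 entry above describes a design change rather than a patch to a single check: the server stops honouring a client-originated "release my license" message, which anyone who can reach the ESM could send on behalf of any endpoint, and reclaims licenses only from its own record of when each endpoint last checked in. The following added example models that before-and-after behaviour in a toy license pool; it is not ESM code, and the message shapes, endpoint names, capacities, and method names are constructed for the illustration. The 7-day default is the figure the release notes give.

```python
DEFAULT_STALE_SECONDS = 7 * 24 * 60 * 60   # "disconnected for 7 days" default from the fix


class LicensePool:
    """Server-side record of which endpoints hold a license (constructed model)."""

    def __init__(self, capacity, stale_after=DEFAULT_STALE_SECONDS):
        self.capacity = capacity
        self.stale_after = stale_after
        self.last_seen = {}   # endpoint_id -> time of the endpoint's last check-in

    def licensed(self):
        return set(self.last_seen)

    def heartbeat(self, endpoint_id, now):
        """An agent check-in; allocates a license if the pool has room."""
        if endpoint_id not in self.last_seen and len(self.last_seen) >= self.capacity:
            return False
        self.last_seen[endpoint_id] = now
        return True

    def reap_stale(self, now):
        """Free licenses held by endpoints silent for longer than stale_after.

        This is the only path that frees a license after the fix, and it is
        driven purely by server-side state, not by anything a client sends.
        """
        stale = sorted(e for e, t in self.last_seen.items() if now - t > self.stale_after)
        for endpoint_id in stale:
            del self.last_seen[endpoint_id]
        return stale


class PreFixPool(LicensePool):
    """Behaviour the CVE describes: a 'revoke' message is honoured as received."""

    def handle_agent_message(self, msg, now):
        if msg["type"] == "heartbeat":
            return self.heartbeat(msg["endpoint"], now)
        if msg["type"] == "revoke":
            # Nothing ties the message to the endpoint it names, so any sender
            # can free (and thereby disconnect) any endpoint's license.
            self.last_seen.pop(msg["endpoint"], None)
            return True
        return False


class FixedPool(LicensePool):
    """Behaviour after the fix: revocation requests from agents are ignored."""

    def handle_agent_message(self, msg, now):
        if msg["type"] == "heartbeat":
            return self.heartbeat(msg["endpoint"], now)
        return False   # "revoke" (and anything else) has no effect on the pool


def simulate(pool_cls):
    """Constructed scenario: a forged 'revoke' for ws-01 arrives a minute after it checks in."""
    pool = pool_cls(capacity=2)
    pool.handle_agent_message({"type": "heartbeat", "endpoint": "ws-01"}, now=0)
    pool.handle_agent_message({"type": "revoke", "endpoint": "ws-01"}, now=60)
    still_licensed = "ws-01" in pool.licensed()
    # A week of silence frees the license in either model.
    freed = pool.reap_stale(now=DEFAULT_STALE_SECONDS + 61)
    return still_licensed, freed


if __name__ == "__main__":
    print("pre-fix: licensed after forged revoke, freed by timeout:", simulate(PreFixPool))
    print("fixed:   licensed after forged revoke, freed by timeout:", simulate(FixedPool))
```

The trade-off the fix makes is visible in the model: a reimaged or decommissioned endpoint keeps its license until the inactivity window expires, so pool headroom, not an agent message, is what absorbs churn in the meantime.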
Traps 3.4.3 Addressed Issues

The following table lists the issues that are fixed in the Traps™ 3.4.3 release. For new features introduced in Traps 3.4, as well as known issues and limitations, see Traps 3.4 Release Information.

Issue Identifier   Description
CYV-10987   Fixed an issue where the ESM Console did not display Prevention and Post Detection events in the agent logs. With this fix, the ESM Console correctly displays these events in the agent logs.
CYV-10921   Fixed a compatibility issue where exploit protection modules (EPMs) could not run when McAfee Buffer Overflow Protection was enabled in McAfee VirusScan. With this fix, EPMs are now compatible with McAfee VirusScan 8.8.
CYV-10907   Fixed an issue where sorting the hashes by Quarantine did not work properly. With this fix, the ESM Console correctly sorts the hashes.
CYV-10824   Fixed an issue where ChkDsk (the Windows system tool that verifies and resolves logical errors in the file system) encountered issues when Traps was installed. With this fix, ChkDsk can now run when Traps 3.4.3 is installed on the endpoint.
CYV-10776   Fixed an issue where trusted signer evaluation caused delays in starting the Traps service. With this fix, the Traps service is no longer dependent on trusted signer evaluation.
CYV-10723   Fixed an issue where the ESM Console did not require you to specify a Forensic Folder and permitted you to save the configuration with a blank entry. When this occurred, the ESM Server encountered errors trying to retrieve forensic data from Traps agents. With this fix, the ESM Console now requires you to specify a Forensic Folder and displays an error message when the field is empty.
CYV-10662   Fixed an issue where the ESM Console changed the Upload Status of a hash to Succeeded only after it obtained the verdict. With this fix, the ESM Console changes the Upload Status to Succeeded after it successfully sends the file to WildFire. The ESM Console assigns a verdict of Unknown until it receives the official WildFire verdict.
CYV-10554   Fixed an issue with external log forwarding which caused the ESM to log a Communications Check With Proxy event each time you changed an ESM setting. With this fix, the ESM now logs a Communications Check With Proxy event only when you change proxy settings.

Traps 3.4.2 Addressed Issues

The following table lists the issues that are fixed in the Traps™ 3.4.2 release. For new features introduced in Traps 3.4, as well as known issues and limitations, see Traps 3.4 Release Information.

Issue Identifier   Description
CYV-10645   Fixed an issue on endpoints with multiple processors that resulted in a system failure and a CLOCK_WATCHDOG_TIMEOUT error. With this fix, this scenario no longer produces a system failure with this error.
CYV-10627   Fixed an issue with child process restrictions that prevented WebEx from starting a meeting in a Chrome browser. To fix this issue, you must contact Support to obtain the rules that allow WebEx to run in Chrome.
CYV-10569   Fixed an issue that caused installation to fail when you upgraded from 3.3.3 to 3.4.1 and the database contained duplicate keys in the client processes table. With this fix, the database migration process handles duplicate client process keys so that installation completes successfully.
CYV-10564   Fixed an issue where the agent would not retrieve a rule when the rule applied to user objects that use different pre-Windows 2000 and post-Windows 2000 logon names in Active Directory. With this fix, Traps identifies the user object using only the sAMAccountName to determine when a rule is applicable.
CYV-10549   Fixed an issue with external log forwarding of LEEF events where the events did not include the devTimeFormat (for example, MMM dd yyyy HH:mm:ss). With this fix, all LEEF events now include the devTimeFormat in addition to the devTime.
CYV-10547   Fixed an issue where the ESM Console displayed ESM Server logs on the Monitor > Agent > Logs page and agent logs on the Monitor > ESM > Logs page. With this fix, the ESM Console now correctly displays the logs on each page according to the log type.
CYV-10546   Fixed an issue where the ESM Server periodically checked for a verdict from WildFire for files that were larger than the maximum permitted sample size of 100MB. With this fix, the ESM Server no longer attempts to retrieve a verdict for files that are greater than 100MB in size.
CYV-10537   Fixed an issue where the ESM Console did not display a notification when the ESM Server version did not match the ESM Console version. With this fix, when the versions do not match, the ESM Console now displays an error indicating the version mismatch. To avoid this error message, verify that the ESM components run the same version before attempting to log in to the ESM Console.
CYV-10536   Fixed an issue with external log forwarding where a Post Detection Event excluded the agent version.
CYV-10533   Fixed an issue where the agent excluded Event Trace Logs from the support file that Traps generates when you either click Send Support File from the Traps console or configure an action rule to collect logs from the ESM Console. With this fix, when you enable the collection of Event Trace Logs by using the cytool log start command, Traps includes the logs with the support file it sends to the ESM.
CYV-10517   Fixed an issue with a default compatibility rule for Digital Guardian which overwrote the value of longHooks upon upgrade. With this fix, upgrading the ESM to 3.4.2 no longer overwrites the value in the compatibility rule.
CYV-10459   Fixed an issue that caused heavy load on the domain controller due to a high volume of Active Directory queries from many agents on each heartbeat.
CYV-10442   Fixed an issue that caused the ESM Console to display security events related to unknown executable files under Threats instead of Provisional Mode. With this fix, the ESM Console correctly displays these events (categorized as type WildFireUnknown) in Provisional Mode.
CYV-10423   Fixed an upgrade issue where the upgrade failed during rule migration when a rule contained both protected and provisional processes and one or more conditions. With this fix, upon upgrade, the ESM Console splits such a rule into two (one for the protected processes and one for the provisional processes) and applies the conditions to both.
CYV-10419   Fixed an issue where the DB Configuration Tool did not allow you to modify the authentication mode used by the ESM Console. With this fix, you can now modify the setting to either Domain or Machine authentication.
CYV-10407   Fixed an upgrade issue where Local Analysis was disabled in WildFire rules when you upgraded from an older version that did not support Local Analysis. With this fix, Local Analysis is now enabled when the WildFire rule is enabled.
CYV-10405   Fixed an installation issue which permitted the ESM install to continue when you entered an incorrect domain name in the database settings. With this fix, the installer now validates the domain before continuing.
CYV-10396   Fixed an issue where the ESM Console prematurely updated the status of an action rule to upload data to Succeeded before the action completed. With this fix, the ESM Console updates the status only when it receives an updated completion status from the agent.
CYV-10083   Fixed an issue on the Hash Control page where executable files that do not have an official WildFire verdict but are signed by a trusted signer provided no indication that the file was trusted on the endpoint. With this fix, the Local Analysis field now displays a Trusted status when the executable was signed by a trusted signer.

Traps 3.4.1 Addressed Issues

The following table lists the issues that are fixed in the Traps™ 3.4.1 release. For new features introduced in Traps 3.4, as well as known issues and limitations, see Traps 3.4 Release Information.

Issue Identifier   Description
CYV-10463   Fixed an issue with local analysis that caused high CPU usage on XenDesktop clients.
CYV-10449   Fixed an issue with Active Directory (AD) queries which resulted in a heavy load on the AD server. With this fix, queries are now optimized to improve performance.
CYV-10388   Fixed an issue with content updates where the ESM Console displayed an invalid link for the Update Site. With this fix, the link is now labeled Support Site and points to the site where the content updates are hosted.
CYV-10383   Fixed a number of issues with external log forwarding to address format inconsistencies. Also added the IP address of the ESM Server or endpoint to relevant events.
CYV-10328   Fixed an issue where, after upgrading the ESM Server, agents running earlier versions of Traps did not receive an updated policy unless you created or edited a user rule after the upgrade.
CYV-10327   Fixed an issue that prevented you from disabling the Traps Dump Analyzer service when service protection was enabled.
CYV-10320   Fixed an issue on Windows 10 endpoints where users experienced issues with Traps injection for several applications, including rundll32 and custom applications that utilize cmd.exe.
CYV-10307   Fixed an issue where Traps prematurely reported a local analysis failure before the Traps Local Analysis service was operational. With this fix, Traps now waits until the Traps Local Analysis service is fully operational before reporting any errors.
CYV-10294   Fixed an issue encountered during the ESM Server and ESM Console installation where the installer omitted SQL Server 2016 as a valid database type.
CYV-10290   Fixed an issue that prevented the Traps Local Analysis service from restarting after it failed to start or a system error occurred. With this fix, the Traps Local Analysis service automatically restarts after encountering an error or failing to start.
CYV-10284   Fixed an ESM Server upgrade issue where a duplicate entry in the ProcessHashes table resulted in an upgrade failure when upgrading to version 3.4.0. With this fix, any duplicate entries are removed during the upgrade process, allowing the upgrade to complete successfully.
CYV-10270   Fixed an issue with the quarantine feature where you could not restore executable files on Windows Live File systems that use Universal Disk Format (UDF). With this fix, you can now restore executable files as expected.
CYV-10234   Fixed a compatibility issue with SearchInform that occurred when Traps and SearchInform were installed in parallel. With this fix, processes no longer produce errors when SearchInform and Traps are installed on the same endpoint.
CYV-10224   Fixed an issue that caused the endpoint to become unresponsive when multiple Traps console processes on the agent were executed simultaneously. With this fix, the Traps process notification mechanism was updated to handle additional console processes.
CYV-10121   Fixed a compatibility issue between Traps and Trend Micro™ Office Scan™ 11.xx where Office Scan collided with the Traps injection mechanism. With this fix, you can now run Traps exploit protection and Office Scan in parallel.
CYV-10087   Fixed an issue with manually added processes whose names contained extensions other than .exe (for example, process.scr), which caused Traps to write the process name to the registry with a .exe extension (for example, process.scr.exe). With this fix, you can now manually add process names with extensions other than .exe. In addition, the ESM Console now displays a notification when you enter a process name with a non-exe extension.
CYV-10084   Fixed an issue that caused the CyveraService to halt abruptly after the Windows Event Viewer service restarted. With this fix, the dependency of the CyveraService on the Event Viewer service was removed.
CYV-10076   Fixed an issue on endpoints whose hostnames contain Turkish characters, where the Traps agent failed to upload files and logs using BITS. With this fix, the Traps agent uploads files and logs from such endpoints as expected.
CYV-9967    Fixed an issue where the ESM Console required you to save settings twice for those settings to take effect. With this fix, you are only required to click Save once before the new settings take effect.
CYV-9883    Fixed an issue with one-time action rules to Erase memory dumps where Traps deleted the .dmp files but ignored .dmp.report files. With this fix, the agent also deletes the .dmp.report files when it receives the action rule to delete the parent memory dump.
CYV-9840    Fixed an issue where the ESM Console did not display deleted endpoints in Agent > Health when you applied the Historic filter.
CYV-9839    Fixed an issue where a one-time action rule configured to retrieve logs and data from the endpoint failed to resume after the Traps service was stopped and started during its execution. With this fix, any in-progress BITS jobs resume after the Traps service restarts.
CYV-9561    Fixed an issue that delayed the calculation of hashes (up to 8 seconds for executable files of size 50MB), which was caused by network slowness. With this fix, Traps uses a new algorithm to calculate the hash. The new algorithm reduces the time to calculate the hash, thus improving the user experience.
CYV-9015    Fixed an issue in environments with multiple ESM Servers where changing settings in Active Directory caused inconsistencies in policies between ESM Servers.
CYV-8696    Fixed an upgrade issue with the ESM Server caused by an invalid connection to the database during the database migration step. With this fix, the installer now provides additional validation during the upgrade and more detailed logs to aid in troubleshooting.
CYV-8182    Fixed an ESM Server and ESM Console installation issue with the database configuration to clarify the account name required for authentication with the database. With this fix, the account field now specifies that Domain\user is required for Windows Authentication.
CYV-7418    Fixed an issue that permitted Traps to submit files which exceeded the configured maximum file size for WildFire analysis. With this fix, Traps now adheres to the maximum file size and the Hash Control page displays the Upload Status as Upload limit exceeded when the file size exceeds the configured maximum.

Traps 3.4.0 Addressed Issues

The following table lists the issues that are fixed in the Traps™ 3.4 release. For new features introduced in Traps 3.4, as well as known issues and limitations, see Traps 3.4 Release Information.

Issue Identifier   Description
CYV-2332    Fixed an issue where Java registry and Java file system restriction rules failed to block Java processes and applets from accessing the matching registry or file system path.
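The LEEF entry CYV-10549 in the 3.4.2 list above restored the devTimeFormat field; a log pipeline receiving forwarded Traps events can verify that the field is present and that devTime actually parses with it. The following is an added example, not Palo Alto Networks code: the sample events are constructed, the event ID and the attributes other than devTime and devTimeFormat are assumptions, and the LEEF 2.0 hex-delimiter handling is an assumption about that format rather than anything Traps emits.

```python
# Added example (not Palo Alto Networks code): audit forwarded Traps LEEF
# events for the devTimeFormat field that CYV-10549 restored.
import re
from datetime import datetime

# Java-style date tokens used by LEEF devTimeFormat -> strptime codes. Unmapped
# tokens stay verbatim so strptime fails loudly instead of mis-parsing.
_JAVA_TO_STRPTIME = {
    "yyyy": "%Y", "MMM": "%b", "MM": "%m", "dd": "%d",
    "HH": "%H", "mm": "%M", "ss": "%S",
}
_TOKEN_RE = re.compile("|".join(sorted(_JAVA_TO_STRPTIME, key=len, reverse=True)))

def java_format_to_strptime(fmt):
    """Translate e.g. 'MMM dd yyyy HH:mm:ss' into '%b %d %Y %H:%M:%S'."""
    return _TOKEN_RE.sub(lambda m: _JAVA_TO_STRPTIME[m.group(0)], fmt)

def parse_leef(line):
    """Split one LEEF 1.0/2.0 record into header fields and an attribute dict."""
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record: %r" % line)
    version, body, delim = parts[0][5:], parts[5], "\t"
    if version == "2.0" and "|" in body:   # LEEF 2.0 may name its own delimiter
        delim, body = body.split("|", 1)
        if re.fullmatch(r"0?x[0-9a-fA-F]{2}", delim):  # hex form, e.g. x09 (assumption)
            delim = chr(int(delim[-2:], 16))
        delim = delim or "\t"
    attrs = {}
    for field in body.split(delim):
        key, eq, value = field.partition("=")
        if eq:
            attrs[key] = value
    return {"version": version, "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "attrs": attrs}

def check_dev_time(event):
    """Return (status, datetime or None): 'ok' when devTime parses with its
    devTimeFormat, 'no_format' for the pre-3.4.2 shape that lacks the field,
    'mismatch' when both are present but disagree."""
    attrs = event["attrs"]
    if "devTimeFormat" not in attrs:
        return "no_format", None
    try:
        fmt = java_format_to_strptime(attrs["devTimeFormat"])
        return "ok", datetime.strptime(attrs["devTime"], fmt)
    except (KeyError, ValueError):
        return "mismatch", None

# Constructed sample events; the event ID and the attributes other than
# devTime/devTimeFormat are assumptions, not the real Traps schema.
SAMPLE_EVENTS = [
    "LEEF:1.0|Palo Alto Networks|Traps|3.4.2|Prevention|"
    "devTime=Apr 06 2017 10:15:30\tdevTimeFormat=MMM dd yyyy HH:mm:ss\tsrc=10.0.0.5",
    "LEEF:1.0|Palo Alto Networks|Traps|3.4.1|Prevention|"
    "devTime=Apr 06 2017 10:16:02\tsrc=10.0.0.6",
    "LEEF:2.0|Palo Alto Networks|Traps|3.4.2|Prevention|x09|"
    "devTime=2017-04-06T10:17:00\tdevTimeFormat=MMM dd yyyy HH:mm:ss",
]

def audit(lines):
    """Return the devTime status of each forwarded line, in order."""
    return [check_dev_time(parse_leef(line))[0] for line in lines]
```

Run `audit()` over a captured batch from the forwarder: any `no_format` result means the sending ESM predates the 3.4.2 fix, and `mismatch` means the timestamp cannot be trusted for correlation.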
Getting Help

The following topics provide information on where to find out more about our products and how to request support:
Related Documentation
Requesting Support

Related Documentation

Refer to the following Traps 3.4 documentation on the Technical Documentation portal or search the documentation for more information on our products. For information on the additional capabilities and for instructions on configuring Traps features, refer to the Traps Administrator's Guide, Version 3.4.

Requesting Support

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html. To provide feedback on the documentation, please write to us at: [email protected].

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-support

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: April 6, 2017