Traps™ 3.4 Release Notes

 Traps™ 3.4.1 Release Notes
Revision Date: October 20, 2016
Palo Alto Networks Traps is a full, preemptive solution that protects workstations, servers, and VDI from a wide threat landscape. The Traps protection software is effective in blocking the most threatening attack vectors, enabling live‐prevention of malicious file executions based on the WildFire threat intelligence database, restricting the execution of unreliable files from external sources, and preventing attacks based on known or obfuscated exploits.
Review important information about the Traps 3.4 release including new features introduced in this release, workarounds for open issues, and resolved issues. For the latest version of these release notes, refer to the Palo Alto Networks Traps 3.4 technical documentation portal.
Table of Contents
Traps 3.4 Release Information
Features Introduced in Traps 3.4
  Features Introduced in Traps 3.4.1
  Features Introduced in Traps 3.4.0
Changes to Default Behavior
  Changes to Default Behavior in 3.4.1
  Changes to Default Behavior in 3.4.0
Associated Software Versions
Limitations
  Incompatible Operating Systems
  Incompatible Security Products
Known Issues
Traps 3.4.1 Addressed Issues
Traps 3.4.0 Addressed Issues
Getting Help
© Palo Alto Networks, Inc.
Traps 3.4 Release Information
For the most up‐to‐date information, refer to the online version of the Traps 3.4 Release Notes on the Technical Documentation portal.

• Features Introduced in Traps 3.4
• Changes to Default Behavior
• Upgrade/Downgrade Considerations
• Associated Software Versions
• Limitations
• Known Issues
• Traps 3.4.1 Addressed Issues
• Traps 3.4.0 Addressed Issues
• Getting Help

Features Introduced in Traps 3.4
• Features Introduced in Traps 3.4.1
• Features Introduced in Traps 3.4.0
Features Introduced in Traps 3.4.1
The following table describes features released in Traps 3.4.1.
New Feature
Description
External Log Forwarding of Post‐Detection Events
You can now configure the ESM to forward logs about post‐detection events to an external logging server or email. This enables you to receive notifications for each endpoint on which the file executed.
Traps VDI Tool CLI
To automate the process of setting up Traps in your VDI environment, you can now use a command‐line interface (CLI) version of the Traps VDI Tool.
Traps VDI Tool Grayware Support
When you use the Traps VDI Tool to create the WildFire cache of hashes and associated verdicts, you can now decide whether to write grayware verdicts to the cache. By default, the tool automatically writes any grayware to the cache.
Features Introduced in Traps 3.4.0
The following table describes features released in Traps 3.4.0.
New Feature
Description
Local Analysis of Unknown Executable Files
By default, Traps now uses local analysis to examine hundreds of characteristics associated with an unknown executable file to determine if the file is likely to be malware. Local analysis uses a statistical model that was developed using machine learning on WildFire threat intelligence. With this feature, Traps quickly analyzes and assigns a local verdict (malicious or benign) to an unknown executable file when the endpoint is offline or while waiting for the official verdict from WildFire. Traps continues to use the local verdict to block or allow the execution of the unknown executable file until the agent receives an updated verdict from the ESM Server.
Content Updates
To enable you to more easily manage content updates, you can now view information about current or previous content updates from a dedicated Content Updates page in the ESM Console. From this new page, you can also revert to previous content update releases. Additionally, content updates can now include changes to the list of trusted signers and to the local analysis module.
Trusted Signers
To ensure Traps never prevents legitimate files from executing on the endpoint, Traps now evaluates whether files are signed by a trusted signer. The list of trusted signers is based on the official trusted signer list in WildFire. Therefore, executable files that are signed by trusted signers are exempt from additional analysis and verdict evaluation. This feature is useful in situations where unknown executable files, such as new software updates for the operating system or for applications, are signed by a trusted signer but have not yet been analyzed by WildFire.
Malware Remediation
You can now enable Traps to transparently quarantine malicious executable files on endpoints. To determine if an executable file is malicious and should be quarantined, Traps uses information from the following sources: WildFire threat intelligence, local analysis, and hash control policy. When malware is identified, Traps notifies the user about the quarantined file (if you enabled user alerts), removes the malware from the local folder or removable hard‐drive, and stores the file in a local quarantine folder. With this feature, you can also restore a quarantined file to its original location.
Grayware Verdict Support
Traps now supports the use of grayware verdicts—verdicts that identify executable files that behave similarly to malware but that are not malicious—in security policies. The grayware verdict allows you to quickly distinguish malicious files on the endpoint from grayware and to determine whether Traps treats these files as malicious or benign. The ESM Console now includes the grayware verdict in logs to help you assess the threat level of grayware events.
ESM Tech Support File
To aid Technical Support in troubleshooting and diagnosing issues, you can now generate an ESM tech support file on demand. This file contains important information about your effective (active) security policy, your ESM Console and ESM Server settings and logs, and additional useful data from the database. The ESM Console aggregates and packages these logs into a ZIP file that you can then download and attach to a support case when needed.
Proxy Communication Support
You can now configure a proxy server for proxied communication between the Endpoint Security Manager (ESM) components and WildFire. This can be useful in ESM deployments that do not require direct access to the internet and are required to send traffic through a proxy server. The ESM supports both authenticated and unauthenticated proxy settings. You can also configure dedicated proxy servers for use by the ESM Console or by specific ESM Servers.
Extended OS Support
You can now install Traps on endpoints running Windows Embedded 7 (Standard and POSReady), Windows Embedded 8.1 Pro, and Windows 10 Enterprise LTSB. For more information, see Traps Software Requirements.
Changes to Default Behavior
• Changes to Default Behavior in 3.4.1
• Changes to Default Behavior in 3.4.0
Changes to Default Behavior in 3.4.1
Traps 3.4.1 includes the following changes to default behavior:

For compatibility reasons, the JIT Mitigation and ROP Mitigation modules are now disabled when McAfee VirusScan 8.8 is installed.

The content update package and Content Updates page on the ESM Console no longer include the Release Notes link. To view the Release Notes for your Traps content update version, you must go to the Support Site > Dynamic Updates.
Changes to Default Behavior in 3.4.0
Traps 3.4.0 includes the following changes to default behavior:

The ESM Server now supports up to 16,000 agents. In multi‐ESM deployments, you can deploy a maximum of five ESM Servers to support a total of 80,000 agents.

To improve the accuracy of the default security policy, exploit protection rules are no longer applied to all protected processes. Instead, the exploit protection rules now apply only to specific and relevant processes. Because Traps evaluates process‐specific rules prior to rules that apply to all protected processes, the default security policy can override user‐defined rules if they apply to all protected processes. To ensure that default policy rules do not override user‐defined rules, you must edit the rule to apply to specific processes.

To improve the user experience, some exploit protection modules (EPMs) that produce excessive notifications in notification mode now support only prevention mode. Now, instead of notifying the user multiple times about an event, Traps immediately prevents the exploit and reports the prevention event. This change affects the following EPMs:
– Exception Heap Spray Check
– Memory Limit Heap Spray Check
– SEH Protection

To simplify the configuration of user‐defined exploit protection rules, some options and configurable values that are redundant or that are not used by the agent have been deprecated or are no longer configurable from the ESM Console. The EPMs and options that are affected by these changes are as follows:
– CPL Protection, DLL‐Hijacking Protection, and Hot Patch Protection EPMs—The Deferred value is now deprecated.
– JIT Mitigation and ROP Mitigation EPMs—The Stackwalk and Add Functions options can no longer be configured from the ESM Console. The values for these options are now included with the default policy.
– DEP EPM—To reduce redundancy, the SEH Check option is now deprecated and the Stackwalk option is no longer configurable from the ESM Console.
– DLL Security EPM—The Optimize option is now deprecated.
– Null Dereference Protection EPM—The Page Size option is no longer configurable from the ESM Console.
– Memory Limit Heap Spray Check EPM—The Action and Interval options are no longer configurable from the ESM Console.
– SEH Protection EPM—The Ignore OS and Aggressive options are now deprecated.
– SysExit EPM—The Stub Size option is no longer configurable from the ESM Console.
– UASLR EPM—The Move Dynamic option is no longer configurable from the ESM Console. In addition, the Max Attempts option is now renamed to Override OS randomization. When the value for this option is set to Off, the value is 0.

To fine‐tune and simplify the exploit protection policy, the following EPMs are now deprecated and removed from the ESM Console:
– Master SEH
– Master VEH
– Periodic Heap Spray Check
– Random Preallocation
– T01 Compatibility
– Heap Corruption Mitigation
– GSCookie

The Generic EPM is no longer configurable using the ESM Console. The settings for this module are now included with the default policy.

To fine‐tune and simplify the exploit protection policy, the Packed DLLs EPM is now removed from the ESM Console and its behavior is now configurable with the DLL Security EPM.

When you configure a Java restriction rule, you can now configure only the browsers and corresponding whitelisted Java processes. The Java restrictions for files and registry settings that were available in previous releases have now been deprecated.

The ability to define groups for administrative access using the DB Configuration Tool is now deprecated. Instead, to define administrative access for a group defined in Active Directory (if domain authentication is in use) or in Local Users and Groups (if machine authentication is in use), you must log in to the ESM Console.

To install Traps on Windows 8 and later releases or Windows Server 2012 and later releases, you no longer need to install Microsoft .NET Framework 3.5.1. Instead, the Traps installation now requires the default enabled .NET Framework of the OS (.NET Framework version 4.5 or later). However, on Windows 7 and Windows Server 2008 and earlier releases, Traps continues to require .NET Framework 3.5.1. For a list of requirements, see Traps Software Requirements.

SQLite is no longer supported. Instead, you must use SQL Server Express, SQL Server Enterprise, or SQL Server Standard. For more information, see Database Software Requirements.

The Benign/Malware Verdict Recheck Interval (Minutes) has been renamed to Known Verdict Recheck Interval (Minutes) and now includes queries on grayware.

The default action for the WildFire policy has changed from Learning to Prevention. As a result, Traps automatically blocks all malware instead of only silently logging when users open malware.

The Allow and Block buttons on the Hash Control page are superseded by the Treat as Benign and Treat as Malware options, which are available on the actions menu or on the additional details view for each hash record.

Because Traps can now identify malware using a layered process of evaluation (such as local analysis, trusted signers, or grayware policy), it is no longer possible to predict the effective action for the executable file. For example, if grayware is not treated as malware, but a restriction rule blocks the executable file, the action for the hash could be allow while the end result would be block. As a result, the Verdict tab on the Traps console—which did not take into account other layers in the evaluation process—was removed.
Associated Software Versions
The following minimum software versions are supported with Traps 3.4 components.
Software                                Minimum Supported Version with Traps 3.4
ESM Server                              3.4
ESM Console                             3.4
Traps                                   3.2
Content Version for ESM Console 3.4.1   7
Content Version for ESM Console 3.4.0   5
Limitations
This section describes the limitations to the Traps 3.4 software.

• Incompatible Operating Systems
• Incompatible Security Products
Incompatible Operating Systems
The following table shows incompatibility configurations with operating systems.
Limitation
Implications and Required Actions
Traps does not support some versions of Microsoft Windows.
The following OS versions are not supported with Traps:
• Windows 2000 and below
• Windows XP SP2 and below
• Windows XP 64 bit
• Windows Server 2003 SP1 and below
• Windows Server 2003 R2 64 bit
• Windows Server Core editions
The ESM Console does not support Internet Explorer version 9.
Use Internet Explorer version 10 or later.
Incompatible Security Products
The following table shows incompatibility configurations with security products.
Security Product
Description
Implications and Required Actions
Antivirus engines (such as Avira and AVG)
Because Palo Alto Networks Traps components are detected by antivirus engines, some antivirus engines may falsely recognize Traps components as a threat.
If a Traps component is suspected as a threat, we recommend excluding the component in the product's management tools. If required, please contact Support.
Bitdefender Total Security
When Traps is installed on Windows 7 and Windows 8 64‐bit systems, installing Bitdefender causes a startup issue on the next reboot. When Bitdefender is installed, installing Traps causes Windows Explorer to crash.
Running Traps exploit protection and Bitdefender in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—will continue to work as expected.
BUFFERZONE
BUFFERZONE collides with the Traps injection mechanism.
Running Traps and BUFFERZONE in parallel is not supported.
McAfee Solidifier
Solidifier collides with the Traps injection mechanism.
Running Traps exploit protection and Solidifier in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—will continue to work as expected.
Microsoft Enhanced Mitigation Experience Toolkit (EMET)
Microsoft EMET collides with the Traps injection mechanism.
Running Traps exploit protection and Microsoft EMET in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—will continue to work as expected.
Panda Antivirus
Panda Antivirus collides with one of the Traps ROP Mitigation component checks.
Running Traps exploit protection and Panda Antivirus in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—will continue to work as expected.
VMware ThinApp
ThinApp collides with the Traps injection mechanism.
Running Traps exploit protection and ThinApp in parallel is not supported. All other malware protection functionality—such as local analysis, WildFire analysis, and restriction rules—will continue to work as expected.
Windows Defender
Windows Defender prevents the collection of prevention data from the Traps agent.
All exploit and malware protection capabilities work as expected; however, data about the prevention event is not collected.
Known Issues
The following table describes known issues with Traps 3.4.
Issue ID
Description
CYV‐10101
After Traps quarantines malware, the operating system displays an error indicating that the quarantined file cannot be found. This issue occurs only when the current user does not have administrative rights on the endpoint.
CYV‐10051
When a malicious executable file runs from an ISO file (such as from a CD, DVD, or BD), Traps incorrectly displays a message that indicates the file is in use instead of displaying a message that indicates the ISO file is read‐only and cannot be quarantined.
CYV‐10010
If the Event Viewer service crashes on the endpoint, the Traps reporting of process crash events and subsequent malware protection is disrupted. This is due to a dependency of CyveraService on the Event Viewer service.
Workaround: Restart the CyveraService on the endpoint to resume process crash reporting and malware protection functionality.
This issue is now resolved. See CYV‐10084 in Traps 3.4.1 Addressed Issues.
CYV‐9967
After you enter an invalid proxy IP address and then correct the address, the ESM Console requires you to click Save twice before the new settings take effect. If you click Save only once and later return to the page, the ESM Console reverts to the previous saved setting.
Workaround: Click Save twice after saving the valid proxy configuration.
CYV‐9948
On endpoints whose hostnames contain Turkish characters, the Traps agent fails to upload files and logs using BITS.
This issue is now resolved. See CYV‐10076 in Traps 3.4.1 Addressed Issues.
CYV‐9930
The DB Configuration Tool does not validate administrative users and, so, it allows you to save a user who is not a local administrator on the ESM Console server.
Workaround: Validate that users are administrators on the ESM Console server before adding them as administrative accounts using the DB Configuration Tool.
CYV‐9894
When malware runs on the endpoint, Traps attempts to quarantine the file regardless of location. If Traps fails to quarantine the second instance of malware that has already been quarantined on the endpoint (such as from a different location), the ESM Console disables the restore option and prevents you from attempting to restore the file to its original location.
CYV‐9858
The ESM Console truncates usernames that contain more than 20 characters.
Workaround: Users with usernames that contain more than 20 characters must log in to the ESM Console using only the first 20 characters.
This issue is now resolved. See CYV‐10282 in Traps 3.4.1 Addressed Issues.
CYV‐9790
When Service Protection is enabled and an administrator uninstalls Traps on the endpoint, some files remain in the ProgramData\cyvera folder. In some environments, these files are owned by SYSTEM and cannot be removed by the administrative user.
Workaround: Log off and log back in before attempting to delete these files.
CYV‐9762
To create a rule for network folder restriction, the ESM Console requires you to define a network folder whitelist before it permits you to save the rule.
CYV‐9751
In an environment where a secondary ESM Console is installed on an ESM Server, the ESM Server inherits the proxy settings from the secondary console.
CYV‐9723
On Windows XP endpoints, when you click Send Support File from the Traps console, the agent fails to collect logs from the event viewer and instead sends only a partial collection of logs.
CYV‐9705
When you configure rules to use target objects that use the Windows User logon name in UPN format ([email protected]), the ESM Console omits these objects and displays only SAMAccount names.
Workaround: To apply a rule to a target object with a UPN account name, specify the full Active Directory distinguished name.
CYV‐9621
The BitsUpload manager fails to upload malware with a filename that contains the right‐to‐left override (RLO) character.
CYV‐9595
When you install Traps on a terminal server that is accessed by multiple users, user‐specific rules do not work as expected. For example, in some cases, Traps fails to apply user‐specific rules to the effective user. In other cases, Traps applies user‐specific rules to all users on the terminal server.
CYV‐9585
Attempting to restore a file before Traps finishes retrieving relevant memory dumps causes delays in restoring the file to the original location.
CYV‐9538
When you attempt to generate an ESM tech support file in an environment with two ESM Consoles, the ESM Console fails to retrieve the logs from the secondary console and does not display an error indicating the reason for the failure.
CYV‐9468
When you use cytool to stop all runtime services, cytool stops all runtime services except for the Traps Dump Analyzer Service.
Workaround: Use alternate methods, such as the Windows Services Console, to stop the Traps Dump Analyzer Service.
CYV‐9368
Traps fails to enforce local folder restrictions on endpoints that use the Japanese language version.
CYV‐9360
In an ESM deployment with multiple ESM Servers, after removing a server from the domain, the ESM Console does not update the Internal Address and continues to show the in‐domain address.
Workaround: From the ESM Console (Settings > ESM > Multi ESM), manually update the internal address of the ESM Server.
CYV‐9355
Because older versions of Traps did not support a grayware verdict, executable files received a benign verdict and were permitted to run. After upgrading to Traps 3.4, the local cache retains the benign verdict for any grayware that previously ran on the endpoint. As a result, subsequent attempts to run grayware that ran previously are permitted.
CYV‐9350
On some endpoints, the CPU spikes when the Traps console is open.
CYV‐9284
The first time a user opens an executable file that is larger than 50MB (such as an installer), the launch time increases due to the evaluation of trusted signers.
CYV‐9215
When an exploit event occurs, some EPMs configured in Notification mode can cause Traps to display multiple notification messages about the event.
CYV‐9178
After successfully installing the ESM Server or ESM Console software, the installer inconsistently logs the completion status of the installation.
CYV‐9024
When a UASLR prevention event occurs for a process in a hidden system folder, Traps neglects to provide any notification, collect forensic data, or log the event. When a UASLR prevention event occurs on a process that is not in a protected system folder, notifications, logging, and data collection all work as expected.
CYV‐9015
In an environment with multiple ESM Servers, changing settings in Active Directory can cause inconsistencies in policies between ESM Servers.
CYV‐9007
When you generate an ESM Tech Support file and the ESM Console and the ESM Server are installed on the same device while service protection is enabled, some data cannot be retrieved. This is because service protection blocks access to specific folders.
CYV‐8959
When you change the state of a machine from workstation to virtual desktop infrastructure (VDI), Traps continues to use a license from the workstation license pool instead of obtaining a floating VDI license.
CYV‐8923
If you configure an exploit protection rule that uses the DLL Security EPM, the Flash player crashes on 64‐bit Firefox.
CYV‐8834
When you upgrade .NET Framework in preparation for upgrading Traps and then remove the older .NET Framework version, the Traps upgrade fails.
Workaround: To avoid uninstall and upgrade issues, do not remove the older version of .NET Framework before upgrading to this version of Traps.
CYV‐8732
When you apply an action rule to an organizational unit and specify a group of machines as belonging to the organizational unit, endpoints in that group do not receive the agent rule.
CYV‐5632
When adding a large number of processes as provisional processes, the policy file size increases and causes issues in transferring the policy XML files to the agents. As a result, the security policy can become out‐of‐date and the ESM Console can display the status of the agent running on the endpoint as disconnected.
CYV‐5061
When the Thread Injection malware protection module is enabled, installing Microsoft .NET Framework 4.5.2 raises a thread injection prevention event.
Workaround: To permit the user to install Microsoft .NET Framework 4.5.2, create a Thread Injection rule that whitelists setup.exe injection to svchost.exe. To narrow the scope of the rule, enforce conditions that target only the affected endpoints.
Traps 3.4.1 Addressed Issues
The following table lists the issues that are fixed in the Traps™ 3.4.1 release. For new features introduced in Traps 3.4, as well as known issues and limitations, see Traps 3.4 Release Information.
Issue Identifier
Description
CYV‐10463
Fixed an issue with local analysis that caused high CPU usage on XenDesktop clients.
CYV‐10449
Fixed an issue with Active Directory (AD) queries which resulted in a heavy load on the AD server. With this fix, queries are now optimized to improve performance.
CYV‐10388
Fixed an issue with content updates where the ESM Console displayed an invalid link for the Update Site. With this fix, the link is now labeled Support Site and points to the site where the content updates are hosted.
CYV‐10383
Fixed a number of issues with external log forwarding to address format inconsistencies. Also added the IP address of the ESM Server or endpoint to relevant events.
CYV‐10328
Fixed an issue where after upgrading the ESM Server, agents running earlier versions of Traps did not receive an updated policy unless you created or edited a user rule after the upgrade.
CYV‐10327
Fixed an issue that prevented you from disabling the Traps Dump Analyzer service when service protection was enabled.
CYV‐10320
Fixed an issue on Windows 10 endpoints where users experienced issues with Traps injection for several applications including rundll32 and custom applications that utilize cmd.exe.
CYV‐10307
Fixed an issue where Traps prematurely reported a local analysis failure before the Traps Local Analysis service was operational. With this fix, Traps now waits until the Traps Local Analysis service is fully operational before reporting any errors.
CYV‐10294
Fixed an issue encountered during the ESM Server and ESM Console installation where the installer omitted SQL Server 2016 as a valid database type.
CYV‐10290
Fixed an issue that prevented the Traps Local Analysis service from restarting after a failure to start or a system error occurred. With this fix, the Traps Local Analysis service automatically restarts the service after encountering an error or failing to start.
CYV‐10284
Fixed an ESM Server upgrade issue where a duplicate entry in the ProcessHashes table resulted in an upgrade failure when upgrading to version 3.4.0. With this fix, any duplicate entries are removed during the upgrade process thus allowing the upgrade to complete successfully.
CYV‐10282
Fixed an issue which caused the ESM Console to truncate usernames that contained more than 20 characters. With this fix, the ESM Console permits usernames that exceed 20 characters.
CYV‐10270
Fixed an issue with the quarantine feature where you could not restore executable files on Windows Live File systems that use Universal Disk Format (UDF). With this fix, you can now restore executable files as expected.
CYV‐10234
Fixed a compatibility issue with SearchInform that occurred when Traps and SearchInform were installed in parallel. With this fix, processes no longer produce errors when SearchInform and Traps are installed on the same endpoint.
CYV‐10224
Fixed an issue that caused the endpoint to become unresponsive when multiple Traps console processes on the agent were executed simultaneously. With this fix, the Traps process notification mechanism was updated to handle additional console processes.
CYV‐10121
Fixed a compatibility issue with Traps and Trend Micro™ Office Scan™ 11.xx where Office Scan collided with the Traps injection mechanism. With this fix, you can now run Traps exploit protection and Office Scan in parallel.
CYV‐10087
Fixed an issue with manually added processes whose names contained extensions other than .exe (for example, process.scr) which caused Traps to write the process name to the registry with a .exe extension (for example, process.scr.exe). With this fix, you can now manually add process names with extensions other than .exe. In addition, the ESM Console now displays a notification when you enter a process name with a non‐exe extension.
CYV‐10084
Fixed an issue that caused the CyveraService to halt abruptly after the Windows Event Viewer service restarted. With this fix, the dependency of the CyveraService on the Event Viewer service was removed.
CYV‐10076
Fixed an issue on endpoints whose hostnames contain Turkish characters, where the Traps agent failed to upload files and logs using BITS. With this fix, the Traps agent uploads files and logs from endpoints whose hostnames contain Turkish characters as expected.
CYV‐9883
Fixed an issue with one‐time action rules to Erase memory dumps where Traps deleted the .dmp files but ignored .dmp.report files. With this fix, the agent also deletes the .dmp.report files when it receives the action rule to delete the parent memory dump.
CYV‐9840
Fixed an issue where the ESM Console did not display deleted endpoints in Agent > Health when you applied the Historic filter.
CYV‐9839
Fixed an issue where a one‐time action rule configured to retrieve logs and data from the endpoint failed to resume when the Traps service was stopped and started during the rule's execution. With this fix, any in‐progress BITS jobs resume after the Traps service restarts.
CYV‐9561
Fixed an issue that delayed the calculation of hashes (up to 8 seconds for executable files of size 50MB) which was caused by network slowness. With this fix, Traps uses a new algorithm to calculate the hash. The new algorithm reduces the time to calculate the hash, thus improving the user experience.
CYV‐8696
Fixed an upgrade issue with the ESM Server caused by an invalid connection to the database during the database migration step. With this fix, the installer now provides additional validation during the upgrade and provides more detailed logs to aid in troubleshooting.
CYV‐8182
Fixed an ESM Server and ESM Console installation issue with the database configuration to clarify the account name required for authentication with the database. With this fix, the account field now specifies that Domain\user is required for Windows Authentication.
CYV‐7418
Fixed an issue that permitted Traps to submit files which exceeded the configured maximum file size for WildFire analysis. With this fix, Traps now adheres to the maximum file size and the Hash Control page displays the Upload Status as Upload limit exceeded when the file size exceeds the configured maximum.
Traps 3.4.0 Addressed Issues
The following table lists the issues that are fixed in the Traps™ 3.4 release. For new features introduced in Traps 3.4, as well as known issues and limitations, see Traps 3.4 Release Information.
Issue Identifier
Description
CYV‐2332
Fixed an issue where Java registry and Java file system restriction rules failed to block Java processes and applets from accessing the matching registry or file system path.
Getting Help
The following topics provide information on where to find out more about our products and how to request support:

Related Documentation

Requesting Support
Related Documentation
Refer to the following 3.4 documentation on the Technical Documentation portal or search the documentation for more information on our products. For information on the additional capabilities and for instructions on configuring Traps features, refer to the Traps Administrator’s Guide, Version 3.4.
Requesting Support
To contact support, to get information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
To provide feedback on the documentation, please write to us at: [email protected].
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact‐support
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: October 20, 2016