Introducing the New Traps v4.0: Advancing Endpoint Security – Again!

May 02, 2017

Today, we’re pleased to announce the release of Traps advanced endpoint protection version 4.0. With this release, Traps expands its multi-method prevention capabilities to secure macOS endpoints and Android devices as well as to cover several additional attack techniques.

In this post, I’ll go over some of the enhancements we’ve made to Traps and discuss how they help you to secure your endpoints against cyberattacks. For a deeper dive, I encourage you to download our Traps Technology Overview white paper or join us for a webinar to see how Traps protects your organization against the imminent shifts in endpoint attacks.

Expanded Multi-Method Approach to Prevention

Traps replaces traditional antivirus and secures endpoints with a multi-method approach to prevention. Using a unique combination of highly effective malware and exploit prevention methods, Traps blocks both known and unknown threats – before they can compromise a system.

“Signature-based endpoint security simply cannot provide effective protection against the new wave of cyberattacks targeting endpoints. Given the acute problem presented by the “Patient Zero Effect,” new approaches are a must. Built from the ground up to address modern endpoint security needs, Palo Alto Networks Traps provides modern endpoint protection that can be implemented as either an independent, standalone solution or as a part of an integrated security ecosystem with the accompanying integration synergies that their Next-Generation Security Platform can provide. Palo Alto Networks Traps commands consideration for organizations seeking modern endpoint threat prevention capabilities.”
- Frank Dickson, Research Director, Worldwide Security Products, IDC

Traps v4.0 includes several expanded capabilities and enhancements, which follow.

True Prevention for Mac

Traps secures macOS systems and replaces legacy AV with a multi-method approach to prevention. Traps blocks both malware and exploits, known or unknown, before they can compromise Apple Mac endpoints.

This is in contrast to existing signature-based AV and security solutions for macOS that claim to be “next-gen” but can’t (and don’t) prevent cyber breaches by blocking both malware and exploits, leaving the endpoint exposed to attacks.

Office Macro Protection

Traps blocks known and unknown malicious macros that are embedded in Word and Excel files, before the files are allowed to open. This prevents ransomware and other advanced threats that rely on macro-based attacks to bypass existing endpoint protections.

  • Traps uses our WildFire threat intelligence to instantly identify an Office file (with a malicious macro) that has been seen before by any of our 15,500 WildFire customers, our threat intelligence technology partners, or our own threat researchers in Unit 42.
  • If an Office file contains a macro that is unknown to WildFire, Traps uses local analysis (via machine learning) to immediately determine whether the macro is malicious. We have used the threat intelligence available through WildFire to train a machine learning model to autonomously recognize malicious macros – especially unknown variants – with unmatched effectiveness and accuracy.
  • In addition to using local analysis to render a verdict for an Office file that contains an unknown macro, Traps can submit the file to WildFire for complete inspection and analysis. WildFire goes beyond legacy approaches used to detect unknown threats, bringing together the benefits of four independent techniques for high-fidelity and evasion-resistant discovery, including dynamic analysis, static analysis, machine learning and bare-metal analysis.

Enhanced Child Process Protection

Traps delivers fine-grained control over the launching of legitimate applications, such as script engines and command shells, that can be used for malicious activities. This prevents advanced threats and ransomware from launching evasive attacks that are not detected by existing endpoint security solutions.

For example, Traps can prevent Internet Explorer from launching a specific script interpretation engine as a child process – a common technique used by ransomware. For any given process, Traps enables customers to either block all child processes except those that are whitelisted or allow all child processes except those that are blacklisted.
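
The two policy modes described above, shown as an added example that is not Traps code or configuration: a small Python evaluator applied to constructed process-creation events. The policy table, function names and sample paths are assumptions made for illustration; "allowlist" and "blocklist" correspond to the whitelisted and blacklisted modes in the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChildPolicy:
    mode: str            # "allowlist": block all children except those listed
    children: frozenset  # "blocklist": allow all children except those listed

# Hypothetical policy table keyed by lower-cased parent image name.
POLICIES = {
    "iexplore.exe": ChildPolicy("blocklist", frozenset(
        {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"})),
    "winword.exe": ChildPolicy("allowlist", frozenset({"splwow64.exe"})),
}

def image_name(path):
    """File name of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decide(parent_path, child_path, policies=POLICIES):
    """Return "allow" or "block" for one parent -> child process launch."""
    policy = policies.get(image_name(parent_path))
    if policy is None:
        return "allow"  # no rule is defined for this parent
    listed = image_name(child_path) in policy.children
    if policy.mode == "allowlist":
        return "allow" if listed else "block"
    if policy.mode == "blocklist":
        return "block" if listed else "allow"
    raise ValueError(f"unknown policy mode: {policy.mode!r}")

# Constructed sample events: (parent image path, child image path).
EVENTS = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Windows\System32\WScript.exe"),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Windows\System32\notepad.exe"),
    (r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     r"C:\Windows\splwow64.exe"),
    (r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

def evaluate(events):
    """Decision for each event, in order."""
    return [decide(parent, child) for parent, child in events]

if __name__ == "__main__":
    for (parent, child), verdict in zip(EVENTS, evaluate(EVENTS)):
        print(f"{verdict:5}  {image_name(parent)} -> {image_name(child)}")
```

This sketch matches on image name only; a production rule would also pin the path, hash or signer of the child image.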

Exploit Kit Fingerprinting Protection

Exploit kits typically profile a user’s system to identify potential vulnerabilities and deliver the optimum attack that can predictably compromise a system or increase the success rate of the attack. This technique is commonly referred to as “fingerprinting” a system. Traps prevents attackers from identifying and targeting vulnerable endpoints by blocking the fingerprinting attempts used by exploit kits. This, in effect, prevents an attack even before it begins.

Kernel Privilege Escalation Protection

Kernel exploits are some of the most advanced attacks. Often emanating from nation-state attackers and advanced persistent threats (APTs), kernel exploits target vulnerabilities in the operating system itself. A common kernel exploitation approach is to create a malicious process that leverages a kernel exploit to "steal" the credentials (“token”) of a privileged process, allowing the malicious process to run with system-level permissions. Traps identifies and blocks this technique.

Single-Pane-of-Glass Visibility Into Security Events

Traps 4.0 can share its logs and security events with Panorama, our network security management product. This integration enables security operations teams to analyze and correlate threat patterns using both network and Traps security events, which, in turn, delivers a unified picture of security events across the entire environment.

In conjunction with automated policies, the integration of Traps with Panorama enables our customers to eliminate attack surfaces across their entire environment, from endpoints to firewalls to cloud and SaaS applications.

Traps Protection for Android Devices (Beta)

Traps for Android is now available through a community access beta program that extends the multi-method protection of Traps to users of Android devices.

On an Android device, Traps instantly identifies known malware by checking the hash of every application with WildFire. Using local analysis, Traps instantly determines if an unknown application is malware, in addition to submitting that application to WildFire for full inspection and analysis. WildFire, in turn, analyzes the unknown application using a multi-technique approach and renders a verdict.

Traps also identifies unknown, but benign, applications through its Trusted Publisher Identification method. Traps notifies users about the verdict associated with each application and enables them to terminate, uninstall or continue to run each application.

For more on Traps for Android, and to participate in the community access beta program, please contact your Palo Alto Networks sales team.


To learn more about Traps v4.0 and its expanded capabilities:
