The following table describes features released in Traps™ 4.1.2.
Enhanced Trusted Signer Evaluation
Trusted signer evaluation is now enhanced to allow Traps to take advantage of changes in trusted signer status more quickly. To do this, Traps now distinguishes highly trusted signers (currently just Microsoft) from other known signers and applies the following evaluation criteria based on the new classification: Files signed by highly trusted signers are permitted to run regardless of the WildFire® verdict. Files signed by known (but not highly trusted) signers now require WildFire evaluation of the file before Traps permits the file to run. This prevents Traps from allowing a file to run when its signature is revoked and the WildFire verdict is malware.
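To make the evaluation order concrete, the following is an added example (not Traps or Palo Alto Networks code) that models the signer classes and the WildFire verdict as a small policy function, with the earlier behaviour alongside it so the revoked-signature case the text describes stands out. The class and verdict names, the assumption that the earlier logic trusted a cached signer classification without consulting revocation, and the "hold" outcome for a file that has no WildFire verdict yet are all assumptions made for illustration.

```python
"""
Added example, not Traps or Palo Alto Networks code: a model of the signer
evaluation described in the release note, with the earlier ordering alongside
it. Names, the legacy behaviour and the HOLD outcome are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Signer(Enum):
    HIGHLY_TRUSTED = "highly_trusted"   # currently just Microsoft, per the text
    KNOWN = "known"                     # known, but not highly trusted
    NONE = "none"                       # unsigned or unrecognised signer


class Verdict(Enum):
    BENIGN = "benign"
    MALWARE = "malware"
    UNKNOWN = "unknown"   # WildFire has not returned a verdict yet (assumed name)


@dataclass(frozen=True)
class FileFacts:
    signer: Signer
    signature_valid: bool   # False once the signature or its certificate is revoked
    wildfire: Verdict


def _by_verdict(v: Verdict) -> str:
    # Assumption: a file that still awaits a WildFire verdict is held, not run.
    return {Verdict.BENIGN: "allow", Verdict.MALWARE: "block", Verdict.UNKNOWN: "hold"}[v]


def decide_legacy(f: FileFacts) -> str:
    """Assumed earlier ordering: a cached 'known signer' classification was
    honoured as-is, so revocation was not picked up before the file ran."""
    if f.signer in (Signer.HIGHLY_TRUSTED, Signer.KNOWN):
        return "allow"
    return _by_verdict(f.wildfire)


def decide_enhanced(f: FileFacts) -> str:
    """4.1.2 ordering from the text: only a highly trusted signer bypasses the
    verdict; every other file is decided by WildFire, which reflects revocation."""
    # Assumption: a revoked signature carries no trust at all.
    signer = f.signer if f.signature_valid else Signer.NONE
    if signer is Signer.HIGHLY_TRUSTED:
        return "allow"
    return _by_verdict(f.wildfire)


if __name__ == "__main__":
    # Constructed case: known signer whose signature was revoked, verdict malware.
    revoked = FileFacts(Signer.KNOWN, signature_valid=False, wildfire=Verdict.MALWARE)
    print("legacy:", decide_legacy(revoked), "enhanced:", decide_enhanced(revoked))
```

The constructed revoked-signature case is the one the note calls out: the earlier ordering returns "allow" because the signer classification short-circuits the verdict, while the enhanced ordering returns "block". A highly trusted signer still runs regardless of verdict in both models, exactly as the text states.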
Windows 10 Fall Creators Support
You can now install Traps 4.1.2 on Windows 10 Fall Creators Update 1709.
AppVolumes 2.12 Support
You can now install Traps 4.1.2 on AppVolumes 2.12.
Features Introduced in Traps 4.1.1
The following table describes features released in Traps 4.1.1.
macOS 10.13 Support
You can now install Traps 4.1.1 and later releases on Mac endpoints running macOS 10.13.
DLL File Protection Enhancement
For ease of configuration, the DLL Files module now supports two different rule types: one for general rule settings, and another for process-specific settings. The new rule types enable you to configure global settings which apply to all DLL files and protected DLL-loading processes separately from settings which apply only to specific processes.
Features Introduced in Traps 4.1.0
The following table describes features released in Traps 4.1.0.
Anti-Ransomware Protection
In addition to analyzing ransomware behavior before execution, Traps can now prevent encryption-based ransomware attacks on your endpoints by analyzing ransomware’s run-time encryption activity. With a ransomware attack, the attacker typically encrypts important data and holds it hostage until the user pays a ransom to unlock the data. The new Anti-Ransomware malware protection module (MPM) is designed to detect the initial encryption activity and prevent the ransomware from encrypting any additional files. To allow legitimate processes—such as disk encryption products—to encrypt files, you can disable the module on a per-process basis.
DLL File Protection
Traps now extends its malware protection capabilities to prevent DLL-loading processes from loading malicious DLL files on your endpoints. Like the existing WildFire modules which protect the endpoint from running malicious executable files and macros, the new DLL files examination module enables Traps to leverage both local analysis and WildFire threat intelligence to analyze and identify the nature of a DLL. When a DLL is unknown to WildFire, the Endpoint Security Manager can also submit the file to WildFire for in-depth inspection and analysis.
Local Analysis Support on Mac Endpoints
Traps now extends the local analysis capability to Mac endpoints. Local analysis enables Traps to compare unknown files against known malware and classify files which hold similar characteristics as malware on the endpoint. With this feature, Traps quickly analyzes unknown files on Mac endpoints and assigns a local verdict (malicious or benign) when the endpoint is offline or waiting for an official verdict from WildFire. Traps continues to use the local verdict until the agent receives an updated verdict from the ESM Server.
Child Process Protection Enhancement
Traps can now evaluate the command line execution of a process as criteria for blocking or allowing a process to run from a protected parent process. This enables Palo Alto Networks to fine-tune the child process protection module settings and sharpen the accuracy when preventing malicious child processes from running on your endpoints. For example, instead of configuring a default rule to always block PowerShell when launched by Microsoft Word, Palo Alto Networks can now include match criteria in the default rule settings to block PowerShell only when the process attempts to run a script from a specific path.
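The following is an added example (not Traps or Palo Alto Networks code) of what a parent/child rule with a command-line match criterion looks like when evaluated against launch events, which the paragraph above describes only in words. The rule and event structures, the use of a path glob on the script argument, the helper names, and the sample process paths and command lines are constructed assumptions for illustration.

```python
"""
Added example, not Traps or Palo Alto Networks code: a child-process rule
matcher that adds a script-path criterion to the plain parent/child pair, so
that "Word launches PowerShell" is blocked only when the script comes from a
given location. All names, paths and sample events are constructed.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Sequence

# Quoted or bare command-line tokens that end in .ps1 (assumed to be the
# script argument the rule wants to inspect).
_SCRIPT_RE = re.compile(r'"([^"]+?\.ps1)"|(\S+?\.ps1)(?=\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class ChildProcessRule:
    parent: str                        # image name of the protected parent
    child: str                         # image name of the child to evaluate
    script_glob: Optional[str] = None  # None: block on the pair alone


@dataclass(frozen=True)
class LaunchEvent:
    parent_image: str   # full image path of the parent process
    child_image: str    # full image path of the child process
    command_line: str   # raw command line the child was started with


def image_name(path: str) -> str:
    """Lower-cased final path component, tolerant of / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def extract_script_paths(command_line: str) -> List[str]:
    """Every .ps1 path found in the command line, quoted or bare."""
    return [quoted or bare for quoted, bare in _SCRIPT_RE.findall(command_line)]


def rule_matches(rule: ChildProcessRule, ev: LaunchEvent) -> bool:
    if image_name(ev.parent_image) != rule.parent.lower():
        return False
    if image_name(ev.child_image) != rule.child.lower():
        return False
    if rule.script_glob is None:
        return True  # the coarse rule: any launch of this child by this parent
    # Compare case-insensitively; fnmatchcase avoids platform-dependent casing.
    pattern = rule.script_glob.lower()
    return any(fnmatchcase(p.lower(), pattern) for p in extract_script_paths(ev.command_line))


def evaluate(rules: Sequence[ChildProcessRule], ev: LaunchEvent) -> str:
    """First matching rule blocks the launch; otherwise it is allowed."""
    return "block" if any(rule_matches(r, ev) for r in rules) else "allow"


# Constructed rule: block PowerShell started by Word only when the script is
# run from a per-user temp directory (placeholder pattern, not a Traps default).
RULES = [ChildProcessRule("winword.exe", "powershell.exe",
                          r"c:\users\*\appdata\local\temp\*.ps1")]

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

if __name__ == "__main__":
    for cmd in (r'powershell.exe -File "C:\Users\alice\AppData\Local\Temp\update.ps1"',
                r"powershell.exe -Command Get-Date",
                r"powershell.exe -File C:\Scripts\report.ps1"):
        print(evaluate(RULES, LaunchEvent(WORD, PS, cmd)), "<-", cmd)
```

With `script_glob` set to `None` the rule reduces to the coarse "always block PowerShell from Word" behaviour the text contrasts against; with a pattern, an interactive `-Command Get-Date` or a script from an administered location is allowed while a script from the matched path is blocked.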
Kernel APC Protection
The new Kernel APC Protection module prevents attacks which leverage the kernel to load and run malicious shellcode. With this technique, the attacker changes the execution order of a legitimate procedure by redirecting an asynchronous procedure call (APC) to execute shellcode the attacker loaded in memory. When a procedure attempts to access shellcode in an unmapped memory location, Traps blocks access to the shellcode without harming or blocking the legitimate process. By default, the Kernel APC Protection module protects the Local Security Authority Subsystem Service (lsass.exe).
Automated Content Updates
The Endpoint Security Manager (ESM) can now automatically obtain and distribute the latest content updates to your Traps agents. This reduces the manual effort required to identify when new content updates are available and ensures your Traps infrastructure stays up to date with the latest default security policy published by Palo Alto Networks. For increased flexibility, you can choose to allow the ESM to check for content updates daily and display when a new one is available, or you can allow the ESM to install the content update automatically.