
Traps New Features Guide
Version 3.4

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
/company/contactus

About this Guide
This guide describes the new features delivered as part of the Palo Alto Networks Traps 3.4 solution, which comprises the Endpoint Security Manager (ESM), a database, the ESM Server, and the Traps agent prevention software. For information on the additional capabilities and for instructions on configuring the features, refer to /documentation. For access to the knowledge base, discussion forums, and videos, refer to . For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to /support/tabs/overview.html. For the most current Traps 3.4 release notes, see /documentation/34/endpoint/endpointreleasenotes.html. To provide feedback on the documentation, please write to us at: .

© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at /company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: August 20, 2016

Table of Contents
Upgrade/Downgrade Considerations
    Upgrade/Downgrade Considerations
    Upgrade to Traps 3.4
Malware Protection Features
    Local Analysis of Unknown Executable Files
    Trusted Signers
        Evaluation of Trusted Signers
        Review Post-Detection Events for Malware Signed by a Trusted Signer
    Malware Remediation
        Enable Traps to Quarantine Files
        Manage Quarantined Files
    Grayware Verdict Support
Management Features
    Content Updates
    ESM Tech Support File
    Proxy Communication Support

Upgrade/Downgrade Considerations
• Upgrade/Downgrade Considerations
• Upgrade to Traps 3.4

Upgrade/Downgrade Considerations
The following table lists the new features that have upgrade or downgrade impact. Before you upgrade ESM components to or downgrade from release 3.4, make sure you understand the changes that will occur in the configuration.

Feature: EPM Refinement
Upgrade Considerations: In this release, some exploit protection modules (EPMs) and EPM settings have been removed from the default security policy. If you upgrade to release 3.4:
• Rules that use only the deprecated module are removed.
• Deprecated settings are removed.
• Modules are removed from rules that contain multiple modules.
• Security events related to deprecated modules are removed. If you'd like to retain these events, we recommend that you export them before you upgrade to release 3.4.
Although settings and modules are removed, the rule descriptions are not modified and can still reference modules or settings that are no longer reflected in the rule configuration.
Downgrade Considerations: Rules for EPMs that were removed in release 3.4 are added back in to the configuration and disabled.

Feature: Provisional Processes
Upgrade Considerations: In this release, rules do not apply specifically to provisional processes in the default policy. If you did not define any rules specifically for provisional processes before you upgrade the ESM to version 3.4 or install content update version 3 or later, provisional processes receive the rules that are defined for all protected processes.
Downgrade Considerations: N/A

Upgrade to Traps 3.4
The Traps 3.4 release comprises the Endpoint Security Manager (ESM) Server, the ESM Console, and the Traps agent. Use the following workflow to upgrade the Traps components:

Step 1: Plan for the upgrade.
Prioritize the downtime for each ESM Server according to your environment and the requirements of the agents connected to the ESM Server. Identify the ESM Servers that serve the highest number of agents and plan to stop services on those ESM Servers last and upgrade them first. Ensure that you have the credentials for the user who connects to the database before you begin the upgrade.
Hint: Windows authentication uses a domain account and SQL authentication uses a local SQL account on the database server.
Review the Prerequisites for Traps components and adjust your configuration to meet those prerequisites as needed.

Step 2: Disable service protection on all server-side agents installed on ESM Servers and ESM Consoles.
1. From the ESM Console, select Settings > Agent Settings and then Add a Service Protection rule.
2. Disable service protection.
3. On the Objects tab, specify the servers to which the rule should apply.
4. Apply the rule.
5. Verify that each Traps agent received the new rule (on the Traps console, select Policy). If needed, select Check-in now to force Traps to request the latest security policy from the ESM Server.

Step 3: Stop services before upgrading the ESM Server software.
The database can connect only to ESM components that are running the same release. To avoid conflicts during the upgrade process, ensure that services remain disabled until after you successfully upgrade all ESM components.
If you use a third-party watchdog to monitor services, you may need to perform additional steps to ensure that the watchdog software does not attempt to restart the services.
From the Services manager, stop the Endpoint Security Manager service on all ESM Servers.

Step 4: (Multiple ESM Server deployments only) Stop services before upgrading the ESM Console software.
This step is not required for standalone deployments with only a single ESM Server and an ESM Console.
Stop IIS services on the server on which the ESM Console is installed:
Dedicated Server: If the ESM Console is the only web application running on the ESM Console server, stop the World Wide Web Publishing Service. Alternatively, you can stop the service from a command prompt by issuing the iisreset /stop command.
Shared Server: If you run additional web applications on your ESM Console server (not recommended), stop the ESM Application Pool (ESMAppPool) in the Internet Information Services (IIS) Manager to avoid affecting other applications. To stop the application pool:
1. Open the IIS Manager.
2. Expand the server and select Application Pools.
3. Right-click ESMAppPool and select Stop.

Step 5: Back up your database.
To preserve all data in case the installation is unsuccessful, first ensure that services are down on the relevant ESM components and then back up your database.

Step 6: Upgrade the ESM Server.
In a deployment with multiple ESM Servers, choose one ESM Server on which to test the upgrade. Resolve any issues encountered during the upgrade before proceeding to upgrade the ESM Console and any additional ESM Servers.
During the upgrade of the ESM Server, the installer updates the database according to the requirements of the database version. If there is no change between the database versions, the installer does not make any changes to the database.
1. Launch the ESM Core installer file and click Next to begin the installation. To troubleshoot installation issues, use Msiexec to log verbose output to a file.
2. Enter the username and password used to connect to the database and then Verify the connection. Windows authentication format: domain\username. SQL authentication format: sqlservername\username.
3. If the installer successfully verifies the database connection, click OK.
4. Click Install.
5. Click Finish.

Step 7: Upgrade the ESM Console.
1. Launch the ESM Console installer file and click Next to begin the installation. To troubleshoot installation issues, use Msiexec to log verbose output to a file.
2. Enter the username and password used to connect to the database and then Verify the connection. Windows authentication format: domain\username. SQL authentication format: sqlservername\username.
3. If the installer successfully verifies the database connection, click OK.
4. Click Install.
5. Click Finish.
6. Restart the IIS Admin Service on the server on which the ESM Console is installed.
7. Verify that you can log in to the ESM Console.

Step 8: Upgrade additional ESM Servers.
For each additional ESM Server, verify that the services are disabled (see Step 3) and then repeat Step 6 to upgrade the ESM Server software.

Step 9: Import the latest content update to take advantage of the latest recommended default policy.
See Content Updates.

Step 10: Upgrade the Traps agents.
1. Select Settings > Agent Actions and then Add an agent action.
2. Select Agent Installation.
3. Select Upgrade from path.
4. Enter the Uninstall Password, Browse to the installation file, and then Upload.
5. Apply the rule.
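The server-side part of the workflow (Steps 3 to 6) is a sequence of stop, verify, back up, install, check, and each of those has a failure mode that the manual procedure above relies on you to notice. The following PowerShell script is an added example for running that sequence on a single ESM host with the checks made explicit; it is not code from the Traps guide or from Palo Alto Networks. The service display name, SQL instance, database name, backup folder and installer path are assumptions for the illustration and must be replaced with your own values; Step 2 (service protection) is still done in the ESM Console, and the database credentials are still entered in the installer UI.

```powershell
# Added example (not from the Traps guide): pre-upgrade sequence for one ESM
# host, covering Steps 3 to 6 above. All names below are assumptions for the
# illustration; substitute your own service name, instance, database and MSI.
#Requires -RunAsAdministrator
param(
    [string]$EsmServiceName = 'Endpoint Security Manager',   # assumed display name
    [string]$AppPoolName    = 'ESMAppPool',
    [switch]$SharedIisServer,                                 # stop only the app pool
    [string]$SqlInstance    = 'SQL01\ESM',                    # assumed
    [string]$DatabaseName   = 'TrapsDB',                      # assumed
    [string]$BackupDir      = 'D:\Backups',                   # assumed
    [string]$InstallerPath  = 'C:\Install\ESMCore.msi',       # assumed file name
    [string]$MsiLog         = "C:\Install\ESMCore-$(Get-Date -Format yyyyMMdd-HHmm).log"
)
$ErrorActionPreference = 'Stop'

# Step 3: stop the ESM service and keep it from coming back mid-upgrade.
# Setting the start type to Disabled is the page's "ensure services remain
# disabled" advice; a third-party watchdog still needs its own handling.
$svc = Get-Service -Name $EsmServiceName -ErrorAction SilentlyContinue
if ($svc) {
    Set-Service -Name $EsmServiceName -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $EsmServiceName -Force }
    (Get-Service -Name $EsmServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# Step 4: stop IIS. Dedicated server: the World Wide Web Publishing Service
# (W3SVC, the same thing "iisreset /stop" stops). Shared server: only the
# ESM application pool, so other sites on the host stay up.
Import-Module WebAdministration
if ($SharedIisServer) {
    if ((Get-WebAppPoolState -Name $AppPoolName).Value -ne 'Stopped') {
        Stop-WebAppPool -Name $AppPoolName
    }
} else {
    Stop-Service -Name W3SVC -Force
}

# Step 5: back up the database only after the services are confirmed down,
# so the backup matches the pre-upgrade schema. -CopyOnly leaves the regular
# backup chain untouched.
Import-Module SqlServer
$backupFile = Join-Path $BackupDir ("{0}-pre34-{1:yyyyMMdd-HHmm}.bak" -f $DatabaseName, (Get-Date))
Backup-SqlDatabase -ServerInstance $SqlInstance -Database $DatabaseName -BackupFile $backupFile -CopyOnly
if (-not (Test-Path $backupFile)) {
    throw "Backup file $backupFile was not created; aborting before the installer runs."
}

# Step 6: run the installer with verbose MSI logging (/L*v) for troubleshooting
# and check the exit code instead of trusting the final dialog.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$InstallerPath`"", '/L*v', "`"$MsiLog`"") `
    -Wait -PassThru
# 0 = success, 3010 = success but a reboot is required; anything else failed.
if ($proc.ExitCode -notin 0, 3010) {
    throw "ESM Core installer exited with $($proc.ExitCode); see $MsiLog"
}
Write-Host "Installer finished (exit $($proc.ExitCode)). Services stay disabled until every ESM component is upgraded."
```

Run it once on the test ESM Server chosen in Step 6, then on the ESM Console host and the remaining ESM Servers (Steps 7 and 8); the backup and the MSI log are the two artifacts you want on hand if the database schema update fails part-way.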

Malware Protection Features
• Local Analysis of Unknown Executable Files
• Trusted Signers
• Malware Remediation
• Grayware Verdict Support

Local Analysis of Unknown Executable Files
Traps now uses local analysis to examine hundreds of characteristics associated with an unknown executable file to determine if it is likely to be malware. Local analysis uses a statistical model that was developed using machine learning on WildFire threat intelligence. With this feature, Traps uses the statistical model to analyze and assign a local verdict to any unknown executable file. Traps then uses the local verdict while the endpoint is offline or the ESM Server is unreachable.
After Traps receives an official WildFire verdict or updated hash control policy for a (previously unknown) executable file, Traps updates the verdict in its local cache. The next time a user opens the executable file, Traps identifies it as a known executable file and blocks or allows the file according to the verdict Traps received from the ESM Server. For more information about the evaluation process, see Evaluation of Trusted Signers. The following figure displays the order of the evaluation process for local hash verdicts.
[Figure: Evaluation of Local Hash Verdicts]
With Traps 3.4, local analysis is enabled by default with the configuration of the WildFire rule. Because local analysis always returns a verdict for an unknown executable file, the option to Block unknown files applies only to agents for which local analysis is not enabled or to agents running versions earlier than Traps 3.4. To change the default settings, you can clone the default WildFire rule and disable Local Analysis (not recommended). For more information, see Configure a WildFire Rule.

Trusted Signers
To ensure Traps never blocks legitimate files from executing on an endpoint, Traps now evaluates whether executable files are signed by a trusted signer. The evaluation of trusted signers is automatically included in Traps 3.4 and requires no additional configuration. The Endpoint Security Manager provides the list of trusted signers with the default security policy and transparently distributes the list to agents that are running Traps 3.4. On a regular basis, Palo Alto Networks reviews the list of trusted signers and delivers the updates in Content Updates.
• Evaluation of Trusted Signers
• Review Post-Detection Events for Malware Signed by a Trusted Signer

Evaluation of Trusted Signers
If a hash control policy is not configured for an executable file, Traps next employs the WildFire module to identify the verdict. The WildFire module uses a multistep approach to evaluate the verdict. The first step in this approach is to determine whether the file is signed by a trusted signer. Previously, this module considered only the official WildFire verdict. As a result, Traps had to wait to learn the nature of the executable file and, depending on your configuration, block all unknown executables in the meantime.
The following figure displays the order of the evaluation process for local hash verdicts.
[Figure: Evaluation of Local Hash Verdicts]
When an executable file launches on the endpoint, Traps first evaluates whether a hash control policy exists for the executable file. If so, the existing hash control policy for that executable file takes precedence over all other verdict evaluation and analysis. However, if there is no hash control policy for that executable file, then the Traps WildFire module next evaluates whether the file is signed by a trusted signer.
The file is signed by a trusted signer: The file is considered benign and is locally exempt from additional WildFire verification and local analysis. As long as execution restrictions and malware protection rules do not apply to the executable file, Traps allows it to execute. If Traps blocks a file that is signed by a trusted signer (for example, if the file was signed by a trusted signer but violated a restriction rule), the ESM Console displays the signer information in the new Source Signers field in the security event details.
The file is not signed by a trusted signer: Traps evaluates the official WildFire verdict. If WildFire has not analyzed the executable file or Traps has not yet received the verdict for the executable file, Traps uses Local Analysis of Unknown Executable Files to determine a local verdict. If the executable file is unknown and your WildFire policy enables Traps to submit unknown executable files, Traps also submits the file to the ESM Server for analysis by WildFire.

Review Post-Detection Events for Malware Signed by a Trusted Signer
Because WildFire and Traps share the same list of trusted signers, executable files that are signed by a trusted signer are exempt from WildFire verdict evaluation. As a result, Traps considers these files to be benign (regardless of the official WildFire verdict). In extremely rare scenarios, WildFire can issue a malware verdict for a file that is signed by a trusted signer. If this occurs and you want Traps to block the executable file, you must take additional action to configure a hash control policy. The hash control policy takes precedence over all other verdict evaluation, including evaluation of trusted signers, and enables Traps to block the executable file. Because a valid signature from a trusted signer short-circuits both the WildFire verdict and local analysis, a signer/verdict mismatch deserves prompt review rather than being treated as noise.
The ESM Console categorizes events where malware previously executed on an endpoint as post-detection events. You can review all post-detection events on the Malware Post Detected page. In the post-detection event of a signer/verdict mismatch, review the details about the security event and optionally configure a hash control policy for the executable file. The ESM Server distributes the hash control policy during the next communication with the agent and enables Traps to block any future attempts to launch that executable file.
Step 1: From the ESM Console, select Security Events > Post Detections > Malware Post Detected and locate the event.
Step 2: Select the row to view additional details about the event.
Step 3: Review the WildFire Report for the executable file or utilize any additional threat intelligence resources, such as AutoFocus, to determine the nature of the executable file.
Step 4: If you believe the file is malicious:
1. Click Hash Control.
2. In the expanded view of the hash record, select Treat as Malware.
The new hash control policy takes precedence over the trusted signer evaluation.
Step 5: If the executable file is malware, select Agent List to review previous executions on endpoints and take additional action to remediate the executable file on the endpoint.

Malware Remediation
Traps can now quarantine malicious executable files on the endpoint. To evaluate whether an executable file is considered malicious, Traps uses information from the following sources:
• WildFire threat intelligence
• Local analysis
• Hash control policy (overrides set by the administrator)
When any of these sources indicates that a file is malicious, Traps notifies the user about the quarantined file (if user alerts are configured) and moves the file from the local folder or removable hard drive to a local quarantine folder. With this feature, you can also restore a quarantined file to its original location.
• Enable Traps to Quarantine Files
• Manage Quarantined Files

Enable Traps to Quarantine Files
This feature is disabled by default. To enable Traps to quarantine malware, use the following process.
Step 1: Create or edit a WildFire rule.
Step 2: (New) In the rule configuration, select Quarantine Files to enable Traps to block and
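The precedence described under Evaluation of Trusted Signers and enforced through Treat as Malware under Review Post-Detection Events is easy to state and easy to get wrong in a reimplementation, because the trusted-signer check sits above WildFire and local analysis but below hash control. The following PowerShell is an added example, not Traps code or a Palo Alto Networks API: it models that decision order on a Windows host, using Windows' own Authenticode check (Get-AuthenticodeSignature) as the "signed by a trusted signer" test. The trusted-signer list, the hash control table, the WildFire cache and the local-analysis stub are constructed inputs for the illustration; in Traps they come from the ESM Server and from the agent's model.

```powershell
# Added example (not Palo Alto Networks code): a stand-alone model of the
# verdict order described above: hash control policy, then trusted signer,
# then the cached WildFire verdict, then local analysis. The policy inputs
# below are constructed for the illustration, not real ESM data.

function Get-SignerThumbprint {
    # Returns the leaf signer thumbprint only when the signature chain is valid
    # on this host. A file that is merely "signed" (bad chain, tampered,
    # NotTrusted, HashMismatch) returns $null and so never counts as trusted.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        return $sig.SignerCertificate.Thumbprint
    }
    return $null
}

function Resolve-LocalVerdict {
    <#
      Walks the documented precedence and reports which stage decided:
        HashControl   - administrator override, wins over everything
        TrustedSigner - valid Authenticode signature with a trusted thumbprint
        WildFire      - cached official verdict (Benign/Malware/Grayware)
        LocalAnalysis - caller-supplied scriptblock standing in for the model
    #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$HashControl    = @{},     # sha256 -> 'Malware' | 'Benign'
        [string[]] $TrustedSigners = @(),     # certificate thumbprints
        [hashtable]$WildFireCache  = @{},     # sha256 -> verdict, absent if unknown
        [scriptblock]$LocalAnalysis = { param($p) 'Unknown' }
    )
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # 1. Hash control policy takes precedence over all other evaluation,
    #    including the trusted-signer check. This is the lever used after a
    #    post-detection signer/verdict mismatch (Treat as Malware).
    if ($HashControl.ContainsKey($sha256)) {
        return [pscustomobject]@{ Hash=$sha256; Stage='HashControl'; Verdict=$HashControl[$sha256] }
    }

    # 2. Trusted signer: benign, exempt from WildFire and local analysis.
    $thumb = Get-SignerThumbprint -Path $Path
    if ($thumb -and ($TrustedSigners -contains $thumb)) {
        return [pscustomobject]@{ Hash=$sha256; Stage='TrustedSigner'; Verdict='Benign'; Signer=$thumb }
    }

    # 3. Official WildFire verdict, if the agent already holds it.
    if ($WildFireCache.ContainsKey($sha256)) {
        return [pscustomobject]@{ Hash=$sha256; Stage='WildFire'; Verdict=$WildFireCache[$sha256] }
    }

    # 4. Otherwise the local model decides while the verdict is outstanding.
    return [pscustomobject]@{ Hash=$sha256; Stage='LocalAnalysis'; Verdict=(& $LocalAnalysis $Path) }
}

# --- Constructed dry run against a file that is signed on every Windows host --
$target     = "$env:SystemRoot\System32\notepad.exe"
$targetHash = (Get-FileHash $target -Algorithm SHA256).Hash
$osSigner   = Get-SignerThumbprint -Path $target   # whatever signs notepad here

# Case A: trusted signer -> Benign at the TrustedSigner stage, even though the
#         constructed WildFire cache says Malware.
Resolve-LocalVerdict -Path $target -TrustedSigners @($osSigner) `
    -WildFireCache @{ $targetHash = 'Malware' }

# Case B: administrator applied Treat as Malware after a post-detection event
#         -> HashControl wins over the trusted signer.
Resolve-LocalVerdict -Path $target -TrustedSigners @($osSigner) `
    -HashControl @{ $targetHash = 'Malware' }

# Case C: signer not in the trusted list and no WildFire verdict yet ->
#         local analysis decides.
Resolve-LocalVerdict -Path $target -TrustedSigners @() `
    -LocalAnalysis { param($p) 'Benign' }
```

The detail worth keeping from this model is the status check in Get-SignerThumbprint: a signature only earns the exemption when the chain validates on the endpoint, and the exemption is still overridden by a hash control entry, which is why Step 4 of the post-detection procedure is the right response when WildFire and a trusted signature disagree.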
