
Six new features in Palo Alto Networks Traps 4.1

  • 25 September, 2017


Palo Alto Networks released the 4.1 update to Traps, their well-regarded endpoint security solution, last week.

Following relatively quickly on from the major 4.0 update, 4.1 has all the usual bug fixes and minor tweaks that you’d expect.

There are also a handful of more notable additions, which we go through briefly in this article.

DLL File Protection

Palo Alto Networks’ Traps now extends its malware protection capabilities to prevent DLL-loading processes from loading malicious DLL files on your endpoints.

Like the existing WildFire modules which protect the endpoint from running malicious executable files and macros, the new DLL file examination module enables Traps to leverage both local analysis and WildFire threat intelligence to analyse and identify the nature of a DLL. When a DLL is unknown to WildFire, the Endpoint Security Manager can also submit the file to WildFire for in-depth inspection and analysis.

(Windows only)

Anti Ransomware Protection

In addition to analysing ransomware behaviour before execution, Palo Alto Networks Traps can now prevent encryption-based ransomware attacks on your endpoints by analysing ransomware’s run-time encryption activity.

With a ransomware attack, the attacker typically encrypts important data and holds it hostage until the user pays a ransom to unlock the data. The new Anti-Ransomware malware protection module (MPM) is designed to detect the initial encryption activity and prevent the ransomware from encrypting any additional files. To allow legitimate processes—such as disk encryption products—to encrypt files, you can disable the module on a per-process basis.

(Windows only)

Child Process Protection Enhancement

Traps can now evaluate the command line with which a process is executed as a criterion for blocking or allowing that process to run from a protected parent process.

This enables Palo Alto Networks to fine-tune the module settings and sharpen the accuracy when preventing malicious child processes from running on your endpoints.

For example, instead of configuring a default rule to always block PowerShell when launched by Microsoft Word, Palo Alto Networks can now include match criteria in the default rule settings to block PowerShell only when the process attempts to run a script from a specific path.

(Windows only)
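To illustrate the difference between the two rule styles described above, here is an added example (written for this article, not Traps policy syntax or Palo Alto Networks code) that evaluates a coarse parent/child rule and a refined rule carrying a command-line pattern over a few constructed process-creation events; the image names, the script paths and the regular expression are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation events (not real Traps telemetry).
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\invoice.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Program Files\Corp\AddinUpdate.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\invoice.ps1"},
]


@dataclass
class ChildProcessRule:
    """Block rule keyed on parent image, child image and, optionally, the
    child's command line (hypothetical model of the 4.1 match criteria)."""
    parent_image: str
    child_image: str
    cmdline_regex: Optional[str] = None

    def blocks(self, event: dict) -> bool:
        # ntpath handles Windows paths regardless of the host OS.
        parent = ntpath.basename(event["parent"]).lower()
        child = ntpath.basename(event["child"]).lower()
        if (parent, child) != (self.parent_image.lower(), self.child_image.lower()):
            return False
        if self.cmdline_regex is None:
            return True  # coarse rule: every launch of the child is blocked
        return re.search(self.cmdline_regex, event["cmdline"], re.IGNORECASE) is not None


# 4.0-style rule: block any PowerShell launched by Word.
COARSE_RULE = ChildProcessRule("WINWORD.EXE", "powershell.exe")
# 4.1-style rule: block only when the script runs from a user-writable path
# (assumed path; the real default policy is not on the page).
REFINED_RULE = ChildProcessRule(
    "WINWORD.EXE", "powershell.exe",
    cmdline_regex=r"-File\s+\"?C:\\Users\\Public\\[^\s\"]+\.ps1")


def evaluate(rule: ChildProcessRule, events: list) -> list:
    """Return the command lines of the events the rule would block."""
    return [e["cmdline"] for e in events if rule.blocks(e)]
```

The coarse rule blocks both Word-launched events, including the legitimate add-in updater; the refined rule blocks only the script under C:\Users\Public and leaves the explorer-launched event alone because the parent does not match.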

Kernel APC Protection

The new Kernel APC Protection module prevents attacks which leverage the kernel to load and run malicious shell code. With this technique, the attacker changes the execution order of a legitimate procedure by redirecting an asynchronous procedure call (APC) to execute shell code the attacker loaded in memory. When a procedure attempts to access shell code in an unmapped memory location, Traps blocks access to the shell code without harming or blocking the legitimate process. By default, the Kernel APC Protection module protects the Local Security Authority Subsystem Service (lsass.exe).

(Windows only)

Automated Content Updates

The Endpoint Security Manager (ESM) can now automatically obtain and distribute the latest content updates to your Traps agents. This reduces the manual effort required to identify when new content updates are available and ensures your Traps infrastructure stays up to date with the latest default security policy published by Palo Alto Networks.

For increased flexibility, you can either allow the ESM to check for content updates daily and display when a new one is available, or allow the ESM to install the content update automatically.

Local Analysis Support on Mac Endpoints

Traps now extends the local analysis capability to Mac endpoints.

Local analysis enables Traps to compare unknown files against known malware and, on the endpoint itself, classify files that share characteristics with that malware as malicious.

With this feature, Traps quickly analyses unknown files on Mac endpoints and assigns a local verdict (malicious or benign) when the endpoint is offline or waiting for an official verdict from WildFire. Traps continues to use the local verdict until the agent receives an updated verdict from the ESM Server.

We think you’ll agree that there are some great additions in that list, particularly the DLL and Ransomware Protection aspects. It’s also nice to see local analysis making an appearance on the Mac platform.

In the near future we’re also looking forward to the Android edition of Traps which we hope will be showing up before the end of the year.
