https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30930#M22640 <HTML><HEAD></HEAD><BODY><P>Hello Emma,</P><P></P><P>It depends on the policy pushed to the client machine whether word process is protected or not.</P><P>If it is then yes, Traps will detect the exploit and won't display the file.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Fri, 06 Mar 2015 15:36:43 GMT hyadavalli 2015-03-06T15:36:43Z https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30929#M22639 <HTML><HEAD></HEAD><BODY><P>A customer is seeing infected word files with macro in their network. The firewall is not able to block this file because the macro keeps changing file hash, even with WildFire enabled.</P><P>Would Traps be able to detect and kill this file on the host without requiring any manual remediation?</P></BODY></HTML> Fri, 06 Mar 2015 01:45:50 GMT https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30929#M22639 Retired Member 2015-03-06T01:45:50Z https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30930#M22640 <HTML><HEAD></HEAD><BODY><P>Hello Emma,</P><P></P><P>It depends on the policy pushed to the client machine whether word process is protected or not.</P><P>If it is then yes, Traps will detect the exploit and won't display the file.</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Fri, 06 Mar 2015 15:36:43 GMT https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30930#M22640 hyadavalli 2015-03-06T15:36:43Z https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30931#M22641 <HTML><HEAD></HEAD><BODY><P>Note that TRAPS works in a completely different way than current AV products.&nbsp; AV using signatures that are evaded by the technique you note.&nbsp; TRAPS watches the actual behavior against exploit behavior and stops the action or logs the activity.</P><P></P><P><A href="https://www.paloaltonetworks.com/documentation/31/endpoint/endpoint-admin-guide/advanced-endpoint-protection-overview/advanced-endpoint-protection-overview.html#38578" title="https://www.paloaltonetworks.com/documentation/31/endpoint/endpoint-admin-guide/advanced-endpoint-protection-overview/advanced-endpoint-protection-overview.html#38578">Advanced Endpoint Protection Overview</A></P></BODY></HTML> Sat, 07 Mar 2015 12:52:49 GMT https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30931#M22641 pulukas 2015-03-07T12:52:49Z https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30932#M22642 <HTML><HEAD></HEAD><BODY><P>As already said, if the macro is malicious (exploit vulnerabilty on the endpoint) then most probably Traps will stop it from happening. I made a short video to demo Traps preventing an endpoint from being exploited by a vuln. in Adobe Flash just to give an idea.</P><P></P><P><A href="https://www.youtube.com/watch?v=uD12Bh9RuwU" title="https://www.youtube.com/watch?v=uD12Bh9RuwU">Traps - Advanced Endpoint Protection by Palo Alto Networks - YouTube</A></P><P></P><P>One of the key advantages of Traps is that it does not require any remediation after prevention, although the malicious files should get deleted/quarantined on the endpoint once a legacy AV solution has a signature....</P></BODY></HTML> Tue, 10 Mar 2015 14:37:51 GMT https://live.paloaltonetworks.com/t5/general-topics/would-traps-be-able-to-detect-and-kill-this-file-on-the-host/m-p/30932#M22642 gafrol 2015-03-10T14:37:51Z