05-18-2018 03:58 PM
Background: This is a new deployment scenario in a small/medium-sized enterprise, about 5K hosts and 3K users. LOTS of different, old/new applications and OSes. Config mgmt is non-existent - it's the wild west. Oh, and we have a development group, so there's some custom apps out there as well as new renditions popping up every so often.
I'm *very* new to Traps and have been tasked to "make it work". So far, I've got my ESM server and console up and Traps agents deployed to about 25 endpoints for testing, running with out-of-the-box default policies. Things are going swimmingly from what I see - essentially no false positives. I'm inclined to push this thing out to the whole org immediately.
Unfortunately, my boss is less confident and is nervous about ticking off the end users and having a riot on our hands. He's concerned that Traps will have a ton of false positives as we deploy it out to the end users and has directed me to put all policies in "notification mode" only. The plan is to deploy department by department (OU by OU), so the idea is to have one set of policies for enforcement, and a duplicate set of policies set to notify only. As we deploy and "soak" an OU, it will be in notify only mode. After a few weeks, we want to move it to enforcement. Once all OUs are moved into enforcement, we will delete the notify only policies.
While I see the logic in that cautious approach, I don't see an easy way to do it within ESM. It seems like we would have to somehow duplicate the default policies and go through hundreds of these policies, line by line and change the activation. I see days to weeks worth of work just setting that up. There's got to be an easier way. OR I need someone to tell me "There's not really any way to do that so change your strategy".
Any help or advice?
05-21-2018 04:30 PM
I got a bunch of errors. Any ideas on what's causing this?
A few notes up front:
1. I confirmed Traps runtime services were completely stopped.
2. I confirmed that the sigcheck .csv file had coherent data.
3. I am running with god mode permissions (domain admin)
4. I do not have Windows Firewall running
5. I am running the VDI tool from the machine that I ran the sigcheck against (my own workstation)
6. I have run VDI with both SSL binding on and off (we're using SSL for connections to the ESM)
7. I have run VDI with the uninstall password and without.
8. We are using default port 2125.
9. I've made no changes to hash bulk size, tool timeout, or WildFire verdicts check interval.
10. I've run VDI both with "Wait for WildFire Verdicts" set to false and true; same with "Write malware to cache".
11. I've made no changes to "Write grayware to cache" (stayed at "True").
Have you come across those errors?
05-21-2018 04:35 PM
Definitely don't need Domain Admins. At most local administrator on the endpoint, but let's move on 🙂
Firstly can you confirm you are running TrapsVdiTool using "Run as administrator"?
05-21-2018 04:40 PM
Yeah... back to that whole "I'm an idiot" thing... I think I need to turn in my IT nerd creds or something.
That was the problem. I owe you a beer.
05-21-2018 04:44 PM
LOL - I'm just glad it was something simple. Always good to have a second set of eyes peer review something that might have been missed 🙂
Hold that beer... I'll take a virtual lemonade instead 😉
Have a great day!