L4 Transporter
Would Traps be able to detect and kill this file on the host without requiring any manual remediation?

A customer is seeing infected Word files with macros in their network. The firewall is not able to block this file because the macro keeps changing the file hash, even with WildFire enabled.

Would Traps be able to detect and kill this file on the host without requiring any manual remediation?

L5 Sessionator

Re: Would Traps be able to detect and kill this file on the host without requiring any manual remediation?

Hello Emma,

It depends on the policy pushed to the client machine, i.e. whether the Word process is protected or not.

If it is then yes, Traps will detect the exploit and won't display the file.

Regards,

Hari Yadavalli

L7 Applicator

Re: Would Traps be able to detect and kill this file on the host without requiring any manual remediation?

Note that TRAPS works in a completely different way than current AV products. AV uses signatures, which are evaded by the technique you note. TRAPS watches the actual behavior against exploit behavior and stops the action or logs the activity.

Advanced Endpoint Protection Overview

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: Would Traps be able to detect and kill this file on the host without requiring any manual remediation?

As already said, if the macro is malicious (exploits a vulnerability on the endpoint) then most probably Traps will stop it from happening. I made a short video to demo Traps preventing an endpoint from being exploited by a vuln. in Adobe Flash just to give an idea.

Traps - Advanced Endpoint Protection by Palo Alto Networks - YouTube

One of the key advantages of Traps is that it does not require any remediation after prevention, although the malicious files should get deleted/quarantined on the endpoint once a legacy AV solution has a signature...
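Added example (not from this thread, Palo Alto Networks or Traps) showing why the hash-based blocking discussed above keeps missing the file while a structural indicator of macro presence stays stable: two constructed, minimal OOXML-style ZIP containers (stand-ins for .docm files, not real Word documents) that differ only in their macro part get different SHA-256 values, but both still carry the word/vbaProject.bin part and the macroEnabled content type.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Constructed, minimal stand-ins for Office Open XML containers (a real .docx/.docm
# is a ZIP). Macro-enabled documents carry a word/vbaProject.bin part and declare
# the macroEnabled content type in [Content_Types].xml. These are not real Word files.
MACRO_TYPES = ('<Types><Override PartName="/word/document.xml" '
               'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
PLAIN_TYPES = ('<Types><Override PartName="/word/document.xml" '
               'ContentType="application/vnd.openxmlformats-officedocument.'
               'wordprocessingml.document.main+xml"/></Types>')


def build_doc(vba_blob: Optional[bytes]) -> bytes:
    """Build a constructed container; a non-None vba_blob makes it macro-enabled.
    Fixed timestamps keep the output deterministic so the hash depends on content only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        parts = {"[Content_Types].xml": (MACRO_TYPES if vba_blob is not None else PLAIN_TYPES).encode(),
                 "word/document.xml": b"<w:document/>"}
        if vba_blob is not None:
            parts["word/vbaProject.bin"] = vba_blob  # placeholder for the binary VBA project part
        for name, data in parts.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            z.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    """What a hash-based blocklist keys on: any byte change in the macro gives a new value."""
    return hashlib.sha256(data).hexdigest()


def macro_indicators(data: bytes) -> dict:
    """Structural features that survive a rewrite of the macro body itself."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        ctypes = z.read("[Content_Types].xml").decode() if "[Content_Types].xml" in names else ""
    return {"has_vba_part": "word/vbaProject.bin" in names,
            "macro_enabled_type": "macroEnabled" in ctypes}


def is_macro_document(data: bytes) -> bool:
    """Flag the file on what it is (macro-enabled) rather than on what it hashes to."""
    ind = macro_indicators(data)
    return ind["has_vba_part"] or ind["macro_enabled_type"]
```

A gateway or endpoint rule keyed on `is_macro_document` (or on the behaviour the macro exhibits, as Traps does) is unaffected by the hash churn described in the question.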
