This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About thinson
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About thinson
06-16-2021
21Posts
4Likes
1Solution
Jun 16, 2021Last Visited
User
Activity
User
Profile
Latest posts by thinson
| Subject | Views | Posted |
|---|---|---|
| 3570 | 04-27-2018 05:44 AM | |
| 3580 | 04-26-2018 08:48 AM | |
| 1988 | 04-02-2018 07:17 AM | |
| 2558 | 03-12-2018 05:07 AM | |
| 3279 | 03-12-2018 04:55 AM | |
| 3573 | 01-10-2018 07:07 AM | |
| 3581 | 01-09-2018 11:43 AM | |
| 5316 | 01-04-2018 08:28 AM | |
| 5529 | 01-04-2018 04:56 AM | |
| 2495 | 12-21-2017 07:31 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-12-2018 04:55 AM | |
| 1 Like | 08-15-2017 06:38 AM | |
| 1 Like | 01-04-2018 08:28 AM | |
| 1 Like | 11-27-2017 11:32 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 11-03-2016 07:13 AM |
| Date Last Visited | 06-16-2021 10:52 PM |
| Posts | 21 |
| Total Likes Received | 4 |
04-27-2018
05:44 AM
Here is a link to the info on DBCONFIG tool: https://live.paloaltonetworks.com/t5/Endpoint-Articles/How-to-Use-the-DBconfig-Tool-in-Traps/ta-p/65876 The specific info on how to configure Traps to not register as the system AV with Security Center is not listed there. My notes say that the command is "dbconfig server SecurityCenterEnabled false". It sure wouldnt hurt to open a ticket with support and verify that this is still correct and that you understand the impact. Hope this helps!
... View more
04-26-2018
08:48 AM
Starting in v4 Traps started registering with Microsoft Security Center as the AV and Defender would be disabled. You can change this behavior if you desire to keep running Defender in tandem with Traps. It requires a change on the Traps ESM server using the DBCONFIG tool. There may be a KB entry on the support side or you might just want to open a ticket with support and request guidance.
... View more
04-02-2018
07:17 AM
The 4.1.3 version has some improved ransomware detection capabilities in it. I imagine once the process hit the decoy files it would be stopped from further damage. There are several variants of SamSam and I am sure that Wildfire has malicious verdicts for many of the artifacts. If you are a member of an information sharing group or subscribe to a threat intel subscription you may be able to obtain some IOC's for this particular strain. You could check some of those hash values in Wildfire to see what the verdicts are.
... View more
03-12-2018
05:07 AM
I do not know the answer to your question but I imagine a call to support can help. I did want to mention that our Traps engineer who helped us with our deployment recommended we NOT enable the quarantine option and I believe that was partially due to this issue. I remember him saying that they restore options were not always straight forward and that Traps was going to block execution anyway, might as well leave the file where it is.
... View more
03-12-2018
04:55 AM
1 Kudo
We are planning to deploy Traps to our Exchange servers. I know that traditional AV can wreak havok on Exchange servers if they do not have scan exclusions. I also know that Traps is much different in it's method or providing protection. Does anyone in the community have any experience running Traps on an Exchange server? If you do I would love to hear your feedback as to performance and any policy tuning you may have done. Thanks!
... View more
01-10-2018
07:07 AM
Not sure what configuration aspects you are refering to? There is nothing that needs to be done on the Traps side other than specifiying to use SSL. As long as the agents and servers are using those certs and trust the root...all is well and should work.
... View more
01-09-2018
11:43 AM
We use internal certs generated from our PKI. You want to have a cert issued with the following intended purposes: client authentication and Server Authentication. Of course make sure your root certs are trusted on the ESM servers and all the agents.
... View more
01-04-2018
08:28 AM
1 Kudo
I have asked our Traps account team and they are working on getting an answer. I'll be sure to update the thread if I hear anything.
... View more
01-04-2018
04:56 AM
Same questions for running Traps 4.0.4
... View more
12-21-2017
07:31 AM
Traps does not have the capability to isolate the computer. You would need to employ another tool to do that. Something like Forescout, Tanium or CarbonBlack Response. If you are using the Palo firewall you could have the impacted host added a dynamic group that has restricted internet access.
... View more
12-20-2017
05:55 AM
The information about the files created for the Anti-Ransomware module was shared in the Traps 4.1 documentation under new features. Palo is rapidly adding new features to Traps so I highly advise you review that section of the documentation before you upgrade. If you have the resources for a UA environment where you can keep several handfuls of production machines that will help as well. https://www.paloaltonetworks.com/documentation/41/endpoint/newfeaturesguide/security-features/anti-ransomware-protection#id177CFA0L0Y4
... View more
12-20-2017
04:53 AM
I do not think there is a way to use Traps to deploy files. Traps can deploy an upgrade for an agent and content updates. That's about it.
... View more
11-28-2017
06:54 AM
Contact support. There is a method for adding your own certs to trust. It's nothing you can do through the GUI.
... View more
11-27-2017
11:35 AM
Followed that article to the "T" and both my UA and PROD upgrades went without a hitch from 4.0.3 to 4.0.4. Thanks for sharing that link!
... View more
11-27-2017
11:32 AM
1 Kudo
We use the XML format so that we can force the malware verdict. When we deployed Traps we had the assistance of a Traps PSE. He wrote a short powershell script that will take a txt file of SHA256 hashes and convert them into an XML file that you can then import. This works in 3.4.X and 4.0.X. # This script reads a text file of SHA256 hashes and creates an XML for importing
# into the Traps ESM Policies > Hash Control page. If these are imported
# 'with verdict', they will appear as "Hash Control" verdicts of "Malware"
# -------- VARIABLES -----------
# Process name to apply to each hash import
$ImportAsName = "ImportedProcessHash.exe"
# Text file/path of SHA256 hashes to build XML from
$HashStringsFile = ($PSScriptRoot) + "\Hashes.txt"
# File name/path for resulting import XML file
$TrapsImportFile = ($PSScriptRoot) + "\TrapsHashImports.xml"
Write-Host "Creating $TrapsImportFile"
# get an XMLTextWriter to create the XML
$XmlWriter = New-Object System.XMl.XmlTextWriter($TrapsImportFile,$Null)
# choose a pretty formatting:
$xmlWriter.Formatting = 'Indented'
$xmlWriter.Indentation = 1
$XmlWriter.IndentChar = "`t"
# write the header
$xmlWriter.WriteStartDocument()
# create root element "machines" and add some attributes to it
$XmlWriter.WriteComment('Hashes to Import')
$xmlWriter.WriteStartElement('ArrayOfHashProcessItem')
$XmlWriter.WriteAttributeString('xmlns', 'http://schemas.datacontract.org/2004/07/Cyvera.Common.Interfaces.Policy')
$XmlWriter.WriteAttributeString('xmlns:i', 'http://www.w3.org/2001/XMLSchema-instance')
# Read hashes text file and add XML data for each
$Hashes = ((get-content $HashStringsFile) | Sort-Object)
$Hashes | ForEach-Object {
# Create element HashProcessItem node
$xmlWriter.WriteStartElement('HashProcessItem')
#$XmlWriter.WriteAttributeString('test', 'something')
# Add pieces of information:
$xmlWriter.WriteElementString('FileSizeMb','0')
$xmlWriter.WriteElementString('Hash',$_)
$xmlWriter.WriteElementString('ProcessName',$ImportAsName)
$xmlWriter.WriteElementString('Result','Malware')
$xmlWriter.WriteElementString('Type','Unprotected')
# Close HashProcessItem node
$xmlWriter.WriteEndElement()
}
# Close ArrayOfHashProcessItem node
$xmlWriter.WriteEndElement()
# finalize the document:
$xmlWriter.WriteEndDocument()
$xmlWriter.Flush()
$xmlWriter.Close()
notepad $TrapsImportFile
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-16-2021
10:52 PM
|
Latest Tags
No tags yet
Likes Given To
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks