Existing endpoint security approaches that rely on malware identification can’t prevent sophisticated zero-day attacks because they don’t identify and utilize known malicious signatures, strings, or behaviors. As a result, compromised endpoints must await detection and remediation.
Our Advanced Endpoint Protection solution,Traps, takes a different approach that prevents advanced attacks originating from executables, data files, or network-based exploits—both known and unknown—before malicious activity can cause harm to the endpoints in your organization.
Here are some of the exciting new features in Traps 3.2, which we officially announced this week, as well as technical resources to help you learn more about Advanced Endpoint Protection.
New and Improved Protection Modules
Our unique focus on exploit and malware technique prevention is the center of our Advanced Endpoint Protection solution, intercepting the attacker at the core of the attack and preventing patient zero. While preventing just one technique would thwart the entire threat, our team continues to develop new prevention modules to prepare for the unthinkable, adding four more modules to the long list of inimitable protection.
Unknown Executable Upload to WildFire
This feature bridges the gap between endpoint and network security intelligence by enabling you to automatically submit unknown executable files from the ESM (Endpoint Security Manager) to WildFire for further analysis.
For more information, see Unknown File Submission to WildFire.
Hash Control, Local Override of WildFire Verdicts
A powerful feature that gives the administrator the ability to import local hashes in the ESM and control the global verdicts on their local network, without impacting the global WildFire verdict.
For more information, see Local Override of WildFire Decisions.
Improvements in scalability and speed enable the Advanced Endpoint Protection solution to support large deployments, with extended support for 50K Traps agents per ESM and multiple ESM Server support.
For more information, see Multi-ESM Support.
Want to apply execution restrictions on your endpoints but fear it will limit your work process? You can now configure restriction whitelists to control your global policies more granularly and to increase business flexibility without the security risk.
For more information, see Global Whitelist Functionality.
WildFire Inspection Reports
To provide greater clarity into WildFire hash verdicts, you can now view reports for any executable file that WildFire has previously analyzed. The WildFire report, which is available in PDF format, includes information that you can use to further analyze and manage a WildFire verdict.
For more information, see View WildFire Reports.
Automated Security Event Analysis
Traps prevention kicked in and you want to know more? This forensic feature provides secondary analysis of a Traps security event, by automatically analyzing the memory records to extract data and scan for traces of malicious activity, such as Heap Spray and ROP chains.
For more information, see Forensics Overview.
Customizable Prevention and Notification Pop-Ups
You can now customize the title, footer, and display image for prevention and notification pop-ups that Traps displays when a security event occurs on the endpoint. Traps displays prevention messages when a file or process violates a security policy and the termination behavior is configured to block the file. Traps displays notification messages when the notify behavior is configured to alert the user.
The Traps Console is available in 7 languages; English, German, French, Spanish, Japanese, Chinese Simplified, and Chinese Traditional.
For more information, see Traps Localization.
Traps is one of the few products that can protect all applications across nearly every Windows-based platform, both virtual and physical, and even those that no longer have continued support. Traps is now also supported on Windows Vista and Windows Server 2008 and on non-English Windows Operating Systems.
For more information, see Supported Traps Installations.
Improved Syslog and SIEM integrations
You can now integrate your Syslog server with Splunk, a third-party monitoring tool, which you can use to analyze log data. Find the Palo Alto Networks Splunk app that now supports Traps athttps://apps.splunk.com/app/491/.
Here are a few resources to add to your Advanced Endpoint Protection 3.2 reading list!
- New Features Guide: Your go-to resource for all the new features in 3.2.
- Administrator’s Guide: Contains installation procedures and configuration workflows to get you up and running quickly.
- Release Notes: Provides important information about the Advanced Endpoint Protection 3.2 software including known issues and limitations.
Pro tip: On the documentation search, use the OS Version > 3.2 facet to filter results for only documentation about Advanced Endpoint Protection 3.2.
[Palo Alto Networks Blog]