PALO ALTO TRAPS
Advanced Endpoint Protection
Palo Alto Networks Traps™ advanced endpoint protection stops threats on the endpoint and coordinates enforcement with cloud and network security to prevent successful cyberattacks. As a lightweight agent, Traps minimizes endpoint infections by blocking malware, exploits and ransomware. It can be used for Windows®, macOS®, Android® and Linux operating systems, and can be managed on-premises or from the cloud.
Multiple methods of malware prevention
Traps prevents the execution of malicious files with an approach tailored to combat both traditional and modern attacks. Additionally, administrators can utilize periodic scanning to identify dormant threats, comply with regulatory requirements and accelerate incident response with endpoint context.
Traps leverages the intelligence obtained from tens of thousands of subscribers to the WildFire malware prevention service to continuously aggregate threat data and maintain the collective immunity of all users across endpoints, networks and cloud applications. Traps queries WildFire, and WildFire returns a near-instantaneous verdict on whether the file is malicious or benign. If the file is unknown, Traps proceeds with additional prevention techniques to determine whether it is a threat that should be terminated.
Local analysis via machine learning
If a file remains unknown after the initial hash lookup and has not been identified by administrators, Traps uses local analysis via machine learning on the endpoint – trained by the rich threat intelligence of WildFire – to determine whether the file can run, even before receiving a verdict from the deeper WildFire inspection.
In addition to local analysis, Traps sends unknown files to WildFire for discovery and deeper analysis to rapidly detect potentially unknown malware. WildFire uses independent techniques for high-fidelity and evasion-resistant discovery. These are:
Malicious process prevention
Traps prevents script-based and fileless attacks by default with out-of-the-box, fine-grained controls over the launching of legitimate applications, such as script engines and command shells.
In addition to existing multi-method prevention measures, including exploit prevention, local analysis and WildFire, Traps monitors the system for ransomware behavior. Upon detection, it immediately blocks attacks and prevents encryption of customer data.
Multiple methods of exploit prevention
Traps is unique for its ability to prevent exploits through technique identification and a protection-focused model. Traps targets the techniques that any exploit-based attack must use to manipulate a software vulnerability.
By preventing these techniques, Traps is able to protect unpatched systems, unsupported legacy systems, applications IT is unaware of – commonly known as shadow IT – and never-before-seen exploits, also called zero-day exploits.
Traps delivers exploit prevention using multiple methods, including:
- Pre-exploit protection: Traps prevents the vulnerability-profiling techniques exploit kits use prior to launching attacks. By blocking these techniques, Traps prevents attackers from targeting vulnerable endpoints and applications, effectively preventing the attacks before they begin.
- Technique-based exploit prevention: Traps prevents known, zero-day and unpatched vulnerabilities by blocking the exploitation techniques attackers use to manipulate applications.
- Kernel exploit prevention: Traps prevents exploits that leverage vulnerabilities in the operating system kernel to create processes with escalated privileges. Traps also protects against new exploit techniques used to execute malicious payloads, such as those seen in 2017’s WannaCry and NotPetya attacks.
By blocking these techniques, Traps provides customers with three important benefits:
- Protects unpatchable applications and shadow IT.
- Minimizes the risks associated with delayed patching.
- Prevents zero-day exploits from succeeding.
Besides malware and exploit prevention, Traps is also capable of:
- Scanning: Administrators can scan endpoints and attached removable drives for dormant malware, with an option to automatically quarantine it for remediation when found.
- Admin override policies: Traps enables organizations to define policies based on the hash of an executable file, controlling what is or isn’t allowed to run in their environments.
- Malware quarantine: Traps is capable of immediately quarantining malicious executable files, DLLs and Office files to prevent propagation or execution attempts of infected files.
- Grayware classification: Traps enables organizations to identify non-malicious but otherwise undesirable software, such as adware, and prevent it from running in their environments.
- Execution restrictions: Traps enables organizations to easily define policies to restrict specific execution scenarios to reduce the attack surface of any environment.