Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us
About this Guide
This guide describes the initial installation and basic setup of a new Palo Alto Networks Endpoint Security Manager
and Traps. Topics covered include prerequisites, best practices, and procedures for installing and managing Traps on the
endpoints in your organization.
For additional information, refer to the following resources:
• For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
• For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
• For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
• For the most current PAN-OS 7.0 release notes, see https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes.html.
• To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
The following topics describe how to manage the endpoints using the Endpoint Security Manager:
Manage Traps Action Rules
Use action rules to perform one-time actions on the Traps agent that runs on each endpoint.
• Add a New Action Rule
• Manage Data Collected by Traps
• Shut Down or Suspend EPM Protection
• Uninstall or Upgrade Traps on the Endpoint
• Update or Revoke the Traps License on the Endpoint
Add a New Action Rule
For each action rule, you can specify the organizational object(s), condition(s), and action(s) to take on each
endpoint.
Add a New Action Rule
Step 1 Launch the Action Wizard. Select Manage > Add Action.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the objects.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.
Step 4 Select the type of task you want to perform.
Select one of the following from the Tasks drop-down, and then configure the settings according to the type of restriction:
• Agent Data—For more information, see Manage Data Collected by Traps.
• Agent Service—For more information, see Shut Down or Suspend EPM Protection.
• Agent Installation—For more information, see Uninstall or Upgrade Traps on the Endpoint.
• Agent License—For more information, see Update or Revoke the Traps License on the Endpoint.
Step 5 Define the restriction rule.
1. Review the details in the action summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there you can Delete or Suspend the rule, as required.
Manage Data Collected by Traps
Use the Action Wizard to perform the following actions for data files that Traps creates on the endpoint:
• Clear History: Each endpoint stores a history of the security preventions. Select this option to clear historical data files from displaying in the Traps console.
• Erase Memory Dumps: Memory dumps are records of the contents of system memory when a prevention event occurs. Select this option to erase the system memory records on the target objects.
• Erase Quarantined Files: When the security event occurs on an endpoint, Traps captures memory dumps and recent files associated with the event and stores them in the quarantine folder on the endpoint. Select this option to delete the files associated with the security event from the target objects.
• Retrieve Data that the Agent Collects: Traps collects security event history, memory dumps, and other information associated with a security event. Select this option to retrieve all the information saved from all events that occurred on the endpoint. After this rule runs, the Traps agent sends all the data related to the prevention, including a memory dump of the protected process, to the designated quarantine folder.
• Retrieve Logs that the Agent Collects: Traps collects detailed application trace logs and stores information about processes and applications that run on the endpoint. Use the log file to debug an issue with an application or investigate a specific problem that writes to the log. Selecting this option creates an action rule to retrieve all the application trace information for an endpoint. After this rule runs, the Traps agent sends all the logs to the designated quarantine folder.
Manage Data that Traps Collects
Step 1 Launch the Action Wizard. Select Manage > Add Action.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.
Step 4 Define the tasks to carry out on the Traps data stored on the endpoints.
1. Select Agent Data from the Tasks drop-down.
2. Select one or more of the options to manage agent data.
3. Click Next.
Step 5 Define the action rule.
1. Review the details in the action summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there, you can Delete or Suspend the rule, as required.
Shut Down or Suspend EPM Protection
If a security policy interferes with a legitimate application, you can temporarily suspend or shut down Exploitation Prevention Module (EPM) injection on an endpoint. For endpoints running Traps version 3.1 or later, Traps will not inject the EPMs into processes while the rule is active but will still send notifications about security events.
After completing the necessary task, we recommend that you analyze the event and define a security rule that is specific to this application and then enable EPM protection. In the case of EPM suspension, the rule automatically enables EPM protection after the specified duration lapses. In the case of EPM shutdown, you must manually restart the endpoint to start the Traps service on the endpoint and re-enable EPM protection.
Shut Down or Suspend EPM Protection
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to find the objects.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.
2. Click Next.
Step 4 Suspend or shut down EPM protection.
1. Select Agent Service from the Tasks drop-down and then select one of the following actions:
• To temporarily suspend injection of security modules, select
Suspend Protection For and specify the duration in minutes
from the drop-down, either 10, 30, 60, or 180 minutes.
• To disable injection of security modules for the life of the
action rule, select Shutdown Protection.
2. Click Next.
Step 5 Define the action rule.
1. Review the details in the action summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule.
Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select
the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there,
Uninstall or Upgrade Traps on the Endpoint
Use the Action Wizard to perform the following actions for Traps on the endpoint:
Uninstall Traps from the target objects.
Upgrade Traps using software that you upload to the ESM Server.
Uninstall or Upgrade Traps on the Endpoint
Step 1 Launch the Action Wizard. Select Manage > Add Action.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.
2. Click Next.
Step 4 Define the tasks to carry out on Traps on the endpoints.
1. Select Agent Installation from the Tasks drop-down and then
select one of the following actions:
• Uninstall
• Upgrade from path—Browse to the installation ZIP file, and
then click Upload.
Step 5 Define the action rule.
1. Review the details in the action summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there, you can Delete or Suspend the rule, as required.
Update or Revoke the Traps License on the Endpoint
Use the Action Wizard to update or revoke a license from the Traps service running on an endpoint. Revoking a license enables you to reallocate a license to another endpoint. After you revoke a license, Traps will not protect the endpoint. Use the update option to replace a license on the endpoint and resume Traps service.
Update or Revoke the Traps License on the Endpoint
Step 1 Launch the Action Wizard. Select Manage > Add Action.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Action Wizard and the Conditions page will be displayed. Any changes you made in the Action Wizard will be discarded.
2. Click Next.
Step 4 Define the tasks to carry out on the Traps license on the endpoints.
1. Select Agent License from the Tasks drop-down and then
select one of the following actions:
• Update
• Revoke
2. Click Next.
Step 5 Define the action rule.
1. Review the details in the action summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule.
Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select
the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there,
Manage Agent Settings Rules
Use agent settings rules to change preferences relating to Traps from a central location.
• Add a New Agent Settings Rule
• Define Memory Dump Preferences
• Define Event Logging Preferences
• Hide or Restrict Access to the Traps Console
• Define Communication Settings Between the Endpoint and the ESM Server
• Collect New Process Information
• Manage Service Protection
• Change the Uninstall Password
Add a New Agent Settings Rule
For each agent settings rule, you can specify the organizational object(s), condition(s), and Traps preferences to
apply.
Add a New Agent Settings Rule
Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.
Step 4 Select the type of preference you want to change.
Select one of the following, and then configure the settings according to the type of preference:
• Memory Dump—For more information, see Define Memory
Dump Preferences.
• Event Logging—For more information, see Define Event
Logging Preferences.
• User Visibility & Access—For more information, see Hide or
Restrict Access to the Traps Console.
• Heartbeat Settings—For more information, see Define
Communication Settings Between the Endpoint and the ESM Server.
• Process Management—For more information, see Collect New
Process Information.
• Service Protection—For more information, see Manage Service
Protection.
• Agent Security—For more information, see Change the
Uninstall Password.
Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule.
Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select
the rule from the Manage > Overview page and then click Activate.
Define Memory Dump Preferences
When an application crashes or terminates abnormally, the endpoint records information about the event
including the contents of memory locations and other related details in what is known as a memory dump. By
default, the information is saved to a system log file on the endpoint and is useful in diagnosing and debugging
a crash event. Create an agent settings rule to determine how Traps manages process-related memory dumps.
The rule settings allow you to specify if you want to send memory dumps automatically to the forensic folder
or change the size of the memory dump, either small, medium, or full (the largest and most complete set of
information).
Define Memory Dump Preferences
Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
Step 4 Define where Traps stores memory dumps in the event of a prevention event.
1. Select Memory Dump from the Agent Settings drop-down and then select one of the following preferences:
• Automatically send the memory dumps to the server by selecting Send the memory dumps automatically.
• Specify the size of the memory dump file by selecting the Memory dump size option and then selecting Small, Medium, or Full from the drop-down.
2. Select one or more applications. Traps will apply the setting to the selected applications.
3. Click Next.
Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Define Event Logging Preferences
The Windows Event Log stores application, security, and system events that can help you diagnose the source of system problems. Use the Agent Settings Wizard to specify whether or not to send security events that Traps encounters to the Windows Event Log and to set a size quota for the temporary local storage folder that Traps uses to store the event information.
Define Event Logging Preferences
Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.
Step 4 Define the event logging settings for the endpoints.
1. Select Event Logging from the Agent Settings drop-down.
2. Perform one or more of the following actions:
• Select the Set disk quota (MB) option to specify the size of the temporary local storage folder that Traps will use to store event logs. Specify the quota amount in MB. The default is 1000 MB (10 GB). The maximum is 10,000,000 MB (10 TB).
• Select the Write agent events in the Windows event log option to send the Traps events to the Windows Event Log.
3. Click Next.
Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Hide or Restrict Access to the Traps Console
By default, a user can access the Traps console to view information about the current status of the endpoint, security events, and changes to the security policy. When a security event is triggered, the user also receives a notification about the event including the application name, publisher, and a description of the exploit prevention or restriction rule that triggered the notification.
You can create an agent settings rule to change the accessibility of the console and specify whether or not to hide notifications from the user.
Hide or Restrict Access to the Traps Console
Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
Step 4 Define the user visibility and access settings for the endpoints.
1. Select User Availability & Access from the Agent Settings drop-down.
2. Select one or more of the following options:
• Hide tray icon—Installing Traps on an endpoint adds an icon to the notification area (system tray) by default. Use this option to hide the tray icon on the endpoint.
• Disable the user’s access to the Traps user interface—By default, the user can access the Traps console by launching it from the system tray. Use this option to disable the ability to launch the console.
• Hide Traps user notifications—When the Traps agent encounters a prevention event, the user sees a notification message describing the event. Use this option to hide notifications.
3. Click Next.
Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Define Communication Settings Between the Endpoint and the ESM Server
On a regular basis, the endpoint communicates with the Endpoint Security Manager by sending heartbeat messages and reports to the ESM Server. During the heartbeat communication, the Traps agent requests the current security policy and sends a response to the Endpoint Security Manager to report the status of the endpoint. The frequency at which the Traps agent sends heartbeat messages to the ESM Server is called the heartbeat cycle. The optimal frequency is determined according to the number of endpoints in the organization and the typical network load. The default heartbeat period is 5 minutes.
The Traps agent also reports changes in service including starts, stops, and crash events and processes discovered on the endpoint. The frequency at which the Traps agent sends report notifications is called the reports interval.
Define Communication Settings Between the Endpoint and the ESM Server
Step 1 Launch the Agent Settings Wizard. Select > .
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.
Step 4 Define the heartbeat cycle for the endpoints.
1. Select Heartbeat Settings from the Agent Settings
drop-down.
2. Select one or more of the following options:
• Set distinct heartbeat cycle—Specify the frequency in
either Hours, Minutes, or Days.
• Set send reports interval—Specify the frequency in either Hours, Minutes, or Days.
3. Click Next.
Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and enter the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule. Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there you can Delete, Deactivate, or Edit the rule, as required.
Collect New Process Information
By collecting new process information from the endpoint, you can analyze whether or not to create security rules. By default, the Traps agent does not collect information on new processes. You can configure Traps to report every process that runs on an endpoint to the Endpoint Security Manager by enabling the Process Management setting. The Process Management page displays all manually added or automatically discovered processes.
Collect New Process Information
Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude
sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries
Active Directory to verify the users, groups, or computers or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand
side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected
conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.
Step 4 Enable the collection of new processes on the endpoints.
1. Select Process Management from the Agent Settings
drop-down.
2. Select the Collect new process information check box.
The new processes will appear on the Process Management page as unprotected processes. Define rules to protect the new processes, as required.
3. Click Next.
Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule.
Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select
the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there
Manage Service Protection
Service protection allows you to protect the Traps service running on your endpoints. When service protection is enabled, users cannot change registry values or files associated with Traps, or stop or modify the Traps service in any way.
Manage Service Protection
Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects
2. Click Next.
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.
Step 4 Enable service protection.
1. Select Service Protection from the Agent Settings drop-down.
2. Select Enable service protection or Disable service protection.
Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule.
Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there you can Delete, Deactivate, or Edit the rule, as required.
Change the Uninstall Password
By default, you must enter the uninstall password specified during installation to uninstall Traps from an endpoint. Change the default password by creating an agent settings rule.
Change the Uninstall Password
Step 1 Launch the Agent Settings Wizard. Select Manage > Add Agent Settings.
Step 2 Define the target objects to which to apply the restriction rule.
1. Select one of the following options:
• Selected objects from the list. In the Include or Exclude sections, enter one or more Users, Groups, Computers, or Existing endpoints. The Endpoint Security Manager queries Active Directory to verify the users, groups, or computers, or identifies existing endpoints from previous communication messages.
• All objects
Step 3 (Optional) Add conditions to the rule.
1. Do one of the following:
• Add a preexisting condition from the list on the left-hand side of the page. Select the condition in the Conditions list and click Add. The condition is added to the Selected conditions list on the right-hand side of the page. Repeat to add more conditions, if desired.
• Add a new condition. Click to launch the new condition wizard and then follow the instructions in Define Activation Conditions for a Rule.
If you choose to define a new condition, you will exit the Agent Settings Wizard and the Conditions page will be displayed. Any changes you made in the Agent Settings Wizard will be discarded.
2. Click Next.
Step 4 Change the password.
1. Select Agent Security from the drop-down. Select the Set uninstall password check box.
2. Enter the password that the user or administrator will have to enter to uninstall Traps. The password must be at least 8 characters long.
3. Click Next.
Step 5 Define the agent settings rule.
1. Review the details in the agent settings summary, then enter the rule name and the rule description.
2. Click one of the following actions.
• Discard—Cancel without saving any changes to the rule.
Navigating away from the page also discards any changes.
• Save & Apply—Save and apply the rule.
• Save—Save the rule. To activate the rule at a later time, select
the rule from the Manage > Overview page and then click Activate.
Saved rules appear on the Manage > Overview page. From there