Addressed Issues in Traps Agent 5.0

Traps Agent Release Notes

Product: Cortex XDR, Cortex XDR Agent
Version: 5.0
Creation date: 2022-09-01
Last date published: 2023-06-26
Category: Release Notes

Addressed Issues in Traps Agent 5.0.12-hotfix

The following has been addressed in this release for build number:

Windows - 5.0.12.65273

Issue ID

Description

CPATR-17434

Moved the Generate Support File function from the agent home screen to a cytool command.

Addressed Issues in Traps Agent 5.0.12-hotfix

The following has been addressed in this release for build number:

Windows - 5.0.12.40819

Issue ID

Description

CPATR-12633

(Windows)

Fixed security issues.

CPATR-13405

(Windows)

Fixed security issue.

CPATR-14895

Fixed an issue where Cortex XDR agents running on endpoints that did not trust the “GlobalSign Root CA” certificate could encounter issues downloading upgrade packages and content updates, and where retrieval of verdicts for large scans could also be affected.

CPATR-13408

(Windows)

Fixed security issue.

CPATR-13480

(Windows)

Fixed security issue.

Addressed Issues in Traps Agent 5.0.12

Issue ID

Description

CPATR-13480, CPATR-13408, CPATR-13405, CPATR-12633

Addressed security issues.

Addressed Issues in Traps Agent 5.0.11

Issue ID

Description

CPATR-12649, CPATR-11311

Fixed an issue where the agent did not detect the existence of a macro within a Microsoft Office document.

CPATR-12507, CPATR-11927

Addressed security issues.

CPATR-12009

Fixed an issue where the agent did not analyze the macro content within a Microsoft Office document.

CPATR-10687

Fixed an issue where the agent did not report post detection events of Microsoft Office files with macros to the management server.

Note

For post-detection events of Office files with macros, the agent does not terminate the source process, regardless of the applied Malware Profile.

Addressed Issues in Traps Agent 5.0.10

Issue ID

Description

CPATR-10427

On Windows endpoints, fixed an issue where the agent displayed a notification about quarantined files even though the agent was configured to hide the notification.

CPATR-9871

Addressed security issues.

Addressed Issues in Traps Agent 5.0.9

There are no addressed issues in this release.

Addressed Issues in Traps Agent 5.0.8

Issue ID

Description

CPATR-7900

Fixed an issue that occurred after a malware scan completed where Traps reported duplicate scan completion events to Traps management service.

CPATR-7853

Fixed an issue on Windows VDI where Traps could not generate a Tech Support File if you used Roaming User Profiles.

CPATR-7839

Fixed an issue where the Traps console displayed a disabled status when policy was enabled.

CPATR-7609

Fixed an issue on Windows Server 2003 SP2 where Traps failed to detect user proxy settings when the settings were defined for a local administrator account.

CPATR-7465

Fixed a high CPU consumption issue on endpoints running Windows XP.

CPATR-7050

Fixed an issue where the Traps agent console reported the agent was Connecting instead of Disabled after Exploit and Malware policies were disabled through the Traps management service.

CPATR-6892

Fixed a performance issue that occurred when Traps attempted to examine a corrupt document.

CPATR-6464

Fixed an issue where Traps displayed the status of the agent as Connecting instead of Unlicensed when an unlicensed agent attempted to connect to the Traps management service.

Addressed Issues in Traps Agent 5.0.7

Issue ID

Description

CPA-6123

Fixed an issue on Windows 10 endpoints that had AuditMicrosoftSignedOnly mitigation enabled where Traps injection caused services that have a load timeout (such as svchost.exe) to halt abruptly.

CPA-6084

Fixed an issue on Windows endpoints where an endpoint scan could not complete due to a corrupted Object Linking and Embedding (OLE) file.

CPA-6015

Fixed an issue with error handling on Windows endpoints where, in rare cases, Traps changed the Last Error value.

CPA-5985

Fixed an issue on Windows 8 and Windows Server 2012 and later endpoints where if you used Offloaded Data Transfers (ODX), you experienced slowness copying and moving files between Intelligent Storage Arrays (ISAs). Now, you can copy and move files without experiencing any degradation in performance.

CPA-5933

When you use a GPO to deploy Traps on Windows endpoints, assigning the policy to Active Directory users (instead of computers) causes subsequent attempts to uninstall or upgrade the Traps agents to fail. To ensure upgrades and uninstalls succeed, verify that the GPO command line does not include the ALLUSERS parameter (with any values).

CPA-5816

Fixed an issue which caused high CPU utilization on Windows endpoints due to gRPC.

CPA-5733

Fixed an issue where the Traps management service sent updates to Traps agents without the distribution ID, causing the agents to become disconnected.

CPA-5161

Fixed an issue where TLAService—which is primarily responsible for the Traps local analysis module—failed to initialize when the system account specified in the %TMP% environment variable was not reachable.

CPA-4725

Fixed an issue where periodic scanning caused the file streaming mechanisms of Microsoft OneDrive and Google Drive to sync locally, which resulted in high local disk space consumption for files that should have been stored in the cloud.

CPA-4724

Fixed an issue where some Traps EPMs raised a security event for processes that were whitelisted instead of allowing them to run.

CPA-3358

Fixed an issue on Windows endpoints, where the Traps management service prevented the completion of Microsoft Office application crash recovery.

Addressed Issues in Traps Agent 5.0.6

Issue ID

Description

CPA-4937

Fixed an issue with error handling where multiple attempts to load Traps DLLs caused failures during the process initialization flow which resulted in a prevention or halted a Traps process.

CPA-4904

Fixed an issue that occurred when Symantec Endpoint Protection was installed in parallel with Traps where the lsass.exe process halted suddenly and caused the endpoint to enter a reboot loop.

CPA-4861

Fixed an issue where the DLL Security module raised a security event when a DLL on a stackwalk whitelist was also specified on a blacklist. Now, the whitelist takes precedence over the blacklist.

CPA-4813

Fixed an issue on Linux endpoints that caused Traps installation to fail when the logic used to determine the hostname of the endpoint did not match the actual hostname.

CPA-4741

Fixed an issue on Windows endpoints where the Traps agent was deactivated when the default policy file was found to be empty, thereby preventing additional policy updates.

CPA-4675

Fixed an issue where the Traps registry configuration could be overwritten when Traps Tampering Protection was enabled as part of an Agent Settings profile.

CPA-4604

Fixed an issue with the Ransomware Protection module which caused image loading delays with third-party applications.

CPA-4601

Fixed an issue on Linux endpoints where Traps prevented a cron job from running shell scripts due to a compatibility issue with glibc version 2.22.

CPA-4583

Fixed an issue on Linux endpoints where the Shellcode Protection module raised security events when the module identified a return address in a non-executable region of the process. Now, the Shellcode Protection module only raises events when the return address is to an executable region.

CPA-3352

Fixed an issue on endpoints running Windows 10 Insider Preview where the Windows Defender Security Center displayed Virus & threat protection as Unknown and displayed Status unavailable for Traps even though Traps successfully registered with the Security Center and was available.

CPA-3134

Fixed an issue where the local Traps database accepted unreadable data (serialized non-UTF8 strings) which could partially or fully corrupt the local database.

Addressed Issues in Traps Agent 5.0.5

Issue ID

Description

CPA-4485

Fixed an issue on Mac endpoints where Traps reported security events for legitimate processes when the queue of protected processes became obsolete after a period of inactivity and a process ID (PID) was reused. Now, Traps clears the queue of terminated processes at regular intervals to prevent PID reuse.

CPA-4427

Fixed an issue on Windows 10 virtual machines and new installations on macOS 10.14 where the Traps console did not reflect the current protection state on the endpoint when the network was disconnected or immediately following the end of the installation.

CPA-4422

Fixed an issue where Traps did not apply tampering protection to the parent directory of the Traps installation.

CPA-4334

Fixed a performance issue where Traps caused delays opening large files from network shares.

CPA-4232

Fixed an issue on Mac endpoints where Traps did not provide visibility when Traps was not approved as a kernel extension provider and thus caused Traps to operate in incompatible mode. Now, Traps logs an event when the kernel extensions are not enabled so that you can remedy the issue on the endpoint.

CPA-4198

Fixed an issue where the Traps agent experienced delays sending file reports to the Traps management service to obtain the WildFire verdict. Now, the Traps agent sends reports and verdict requests on the next periodic interval even if a security event was triggered in between.

CPA-4129

Fixed an issue on Mac endpoints running macOS 10.14.1 where after installing Traps, the agent started in incompatible mode. This occurred in the following scenarios:

  • Fresh installation on 10.14.1 (or a later release) when Traps was never installed on the endpoint.

  • Traps was previously installed on an endpoint running macOS 10.12.6 or an earlier release and then upgraded to macOS 10.14.1 and then uninstalled. Later, Traps was reinstalled but Traps was not approved as a kernel extension provider.

CPA-3868

Fixed an issue on endpoints running Windows 8 and later releases where the DLL Security and UASLR exploit protection modules (EPMs) triggered and reported events incorrectly. This was due to a memory mapping issue with the EPMs.

CPA-3780

Fixed an issue where you could not install Traps on Windows Server 2003 SP2 x86 endpoints when third-party software that injects into similar processes—such as McAfee—was installed.

CPA-3779

Fixed an issue where you could not install Traps on Windows Server 2003 SP2 x86 endpoints when third-party software that injects into similar processes—such as McAfee—was installed.

CPA-3413

Fixed an issue where the Traps agent reported the old agent version following an upgrade from the Endpoint Security Manager to Traps management service. Now, Traps uses the agent version from cyvera service and not from the registry.

CPA-3287

Fixed an issue that occurred when Traps analyzed an Office file that contained a macro where Traps caused delays in the startup of the process opening the file.

Addressed Issues in Traps Agent 5.0.4

Issue ID

Description

CPA-3850

Fixed an issue where the Actions Tracker on the Traps management service reported that successful agent upgrades had failed. With this fix, Traps agents running 5.0.4 and above will correctly report successful upgrades.

CPA-3833

Fixed an issue that caused delays with Traps startup when a network error occurred on the endpoint.

CPA-3634

Fixed an issue with VDI where after a user logged out and back in, the Traps agent did not re-register with the Traps management service.

CPA-3597

Fixed an issue that occurred after you removed a hash exception from the Traps management service where the Traps agent failed to check in with the Traps management service, and therefore did not obtain the latest policy.

CPA-3555

Fixed an issue on Mac endpoints, where the Traps icon was hidden intermittently in the menu bar following a reboot.

CPA-3497

Fixed an issue on Windows 8.1, Windows 10, Windows Server 2012, and Windows Server 2016 where Sysprep failed and the endpoint could not finish booting when you enabled registry values protection.

CPA-3496

Fixed an issue where some Traps EPMs—such as DLL Security—caused a process to crash if Traps could not analyze opcodes.

CPA-3440

Fixed an issue on Windows endpoints where Traps did not apply policy to Active Directory users and groups.

CPA-3414

Fixed an issue on remote desktop sessions to RDS servers where Traps reported the username of the console user instead of the logged-on user with analytics for a file.

CPA-3404

Fixed an issue on virtual machines where Traps reported changes to the unique ID associated with the endpoint resulting in excess license consumption.

CPA-3018

Fixed an issue encountered during scanning where Traps reported file errors for page, swap, and hibernation system files.

CPA-1861

Fixed an issue where the Traps agent took up to five minutes to send changes to endpoint details—such as username, user domain, or hostname—after an endpoint restarted.

CPA-1768

Fixed an issue that occurred when a remote user logged into a Remote Desktop Server, where Traps did not capture the name of the remote user and, as a result, identified the user as undefined in logs.

Addressed Issues in Traps Agent 5.0.3-h1

Issue ID

Description

CPA-3569

Fixed an issue that prevented you from excluding Traps agent traffic via a proxy server from SSL decryption. Now, you can use the agent-user information supplied during the Traps connection request to the server to filter out Traps agent traffic from SSL decryption.

CPA-3554

Fixed an issue that caused high memory consumption on Windows endpoints.

CPA-3548

Fixed an issue on 64-bit Windows endpoints with Traps 5.0 releases earlier than 5.0.3.38921, where memory consumption increased over time due to a leak of native 64-bit processes that are protected by Traps.

CPA-3436

Fixed an issue with the Kernel Escalation Privilege exploit protection module which caused high CPU consumption on Linux endpoints.

Addressed Issues in Traps Agent 5.0.3

Issue ID

Description

CPA-2814

Fixed an issue on Linux endpoints where Traps installation failed when multiple OpenSSL Red Hat Package Manager (RPM) packages were also installed.

Addressed Issues in Traps Agent 5.0.2

Issue ID

Description

CPA-3130

Fixed an issue with identification of VDI in VMware Horizon View and Hyper-V environments and made general back-end improvements for VDI deployments.

Addressed Issues in Traps Agent 5.0.1

Issue ID

Description

CPA-2723

Fixed an issue in the Traps management service web interface where the Endpoints page did not display the domain name for agents (in the host Name column) after the virtual machines they ran on were shut down.

CPA-2722

Fixed an issue on Windows Server 2003 endpoints where, after you migrated to Traps agent 5.0 from an earlier version, the endpoints could not connect to the Traps management service.

CPA-2697

Fixed an issue where, after you migrated to Traps agent 5.0, the Traps local analysis service consumed all the CPU usage on an endpoint.

CPA-2681

Fixed an issue where clicking Check In Now in the Traps agent console disconnected the agent from the Traps management service after you configured a malware profile with a Parent Process Name that exceeded 250 characters (Profiles > Windows > <malware_profile>).

CPA-2679

Fixed an issue where the Traps local analysis service consumed high CPU usage on an endpoint that several users used simultaneously.

CPA-2559

Fixed an issue where the Traps Logs Utility (GetLogsUtilAgent.exe/Getlogsutil.exe) stopped working as soon as you ran it. (The utility is used to collect support logs when the Traps agent stops responding.)

CPA-2525

Fixed an issue where the CLI help for the cytool vdi command displayed the wrong description: Initiate Check-inNow <send heartbeat to server>. With this fix, the command help displays the following description:

> cytool vdi /?
Perform VDI operations
Usage: cytool vdi operation
operation   One of the following:
update   Update Golden Image name in registry

CPA-1942

Fixed an issue that occurred when you first installed the Traps agent where the Traps management service took up to one hour to display the associated content and agent version.

Addressed Issues in Traps Agent 5.0.0


Issue ID

Description

CPA-2590

Fixed an issue on Windows 10 endpoints where, after you installed the latest Windows update and opened a Windows program, Traps injection caused WoW64 (Windows 32-bit on Windows 64-bit) processes to stop responding.