Entrap ePO Module
Prevent zero day exploits and reduce the need for signature updates
As new threat variants, attacks, and actors appear on a daily basis, even sophisticated enterprises have difficulty getting insight into these newly developed techniques and players.
Entrap brings the ability to operate as both an active Windows service for 24/7 protection and as a deployable executable for specific forensic characterization tasks. It provides the highest levels of protection for today’s threats and the ability to block and/or quickly respond to those of the future. The Entrap solution is designed to address the malware detection and characterization functional gap identified within the U.S. Air Force computer emergency response team.
Process API Behavior
Entrap is an intrusion prevention and malware characterization security solution applied in the kernel space of the Windows Operating System. It can operate both as an active Windows service for 24/7 protection and as a deployable executable for specific forensic malware characterization tasks.
In Active Mode, Entrap provides intrusion prevention system capabilities based on each process's API behavior. This mode can deny the process's API call, or kill the thread or process making the suspicious call. In Passive Mode, Entrap provides API logging but does not interfere with the process. This mode produces a log that lets incident responders quickly ascertain or characterize the intent of unknown or malicious processes. Entrap leverages advanced malware detection techniques to provide a breadth of security beyond that provided by Windows services.
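As an added illustration of the Active/Passive semantics described above and of the "log in Passive Mode, then deploy as an Active Mode rule" workflow, the following Python is not Entrap's code: the rule format, the call-record fields and the sample call stream are assumptions constructed for this example.

```python
from typing import Callable, Dict, List, Tuple

# A call record: pid, tid, process image, API name, selected string arguments.
ApiCall = Dict[str, object]
# A rule: (name, api, predicate over the call, action).
Rule = Tuple[str, str, Callable[[ApiCall], bool], str]

def evaluate(calls: List[ApiCall], rules: List[Rule], mode: str):
    """Apply behavioral rules to an API call stream. Active mode enforces the
    rule's action (deny / kill_thread / kill_process); Passive mode records a
    'log' verdict and never interferes with the process."""
    if mode not in ("active", "passive"):
        raise ValueError("mode must be 'active' or 'passive'")
    verdicts, dead_pids, dead_tids = [], set(), set()
    for c in calls:
        # A killed thread or process makes no further calls, so skip them.
        if c["pid"] in dead_pids or c["tid"] in dead_tids:
            continue
        for name, api, pred, action in rules:
            if c["api"] == api and pred(c):
                taken = action if mode == "active" else "log"
                verdicts.append((c["pid"], c["tid"], c["api"], name, taken))
                if taken == "kill_process":
                    dead_pids.add(c["pid"])
                elif taken == "kill_thread":
                    dead_tids.add(c["tid"])
                break  # first matching rule wins
    return verdicts

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
RULES: List[Rule] = [  # hypothetical rules, written from a Passive Mode log
    ("office-spawns-shell", "CreateProcessW",
     lambda c: c["image"] in OFFICE and "cmd.exe" in c["args"].get("command", ""),
     "deny"),
    ("remote-thread-injection", "CreateRemoteThread",
     lambda c: c["args"].get("target_pid") not in (None, str(c["pid"])),
     "kill_process"),
]

def call(pid, tid, image, api, **args) -> ApiCall:
    return {"pid": pid, "tid": tid, "image": image, "api": api, "args": args}

# Constructed sample call stream (not a real capture).
CALLS = [
    call(100, 1, "winword.exe", "CreateProcessW", command="cmd.exe /c whoami"),
    call(200, 5, "notepad.exe", "CreateRemoteThread", target_pid="300"),
    call(200, 6, "notepad.exe", "CreateRemoteThread", target_pid="301"),
    call(400, 9, "svchost.exe", "CreateProcessW", command="calc.exe"),
]
```

Running `evaluate(CALLS, RULES, "passive")` yields three log-only verdicts, while `"active"` yields two: the second injection call never appears because its process was already killed.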
ePolicy Orchestrator (ePO) Deployment and Customization
Use ePO to deploy new API behavioral rules based on the forensic analysis. The safeguards will be deployed to the rest of the enterprise as an active mode API behavioral rule. For example, in the event a machine is exploited, these integrated logs are immediately available to quickly analyze the malware’s behavior. The information from the logs allows a new behavioral rule set to be created and deployed to protect the entire enterprise.
Manage Entrap generated events in ePO
The integration points between Entrap and ePO are the McAfee Agent for Windows and Registered Server APIs. Defenders receive Entrap security alerts from Windows OS endpoints to drive faster remediation and policy enforcement.
Entrap rules have been optimized for the USAF standard desktop configuration (SDC) on ePO-managed assets, which minimizes potential false positives. Forensic analysis can be enabled on assets managed by ePO. In Passive Mode, API call information can be used by internal incident responders as part of forensic analysis or for detecting indicators of compromise (IoCs).