paloalto Traps doesn’t know about MC Upgrade (yet)

If you are not familiar with Traps, it’s an endpoint protection solution from paloalto:

Traps replaces legacy antivirus and secures endpoints with a multi-method prevention approach that blocks malware and exploits, both known and unknown, before they compromise endpoints such as laptops, desktops and servers.

We are running Traps on different endpoints (Win/Mac) and found a few glitches in the early stage, but they were solved rather quickly and so far it’s been running well, without interfering with day-to-day processes or performance. That was until we started to roll out a new FP to the IBM Notes clients on Windows.

To manage and upgrade our Notes clients we use panagenda’s MarvelClient and have been running it successfully for different upgrades. But at one point we received more and more error logs, from the same users, where the upgrade was failing. After some digging, we found the problem. Traps, which is monitoring activity on your endpoint, found the activity caused by MCUpgrade.exe to be suspicious and therefore blocked access to it.

We notified paloalto about this “issue”, which actually is correct behavior since they didn’t know about MCUpgrade, and have whitelisted MCUpgrade in our configuration, including a very explicit path where the exe has to be located. This solved our problem and the IBM Notes client upgrades with MCUpgrade are working again.

2 thoughts on “paloalto Traps doesn’t know about MC Upgrade (yet)”

  1. Hi Andreas,

    the most recent versions of panagenda MarvelClient Upgrade (MCUpgrade) are signed with an EV certificate. Potentially that would fix the issue, too, without having to specifically whitelist it?

    Best, Florian

    1. Hi Florian,
      thanks for your comment. Certainly worth a try; we found that the issue came up when trying the different admin accounts. Not sure if this behaviour would be tolerated even with a signed program? But we can certainly test it if you want.
