From the documentation Traps or now called Cortex XDR has several modules.
The main prevention against malware is the BTP (Behaviour Treat Protection ).
Palo Alto has increased prevention drastically since version 5 and since version 7.
It works really differently than old fashio AVs based on string and signatures.
They use some CLIP coding. Their content update have two main extensions .lua and .clp
located in C:\ProgramData\Cyvera\LocalSystem\Download\content (icacls set to SYSTEM)
The LUA contains plaintext like configurations mainly for compatibility issues.
Example : If file cpcng.dll exist
Then the APC Guard module will be disabled.
And the CLP (or CLIP language file) are the real propetary anti-malware signatures.
Traps has kernel level hooks on Process, Network and other modules.
…to be continued …3