CREATE HOST PROFILE
To create a profile, follow these steps:
- Navigate to Manage > Host > Host Protection in the left navigation pane.
- Click ADD PROFILE.
- A pop-up window is displayed.
- A profile must be generated by collecting information about the processes running on the host.
- Provide the below information:
  - Name – Name of the profile.
  - Profile Tag – Tag used during VM Probe auto registration.
  - Library Monitoring – Select the box to enable Library Monitoring.
  - Memory Exploit Protection – Enable it for Memory Exploit Protection. Refer to the page VSP Memory Exploit Protection of Operations for more information.
  - Auto-Allowlist – Auto allowlist files with reputation 'SAFE'.
  - Auto Allowlist Unknown Files from Discovery Scan – Auto allowlist the files with reputation 'UNKNOWN' from the discovery scan.
  - Auto Allowlist Unknown Files from Discovery Scan and Incidents – Auto allowlist the files with reputation 'UNKNOWN' from the discovery scan and the incidents.
  - Allow New Publisher/Package – Auto allowlist any new publisher/package detected due to new software installation OR new instance association with the profile.
    - When enabled, the publisher/package is automatically added to the allowlist with the source as "SCAN". When Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, the Publishers/Packages are listed in the respective lists with the source as "Incident" only when they are accessed, and no incidents are reported in CMS.
    - When disabled and the Maintenance Mode is stopped, the newly added Publishers/Packages are listed in the respective lists. If Maintenance Mode is cancelled, incidents are reported only when the Publishers/Packages are accessed, and the Publishers/Packages are listed in the respective lists with the source as "Incident".
    - The user can modify the allowlist as required at any point. The modified list is published to the Probe.
  - Operating System – Select the Operating System (Windows/Linux) from the drop-down list.
  - Default Monitoring Mode – Select the required Monitoring Mode – Protect OR Detect. This is applicable for all the hosts except the reference host used to create the allowlist. Ensure that the monitoring mode is explicitly set for the reference host once the host scan is complete and the allowlist is published. For subsequent hosts associated with the profile, the default Mode is applied automatically.
  - App Control Policy Name – Select the appropriate App Control policy from the drop-down list. Refer to the page Create Policy of Operations for information on App Policy creation. This is an optional field. Select None from the dropdown if no profile needs to be configured.
  - Protection Profile Name – Select the appropriate Protection profile from the drop-down list. Based on the selected Host OS, Protection Profiles relevant for that OS are populated. This is an optional field. Select None from the dropdown if no profile needs to be configured.
  - Exclusions for Allowlist – This is the list of directories that need to be excluded from process and library monitoring. Processes launched from these directories are not reported as incidents. Add the directories individually and press the return key. Normal regex syntax can be utilized. This is a local list applicable only to the profile being created. For more information on the global exclusion list, refer to the page Global Exclusion List of Operations.
    - By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning.
  - Exclusions for Memory Exploit Protection – This is the list of directories that need to be excluded from Memory Exploit Protection. By default, some directories are added to the list. Do not alter them as that can affect normal VSP functioning. Refer to the page VSP Memory Exploit Protection of Operations for more information.
    NOTE: In both Windows and Linux, the mounted folders are auto-excluded during the discovery scan.
- Click SAVE.
- The created profile will be listed on the Host Monitoring page.
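A pre-check for the Exclusions for Allowlist field, as an added example that is not VSP code: it runs each proposed exclusion regex over a constructed list of executable directories and reports anything it would exempt from process and library monitoring beyond what was intended. It assumes Python `re` semantics with unanchored matching, since this page does not document how VSP applies the patterns; the function names and sample paths are hypothetical.

```python
import re

# Constructed sample data: directories that executables launch from on a
# reference host (for example, gathered from a process inventory).
SAMPLE_DIRS = [
    "/opt/backup/bin",
    "/opt/backup/tmp",
    "/tmp",
    "/home/alice/tmp",
    "/var/lib/app/tmp/cache",
    "/usr/bin",
]

def coverage(patterns, dirs):
    """Map each exclusion regex to the directories it would exempt.

    Assumption: unanchored matching (re.search). An invalid regex is
    reported with its compile error instead of raising.
    """
    result = {}
    for pat in patterns:
        try:
            rx = re.compile(pat)
        except re.error as exc:
            result[pat] = f"invalid regex: {exc}"
            continue
        result[pat] = [d for d in dirs if rx.search(d)]
    return result

def unintended(patterns, dirs, intended):
    """Return {pattern: matches outside the intended set, or the error}."""
    extra = {}
    for pat, hits in coverage(patterns, dirs).items():
        if isinstance(hits, str):        # compile error message
            extra[pat] = hits
            continue
        surplus = [d for d in hits if d not in intended]
        if surplus:
            extra[pat] = surplus
    return extra

if __name__ == "__main__":
    # Constructed proposals: one scoped, one too broad, one anchored, one malformed.
    proposed = ["/opt/backup/.*", "tmp", "^/opt/backup/bin$", "/opt/(backup"]
    intended = {"/opt/backup/bin", "/opt/backup/tmp"}
    for pat, found in unintended(proposed, SAMPLE_DIRS, intended).items():
        print(f"{pat!r} -> {found}")
```

Any pattern this reports should be anchored or narrowed before it is entered in the profile, because processes launched from the extra directories would not be reported as incidents.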