CREATE/MODIFY AT PROFILE LEVEL
- On the Host Monitoring page, expand the profile and click Edit Allowlist.
- All processes are listed along with their Threat Intelligence, Path, Allowlisted libraries (if any), Source (Scan or Incident), Library Monitoring (Enabled/Disabled) and whether the process is Allowlisted.
- The “Not allowlisted” icon is displayed below.
- The list displays the Process Threat Intelligence status; hovering over it displays the details.
- Clicking the process provides more information about it.
- The table below lists the status values of process and/or library threat intelligence along with their descriptions.
SL NO | Threat Intelligence Status | Color  | Description
1     | Safe                       | Green  | The process, or all of its libraries, are verified and safe
2     | Threat                     | Yellow | The process, or at least one library, is marked as a potential threat
3     | Unverified                 | Grey   | The process, or at least one library, is not verified
4     | NA (only for Library)      | NA     | No libraries are associated with the process

Table - Threat Intelligence Status
- Select the Library/Script Auto Allowlisting option. Depending on the value selected in the drop-down, this automatically allowlists only Safe libraries, all libraries, or none of the libraries.
- The Script Auto Allowlisting tab is populated when an ACP is applied to the profile.
- Select the required processes.
- Associated Libraries:
  - Click the Allowlisted Libraries entry, select all the required libraries and click Close.
  - Alternatively, select the appropriate Library Monitoring option.
- The changed process is indicated as depicted below:
- Click the required ALLOWLIST option.
- Click YES on the confirmation screen.
NOTE:
Once the allowlist is edited, the changes are NOT published to the hosts immediately. Modifications remain in draft state and MUST be published as described below.
- Publish or discard the changes using the appropriate option. While publishing is in progress, the edit, delete, protection mode change and host association/disassociation options are disabled.
NOTE:
The library monitoring option is enabled for all processes unless explicitly disabled on CMS.
For processes that are updated automatically, ensure that library monitoring is switched off to reduce the noise or incidents they generate. Examples of such processes are taskeng.exe, googleupdate.exe and wmiprvse.exe.
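As an added example (not the product's own code) of the Threat Intelligence status table and the Library Auto Allowlisting drop-down described above, the following Python rolls per-library verdicts up into the library status and lists which libraries each auto-allowlisting mode would allowlist. The precedence used for mixed verdicts, the mode names and the sample paths are assumptions.

```python
"""Threat Intelligence status roll-up and Library Auto Allowlisting modes.
Added example, not product code. Precedence Threat > Unverified > Safe for
mixed library verdicts is an assumption the page does not state."""
from dataclasses import dataclass, field
from typing import List

SAFE, THREAT, UNVERIFIED, NA = "Safe", "Threat", "Unverified", "NA"
COLOR = {SAFE: "Green", THREAT: "Yellow", UNVERIFIED: "Grey", NA: "NA"}

@dataclass
class Library:
    path: str
    ti_status: str  # Safe / Threat / Unverified, as shown in the Edit Allowlist list

@dataclass
class Process:
    path: str
    ti_status: str
    libraries: List[Library] = field(default_factory=list)

def library_status(proc: Process) -> str:
    """Library Threat Intelligence status, following the table on this page."""
    if not proc.libraries:
        return NA  # row 4: no libraries associated with the process
    verdicts = {lib.ti_status for lib in proc.libraries}
    if THREAT in verdicts:
        return THREAT  # row 2: at least one library is a potential threat
    if UNVERIFIED in verdicts:
        return UNVERIFIED  # row 3: at least one library is not verified
    return SAFE  # row 1: all libraries are verified and safe

def auto_allowlist(proc: Process, mode: str) -> List[str]:
    """Libraries the chosen Library Auto Allowlisting mode would allowlist.
    mode is 'safe_only', 'all' or 'none' (mode names are assumptions)."""
    if mode == "none":
        return []
    if mode == "all":
        return [lib.path for lib in proc.libraries]
    if mode == "safe_only":
        return [lib.path for lib in proc.libraries if lib.ti_status == SAFE]
    raise ValueError(f"unknown auto-allowlisting mode: {mode}")

# Constructed sample: one process with mixed library verdicts (placeholder paths).
SAMPLE = Process(r"C:\placeholder\app.exe", SAFE, [
    Library(r"C:\placeholder\verified.dll", SAFE),
    Library(r"C:\placeholder\vendor_helper.dll", UNVERIFIED),
    Library(r"C:\placeholder\dropped.dll", THREAT),
])
```

With the sample above, the library column rolls up to Threat (Yellow), and the "Safe only" mode allowlists just the verified library while leaving the unverified and threat-marked ones for manual review.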