Allowlist Management
  • 19 Mar 2024

About this Article
This article describes how to modify Allowlists and how to manage Publishers and Packages.


Allowlist

The Allowlist defines all the executables that are allowed to execute. The list of executables is populated after the reference host scan. Some of them are auto-allowlisted as per the configuration on the Host profile/template. The list can be modified or optimized as described in the sections below.

The below table represents the different status values of executable threat intelligence along with their descriptions:

| Threat Intelligence Status | Color | Description |
|---|---|---|
| Safe | Green | If the executables are verified by the configured Threat Intelligence Service and are safe |
| Threat | Yellow | If the executable is marked as a potential threat |
| Unverified | Grey | If Threat Intelligence Service is not configured |
| Unknown | NA | If the reputation of the executable is not available with the configured Threat Intelligence Service |


Modify at the Profile-level

  1. On the Host Monitoring page, expand the profile and click Edit Allowlist
  2. All executables are listed along with their Threat Intelligence, Path, Allowlisted libraries (if any), Source (Scan or Incident), Library Monitoring (Enabled/Disabled) and Allowlist (or not)
  3. The “Not allowlisted” status is depicted below
  4. The list displays Threat Intelligence. A mouse-over will display the details
  5. Select the Library/Script Auto Allowlisting option. This enables the automatic allowlisting of Safe only libraries OR all libraries OR none of the libraries depending on the selected drop-down. The Script Auto Allowlisting tab is populated when an ACP is applied to the profile
  6. Select the required processes
  7. Associated Binaries
    1. Click the Allowlisted Binaries entry and select all the required libraries, click Close
    2. Alternatively, select the appropriate Library Monitoring Option
  8. The changed process is indicated as depicted below:
  9. Click the required Allowlist option. Click YES on the confirmation screen
  10. Publish/Discard the changes using the appropriate option. During the process of publishing, options of edit, delete, protection mode change or host association/disassociation are disabled
Note

The library monitoring option is enabled for all the processes unless explicitly disabled on CMS


Modify across Profiles

  1. Execute a search on the Profile List. Select all the required processes to be allowlisted from the search results
  2. Select the appropriate option under LIBRARY MONITORING. This option applies to the search results ONLY
  3. Select the Library/Script Auto Allowlisting option at the top of the page
  4. Click the required Allowlist option. Click YES on the confirmation screen. This option applies to the search results ONLY
  5. Alternatively, click the Allowlisted Libraries entry associated with a particular process
    1. Select the required libraries to be allowlisted. Select the appropriate option under ALLOWLIST and click YES on the confirmation screen
  6. Publish/Discard the changes using the appropriate option at the profile level
  7. Alternatively, use the below dropdown for bulk publish/discard across profiles


Optimize Allowlist

The Optimize Allowlist option clears/optimizes the allowlist when exclusions are added. Although this clean-up is automated, it can be manually initiated using this option. It ensures that all executables matching the global exclusion list are purged from the individual Host Profiles. The corresponding incidents are marked as Acknowledged.

  1. To optimize the existing allowlist, click ALL PROFILES > Exclusions List > Optimize Allowlist
  2. Click YES on the confirmation screen


Publishers (Windows)

VSP provides an option to add a list of Publishers of files (files signed by a known publisher) to the allowlist for Windows Probes. When processes with the allowlisted Publishers are launched, they are allowed to execute. Incidents are not reported in CMS for such processes. New Publishers are added to the list from the following sources:

  1. Publishers of files scanned on the hosts when a profile is created
  2. Publishers obtained from VSP detected incidents
  3. Publishers manually added from the CMS
NOTE

[Version 3.0.0 and Above]
Whenever a publisher is allowlisted:

  1. Incidents related to it are auto-acknowledged
  2. Associated executables are no longer listed in the allowlist
  3. A process belonging to an allowed publisher may remain in the allowlist if there are any libraries or scripts associated with it that are not eligible for removal. These libraries/scripts may be associated with a publisher that is not allowlisted or may not be associated with any publisher

By default, host protection allows binaries with expired Publisher Certificates. To block binaries with expired Publisher Certificate, execute the command:

vsp-cli config hmm edit winCheckExpiration True --persist
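
Before switching winCheckExpiration to True, it helps to know which signed binaries on a host carry an expired publisher certificate, and how each publisher name is spelled in the certificate. The following PowerShell inventory is an added example, not VSP code; the scanned directories are assumptions, and so is the use of the certificate's simple name as the publisher string CMS expects.

```powershell
# Added example (not part of VSP): list Authenticode publishers on a Windows host
# and flag binaries whose signing certificate has expired.
# Assumption: the directories in $Roots are the ones relevant to the profile.
$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$Now = Get-Date
$NameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$signed = Get-ChildItem -Path $Roots -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        if ($cert) {
            [pscustomobject]@{
                Path      = $_.FullName
                # Assumption: CMS matches on the certificate's simple (common) name.
                Publisher = $cert.GetNameInfo($NameType, $false)
                Status    = $sig.Status
                NotAfter  = $cert.NotAfter
                Expired   = $cert.NotAfter -lt $Now
            }
        }
    }

# One row per publisher, grouped case-sensitively because the CMS name is case-sensitive.
$signed |
    Group-Object -Property Publisher -CaseSensitive |
    Select-Object @{ n = 'Publisher';        e = { $_.Name } },
                  @{ n = 'Files';            e = { $_.Count } },
                  @{ n = 'ExpiredCertFiles'; e = { @($_.Group | Where-Object Expired).Count } } |
    Sort-Object -Property ExpiredCertFiles -Descending |
    Format-Table -AutoSize

# Binaries to review before expired publisher certificates are blocked.
$signed |
    Where-Object Expired |
    Sort-Object -Property Publisher, Path |
    Select-Object Publisher, NotAfter, Status, Path |
    Format-Table -AutoSize
```

Publishers that appear with a non-zero ExpiredCertFiles count are the ones to check against the Global and Profile-level Publishers lists before changing the setting.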


The Publishers list can be defined at the global level or profile level.


 

Version 2.11 and Above:

Global Publishers List

Global Publishers List is applicable to all profiles.

  1. To view the Global List, follow the below steps:
    1. On the Host Monitoring page, navigate to ALL PROFILES > Manage Publishers to view the list of Publishers
    2. Select all the required Publishers and the required option from ACTIONS to allow/not allow Publishers. Any action taken on the global list will impact all the associated profiles. Click YES on the confirmation screen
  2. To add Publishers manually to the global list, follow the below steps:
    1. Click ADD PUBLISHER. Provide the Publisher Name and select Allow/Not Allow option. Click SAVE
    2. Ensure that the exact Publisher name is specified. The name is case-sensitive 
    3. Any Publisher added globally is not listed in associated profiles to avoid redundancy. But these global specifications are applied to all the profiles


Profile-level Publishers List

Profile-level Publishers List is applicable to a particular profile. 

  1. To view the Publishers list of a profile, click Edit Publishers Rules
    1. Select all the required Publishers and the required option from ACTIONS to allow/not allow Publishers. Any action taken on the global list will impact all the associated profiles. Click YES on the confirmation screen
  2. To add Publishers manually to the profile list, follow the below steps:
    1. Click ADD PUBLISHER. Provide the Publisher Name and select Allow/Not Allow option. Click SAVE
    2. Ensure that the exact Publisher name is specified. The name is case-sensitive. Addition is at the Profile level only

Version 2.10 and Below:

Global Publishers List

Global Publishers List is applicable to all profiles.

  1. To view the Global List, follow the below steps:
    1. On the Host Monitoring page, navigate to ALL PROFILES > Manage Publishers to view the list of Publishers
    2. Select all the required Publishers and the required option from ACTIONS to allow/deny Publishers. Any action taken on the global list will impact all the associated profiles. Click YES on the confirmation screen
  2. To add Publishers manually to the global list, follow the below steps:
    1. Click ADD PUBLISHER. Provide the Publisher Name and select Allow/Deny option. Click SAVE
    2. Ensure that the exact Publisher name is specified. The name is case-sensitive 
    3. Any Publisher added globally is automatically listed in associated profiles
    4. The manually added Publishers can be deleted


Profile-level Publishers List

Profile-level Publishers List is applicable to a particular profile. 

  1. To view the Publishers list of a profile, click Edit Publishers Rules
    1. Select all the required Publishers and the required option from ACTIONS to allow/deny Publishers. Any action taken on the global list will impact all the associated profiles. Click YES on the confirmation screen
  2. To add Publishers manually to the profile list, follow the below steps:
    1. Click ADD PUBLISHER. Provide the Publisher Name and select Allow/Deny option. Click SAVE
    2. Ensure that the exact Publisher name is specified. The name is case-sensitive. Addition is at the Profile level only
    3. The manually added Publishers can be deleted. Deletion is also at the Profile level only


Packages (Linux)

VSP provides an option to add a list of file Packages (rpm and dev packages) to the allowlist for Linux Probes. When processes with the allowlisted Packages are launched, they are allowed to execute. Incidents are not reported in CMS for such processes. New Packages are added to the list from the following sources:

  1. File Packages scanned on the hosts when a profile is created
  2. File Packages obtained from VSP detected incidents
  3. File Packages manually added from CMS
NOTE

[Version 3.0.0 and Above]
Whenever a package is allowlisted:

  1. Incidents related to it are auto-acknowledged
  2. Associated executables are no longer listed in the allowlist
  3. A process belonging to an allowed package may remain in the allowlist if there are any libraries or scripts associated with it that are not eligible for removal. These libraries/scripts may be associated with a package that is not allowlisted or may not be associated with any package

The Packages list is considered only if the option Scan Complete File System is selected during profile creation. The Packages list can be defined at the global level or profile level.


 

Version 2.11 and Above:

Global Package List

Global Packages List is applicable to all profiles.

  1. To view the Global List, follow the below steps:
    1. On the Host Monitoring page, navigate to ALL PROFILES > Manage Packages to view the list of Packages
    2. Select all the required Packages and the required option from ACTIONS to allow/not allow Packages. Any action taken on the global list will impact all the associated profiles. Click YES on the confirmation screen
  2. To add Packages manually to the global list, follow the below steps:
    1. Click ADD PACKAGE. Provide the Package Name and select Allow/Not Allow option. Click SAVE
    2. Ensure that the exact Package name is specified. The name is case-sensitive 
    3. Any Package added globally is not listed in associated profiles to avoid redundancy. But these global specifications are applied to all the profiles


Profile-level Package List

Profile-level Package List is applicable to a particular profile. 

  1. To view the Packages list of a profile, click Edit Packages Rules
    1. Select all the required Packages and the required option from ACTIONS to allow/not allow Packages. Any action taken on the global list will impact all the associated profiles. Click YES on the confirmation screen
  2. To add Packages manually to the profile list, follow the below steps:
    1. Click ADD PACKAGE. Provide the Package Name and select Allow/Not Allow option. Click SAVE
    2. Ensure that the exact Package name is specified. The name is case-sensitive. Addition is at the Profile level only

Version 2.10 and Below:

Global Package List

Global Packages List is applicable to all profiles.

  1. To view the Global List, follow the below steps:
    1. On the Host Monitoring page, navigate to ALL PROFILES > Manage Packages to view the list of Packages
    2. Select all the required Packages and the required option from ACTIONS to allow/deny Packages. Any action taken on the global list will impact all the associated profiles. Click YES on the confirmation screen
  2. To add Packages manually to the global list, follow the below steps:
    1. Click ADD PACKAGE. Provide the Package Name and select Allow/Deny option. Click SAVE
    2. Ensure that the exact Package name is specified. The name is case-sensitive 
    3. Any Package added globally is automatically listed in associated profiles
    4. The manually added Packages can be deleted


Profile-level Package List

Profile-level Package List is applicable to a particular profile. 

  1. To view the Packages list of a profile, click Edit Packages Rules
    1. Select all the required Packages and the required option from ACTIONS to allow/deny Packages. Any action taken on the global list will impact all the associated profiles. Click YES on the confirmation screen
  2. To add Packages manually to the profile list, follow the below steps:
    1. Click ADD PACKAGE. Provide the Package Name and select Allow/Deny option. Click SAVE
    2. Ensure that the exact Package name is specified. The name is case-sensitive. Addition is at the Profile level only
    3. The manually added Packages can be deleted. Deletion is also at the Profile level only
