Exclude an Endpoint from an Exploit Protection Rule
4.2 (EoS)
When an endpoint attempts to launch an application that violates an exploit protection policy, the Traps agent stops the process from running and reports the malicious process to the Endpoint Security Manager. The Security Events > Threats page provides detailed information about processes that trigger security events and the Exploit Protection Modules (EPMs) that prevent the attacks.

To allow the process to run on a specific endpoint without deleting or disabling the policy rule, create an exclusion rule based on the security event details. Defining an exclusion rule disables the EPM that prevented the process from running on that specific endpoint.

To avoid unnecessarily exposing your organization to attacks, create exclusion rules only when necessary.

You can also create exclusion rules from scratch by adding Objects to the Exclude section of the rule (see Create an Exploit Protection Rule).
- Launch the Threats page. From the ESM Console, select Security Events > Threats.
- Select the event. Select the security event for which you want to create the exclusion rule. The event expands to display further details and actions for the security event.
- Click Create Rule to populate the rule with details about the specific EPM and endpoint. This function is available only for exploit protection rules.
- Review the details on the Processes, Conditions, Objects, and Name tabs.
- By default, the exclusion rule applies only to the endpoint on which the security event occurred. If you want to exclude multiple objects or endpoints from the rule, add them to the Exclude section on the Objects tab.
- Apply the rule immediately or Save the rule to activate it later.
- Verify that the exclusion rule allows the process to run on the endpoint.
  - Open the Traps Console.
  - Select Check In Now to obtain the latest security policy.
  - Select Advanced > Policy and verify that the rule appears.
  - Launch the application on the endpoint to verify that the user can successfully run the process.