Exclude an Endpoint from an Exploit Protection Rule

When an endpoint attempts to launch an application that violates an exploit protection policy, the Traps agent stops the process from running and reports the malicious process to the Endpoint Security Manager. The Security Events > Threats page provides detailed information about processes that trigger security events and the Exploit Protection Modules (EPMs) that prevent the attacks.
To allow the process to run on a specific endpoint without deleting or disabling the policy rule, create an exclusion rule based on the security event details. Defining an exclusion rule disables the EPM that prevented the process from running on a specific endpoint.
To avoid unnecessarily exposing your organization to attacks, create exclusion rules only when necessary.
You can also create exclusion rules from scratch by adding Objects to the Exclude section of the rule (see Create an Exploit Protection Rule).
  1. Launch the Threats page.
    From the ESM Console, select Security Events > Threats.
  2. Select the event.
    Select the security event for which you want to create the exclusion rule. The event expands to display additional details and actions for the security event.
  3. Click Create Rule to populate the rule with details about the specific EPM and endpoint. This function is available only for exploit protection rules.
    1. Review the details on the Processes, Conditions, Objects, and Name tabs.
    2. By default, the exclusion rule applies only to the endpoint on which the security event occurred. If you want to exclude multiple objects or endpoints from the rule, add them to the Exclude section on the Objects tab.
    3. Apply the rule immediately, or Save the rule to activate it later.
  4. Verify that the exclusion rule allows the process to run on the endpoint.
    1. Open the Traps Console.
    2. Select Check In Now to obtain the latest security policy.
    3. Select Advanced > Policy and verify that the rule appears.
    4. Launch the application on the endpoint to verify that the user can successfully run the process.