Exclude an Endpoint from an Exploit Protection Rule
When an endpoint attempts to launch an application
that violates an exploit protection policy, the Traps agent stops
the process from running and reports the malicious process to the
Endpoint Security Manager. The
provides detailed information about processes that trigger security
events and the Exploit Protection Modules (EPMs) that prevent the
To allow the process to run on a specific endpoint
without deleting or disabling the policy rule, create an exclusion
rule based on the security event details. Defining an exclusion
rule disables the EPM that prevented the process from running on
a specific endpoint.
To avoid unnecessarily exposing your organization to attacks, create
exclusion rules only when necessary.
You can also create
exclusion rules from scratch by adding
Select the security event for which you want to create
the exclusion rule. The event expands to display further details
and actions about the security event.
the rule with details about the specific EPM and endpoint. This
function is available only for exploit protection rules.
Review the details on the
By default, the exclusion rule applies only to the
endpoint on which the security event occurred. If you want to exclude
multiple objects or endpoints from the rule, add them to the Exclude section
the rule immediately
the rule to activate it later.
Verify that the exclusion rule allows the process to
run on the endpoint.
Open the Traps Console.
Check In Now
the latest security policy.
and verify that the
Launch the application on the endpoint to verify that
the user can successfully run the process.