Create a Policy Exception

In some cases, you may need to override the applied security policy to change whether Traps allows a process or file to run on an endpoint. To override the security policy, you can configure any of the following types of policy exceptions:
  • Create a Process Exception—Allow processes blocked by an exploit security module to run on an endpoint. You can also disable all exploit protection modules for a process.
  • Create a Hash Exception—Explicitly define a verdict for a file (Benign or Malware). Traps management service distributes the verdict to all Traps agents that attempt to run the file. Traps will evaluate the verdict you specify for the file instead of the WildFire verdict.
  • Create a Behavioral Threat Rule Exception—Allow activity which matches Palo Alto Networks behavioral threat rules to run on an endpoint.
  • Manage Support Exceptions—Palo Alto Networks defined exceptions that can be used to temporarily address policy issues for specific customers.

Create a Process Exception

When a specific module in your exploit security profile blocks a process from running and you want to allow a process to run on one or more endpoints, configure a process exception.
You can configure a process exception to disable a specific exploit protection module on a specific process or you can configure a process exception to disable all protection modules for the process. To disable a specific exploit protection module on a specific process, you can also use a security event to populate the process exception with the necessary details such as module, process, and endpoint. See the following topics to create a process exception:
  • Create a process exception from a security event.
    To pre-populate a process exception to exclude a process from protection by a specific exploit protection module using the details from a security event:
    1. From the Security Events dashboard on Traps management service, select the security event for which you want to base a policy exception.
    2. At the top of the details view, select Actions > Create Exception.
    3. Add (+) additional Hosts to which the exception applies, if needed.
      Add the target hosts by: endpoint hostname (Agent), endpoint Group, AD OU (organizational unit), or AD Group. In the case of mixed groups or OUs containing endpoints and users, the exception will apply only to endpoints that match the platform type specified in the exception.
      To narrow the results, begin typing in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter agents, AD groups, and AD OUs by Domain.
      To add all endpoints that match the platform type, select Agent and enter any into the search field.
      Use the any option with caution and instead consider assigning a different security profile to your policy rule if the applied security policy does not meet your needs.
    4. Enter a comment to explain why you are granting an exception to the security policy.
    5. Save the policy exception.
      After Traps management service distributes the updated security policy to the agent at the next heartbeat communication, the next time the activity is repeated, Traps will permit the process to run.
    6. Return to Exceptions > Process Exceptions at any time to make changes to the exception, or to disable or delete a process exception if it is no longer required.
  • Create a process exception from scratch.
    To create a process exception to exclude a process from protection by a specific exploit protection module without using a security event to populate the exception details:
    1. Select Exceptions > Process Exceptions.
    2. Select Actions > Create Process Exception.
    3. Enter the Process Name for which you want to disable protection.
    4. Select the Platform to which the exception applies.
    5. Select the exploit protection Module that you want to disable on the process.
    6. Disable the module.
      Traps management service adds the exception to the Process Exceptions page.
    7. Apply the exception to one or more Hosts.
      Until you apply the exception to one or more hosts, the exception is active but does not apply to any endpoint.
      1. Edit the exception.
      2. Add (+) one or more target hosts to which the exception applies: endpoint hostname (Agent), endpoint Group, AD OU (organizational unit), or AD Group. In the case of mixed groups or OUs containing endpoints and users, the exception will apply only to endpoints that match the platform type specified in the exception.
        To narrow the results, begin typing in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter agents, AD groups, and AD OUs by Domain.
        To add all endpoints that match the platform type, select Agent and enter any into the search field.
        Use the any option with caution and instead consider assigning a different security profile to your policy rule if the applied security policy does not meet your needs.
    8. Save the exception.
      Traps management service sends the latest policy with the exception to the specified endpoints at the next heartbeat communication with the Traps agent.
    9. Return to Exceptions > Process Exceptions at any time to make changes to the exception, or to disable or delete a process exception if it is no longer required.
  • Disable all exploit protection modules for a process.
    1. Select Exceptions > Process Exceptions.
    2. Select Actions > Disable Process Protection.
    3. Enter the Process Name for which you want to disable protection.
    4. Select the Platform to which the exception applies.
    5. Disable protection modules for the process.
      Traps management service adds the exception to the Process Exceptions page and identifies the Module as Disable Process Protection.
    6. Apply the exception to one or more Hosts.
      Until you apply the exception to one or more hosts, the exception is active but does not apply to any endpoint.
      1. Edit the exception.
      2. Open (+) the endpoint search dialog.
      3. Add endpoints by the endpoint hostname.
        To narrow the list of endpoints, begin typing the name in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter the list of endpoints by Domain. To add all endpoints, type any into the search field.
        Use the any option with caution and instead consider assigning a different security profile to your policy rule if the applied security policy does not meet your needs.
    7. Save the exception.
      Traps management service sends the latest policy with the exception to the specified endpoints at the next heartbeat communication with the Traps agent.
    8. Return to Exceptions > Process Exceptions at any time to make changes to the exception, or to disable or delete a process exception if it is no longer required.
  • Disable or delete a process exception.
    If a process exception is no longer required, you can temporarily disable or permanently delete it.
    1. Return to Exceptions > Process Exceptions.
      For each process, Process Exceptions displays the Profile Type, process name, and endpoints to which the exception applies. The page also displays the time the exception was last modified and any comments entered to describe the exception.
    2. Select the check box next to the policy exception.
    3. At the top of the Process Exception table, select the appropriate action to disable or delete the process exception.
      You can also perform these actions from the edit view of a process exception or you can Disable or Delete the process exception by selecting the action from the menu that appears to the right of the comments column when you hover over the process exception.
      If you disable the exception, you can re-enable it if needed. If you delete the exception, Traps management service permanently deletes the exception and removes it from view.

Create a Hash Exception

From Hash Exceptions, you can view all hash exceptions or search for specific hash values that override the WildFire verdict. For each file, Hash Exceptions displays the SHA256 hash, the exception verdict (set by an administrator), the WildFire verdict (for comparison), the time the exception was last modified, and any comments entered to describe the exception.
To add a new hash exception:
  • Create a hash exception for a file using the file name.
    1. Select Files.
    2. Use the filters to find the file.
    3. Select the File Name to open the details view for the file.
    4. Create Exception.
    5. Select the Verdict for the file—Benign or Malware.
    6. Save the exception.
    7. If at any point you no longer need an exception, you can delete it from Exceptions > Hash Exceptions.
  • Create a hash exception using the SHA256 hash value.
    1. Identify the hash of the file for which you want to create an exception.
      You can create a hash exception from either Exceptions or Files.
      From Exceptions.
      1. Select Exceptions > Hash Exceptions.
      2. Click Actions > Create.
        As an alternative to defining individual hashes, you can also use the Import CSV action to import hashes and verdicts as a comma-separated values (CSV) file. Traps management service accepts a CSV file with the following fields: Verdict, Hash, Name, and FileType, where:
        • Verdict—0 for benign or 1 for malware
        • Hash—SHA256 hash value
        • Name—Name of the file
        • FileType—One of the following:
          • 0—Unknown
          • 1—PE
          • 2—Mach-O
          • 3—DLL
          • 4—Office File
          • 5—ELF
      3. Enter the SHA256 hash and corresponding verdict—Benign or Malware.
      4. Enter (+) up to four additional files (five total) and then Add them when finished.
      From the Files page.
      1. Enter the SHA256 hash and corresponding verdict—Benign or Malware.
      2. Save the hash exception.
      Traps management service delivers the updated security policy at the next heartbeat communication with the agent. When the file next tries to run, Traps treats it according to the hash exception policy.
  • Disable or delete a hash exception:
    1. Select the type of policy exception, Hash Exceptions.
    2. (Optional) Use the SHA256 search to filter the hash exceptions by a complete hash value.
    3. Select the check box next to the hash exception and then click the edit icon.
    4. Temporarily Disable the policy exception or Delete the exception completely.
      If you disable the exception, you can return to the Exceptions page at a later time to Enable it again. If you delete the exception, Traps management service permanently deletes the exception and removes it from view.
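As an added example (not Palo Alto Networks code), the following Python script validates a hash-exception import file in the Verdict, Hash, Name, FileType layout described above and shows how a hash exception takes the place of the WildFire verdict when a file is evaluated. The optional header row, the strict rejection of malformed or conflicting rows, and every hash and WildFire verdict below are assumptions or constructed sample data, not behaviour documented for Traps management service.

```python
import csv
import hashlib
import io
import re

# Field encodings as listed on the page for the Import CSV action.
VERDICTS = {0: "Benign", 1: "Malware"}
FILE_TYPES = {0: "Unknown", 1: "PE", 2: "Mach-O", 3: "DLL", 4: "Office File", 5: "ELF"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_exception_csv(text):
    """Parse 'Verdict,Hash,Name,FileType' rows.

    Returns (exceptions, errors): exceptions maps a lowercase SHA256 to its
    verdict label; errors lists rejected rows. A leading header row is
    tolerated (assumption: the page does not say whether one is required).
    Malformed or conflicting rows are rejected rather than imported, so a
    typo cannot silently mark a hash as Benign.
    """
    exceptions, errors = {}, []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or (line_no == 1 and row[0].strip().lower() == "verdict"):
            continue  # blank line or header row
        if len(row) != 4:
            errors.append(f"line {line_no}: expected 4 fields, got {len(row)}")
            continue
        verdict_s, hash_s, name, ftype_s = (f.strip() for f in row)
        digest = hash_s.lower()
        if not SHA256_RE.match(digest):
            errors.append(f"line {line_no}: Hash is not a 64-hex-digit SHA256")
            continue
        if not (verdict_s.isdigit() and int(verdict_s) in VERDICTS):
            errors.append(f"line {line_no}: Verdict must be 0 (benign) or 1 (malware)")
            continue
        if not (ftype_s.isdigit() and int(ftype_s) in FILE_TYPES):
            errors.append(f"line {line_no}: FileType must be 0-5")
            continue
        label = VERDICTS[int(verdict_s)]
        if exceptions.get(digest, label) != label:
            errors.append(f"line {line_no}: conflicting verdict for {name}; first row kept")
            continue
        exceptions[digest] = label
    return exceptions, errors


def resolve_verdict(sha256, exceptions, wildfire_verdicts):
    """Return (verdict, source): a hash exception overrides the WildFire verdict."""
    digest = sha256.strip().lower()
    if digest in exceptions:
        return exceptions[digest], "hash exception"
    if digest in wildfire_verdicts:
        return wildfire_verdicts[digest], "WildFire"
    return None, "none"


# Constructed sample data: hashes derived from placeholder strings, not real files.
H_TOOL = hashlib.sha256(b"constructed-internal-tool.exe").hexdigest()
H_DROPPER = hashlib.sha256(b"constructed-dropper.dll").hexdigest()
H_UNLISTED = hashlib.sha256(b"constructed-unlisted.elf").hexdigest()

# Rows 4-6 are deliberately bad: invalid Verdict, short Hash, and a conflicting verdict.
SAMPLE_CSV = f"""Verdict,Hash,Name,FileType
0,{H_TOOL},internal-tool.exe,1
1,{H_DROPPER},dropper.dll,3
2,{H_UNLISTED},bad-verdict.elf,5
0,deadbeef,short-hash.exe,1
1,{H_TOOL},internal-tool.exe,1
"""

# Constructed WildFire verdicts, shown for comparison as the Hash Exceptions page does.
SAMPLE_WILDFIRE = {H_TOOL: "Malware", H_UNLISTED: "Benign"}


def demo():
    """Parse the sample file and resolve a verdict for each sample hash."""
    exceptions, errors = parse_exception_csv(SAMPLE_CSV)
    results = {h: resolve_verdict(h, exceptions, SAMPLE_WILDFIRE)
               for h in (H_TOOL, H_DROPPER, H_UNLISTED)}
    return exceptions, errors, results


if __name__ == "__main__":
    exc, errs, res = demo()
    for digest, (verdict, source) in res.items():
        print(f"{digest[:12]}... -> {verdict} ({source})")
    for err in errs:
        print("rejected:", err)
```

Running the script shows the internal tool resolving to Benign from the hash exception even though the sample WildFire verdict is Malware, the dropper resolving to Malware from its exception, and the unlisted file falling back to its WildFire verdict because its row was rejected. Validating the file before importing it is the useful part: a verdict of 2 or a truncated hash is caught in review rather than discovered after the policy has been pushed to agents.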

Create a Behavioral Threat Rule Exception

If a behavioral threat rule blocks a causality chain (a sequence of events) that you think is legitimate, you can create a behavioral threat rule exception. This disables the rule for all causality chains that match the rule.
To create an exception from a behavioral threat rule:
  1. From the Security Events dashboard on Traps management service, select the behavioral threat event for which you want to base a policy exception.
  2. At the top of the details view, select Actions > Create Exception.
  3. Add (+) additional Hosts to which the exception applies, if needed.
    Add the target hosts by: endpoint hostname (Agent), endpoint Group, AD OU (organizational unit), or AD Group. In the case of mixed groups or OUs containing endpoints and users, the exception will apply only to endpoints that match the platform type specified in the exception.
    To narrow the results, begin typing in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter agents, AD groups, and AD OUs by Domain.
    To add all endpoints that match the platform type, select Agent and enter any into the search field.
  4. Enter a comment to explain why you are granting an exception to the security policy.
  5. Save the policy exception.
    After Traps management service distributes the updated security policy to the agent at the next heartbeat communication, the next time the activity is repeated, Traps will permit the causality chain to run.
  6. Return to Exceptions > Advanced Exceptions at any time to make changes to the exception, or to disable or delete an exception if it is no longer required.

Manage Support Exceptions

Support exceptions are not configurable but are available as a tool for Palo Alto Networks to use to issue temporary amendments or changes to your specific security policy. Palo Alto Networks can issue support exceptions that change the default configuration of an internal module and other settings related to your security policy. To deliver a support exception, Support can provide a JSON file containing the configuration changes or amendments to your default policy. After receiving the support exception file, you can manually import it to Traps management service.
The Support Exceptions page displays all support exceptions issued to your Traps management service tenant. This page is typically blank unless you are actively working with Support to address a policy-related issue. When present, Traps management service displays the Name of the support exception, the Profile Type changed by the support exception, any Endpoints to which the support exception applies, the creation time, and any administrative comments logged for the exception.
After Palo Alto Networks issues your tenant a support exception, you can assign it to one or more hosts.
  1. Delete or disable any exceptions you defined that will conflict with the support exception.
    Administrator-defined exceptions take precedence over support exceptions.
  2. Select Exceptions > Support Exceptions.
  3. Import the support exception that you received from Support.
    1. Select Actions > Import Support Exception.
    2. Select the JSON file you want to import and then Upload it.
  4. Select the Name of the support exception.
  5. To enable the support exception, add (+) the Hosts to which the exception applies.
    You can apply the exception by endpoint hostname (Agent), endpoint Group, AD OU (organizational unit), or AD Group. In the case of mixed groups or OUs containing endpoints and users, the exception will apply only to endpoints that match the platform type specified in the exception.
    To narrow the results, begin typing in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter agents, AD groups, and AD OUs by Domain.
    To add all endpoints that match the platform type, select Agent and enter any into the search field.
    Use the any option with caution and instead consider assigning a different security profile to your policy rule if the applied security policy does not meet your needs.
  6. Enter an administrative comment that explains the purpose of the support exception or provides any additional details.
  7. Save the policy exception.
    Traps management service issues the policy exception to the host at the next heartbeat communication.
  8. After you are done with the support exception, you can temporarily disable it or permanently delete it.
    Select the support exception and perform the desired action.
