Create a Policy Exception

In some cases, you may need to override the applied security policy to change whether Traps allows a process or file to run on an endpoint. To override the security policy, you can configure any of the following types of policy exceptions:
  • Create a Process Exception—Allow processes blocked by an exploit security module to run on an endpoint. You can also disable all exploit protection modules for a process.
  • Create a Hash Exception—Explicitly define a verdict for a file (Benign or Malware). Traps management service distributes the verdict to all Traps agents that attempt to run the file. Traps evaluates the verdict you specify for the file instead of the WildFire verdict.
  • Create a Behavioral Threat Rule Exception—Allow activity which matches Palo Alto Networks behavioral threat rules to run on an endpoint.
  • Manage Support Exceptions—Palo Alto Networks defined exceptions that can be used to temporarily address policy issues for specific customers.

Create a Process Exception

When a specific module in your exploit security profile blocks a process from running and you want to allow a process to run on one or more endpoints, configure a process exception.
You can configure a process exception to disable a specific exploit protection module on a specific process or you can configure a process exception to disable all protection modules for the process. To disable a specific exploit protection module on a specific process, you can also use a security event to populate the process exception with the necessary details such as module, process, and endpoint. See the following topics to create a process exception:
  • Create a process exception from a security event.
    To pre-populate a process exception that excludes a process from protection by a specific exploit protection module, using the details from a security event:
    1. From the Security Events dashboard on Traps management service, select the security event on which you want to base a policy exception.
    2. At the top of the details view, select Actions > Create Exception.
    3. Add (+) additional Hosts to which the exception applies, if needed.
      Add the target hosts by endpoint hostname (Agent), endpoint Group, AD OU (organizational unit), or AD Group. In the case of mixed groups or OUs containing endpoints and users, the exception applies only to endpoints that match the platform type specified in the exception.
      To narrow the results, begin typing in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter agents, AD groups, and AD OUs by Domain.
      To add all endpoints that match the platform type, select Agent and enter any into the search field.
      Use the any option with caution; instead, consider assigning a different security profile to your policy rule if the applied security policy does not meet your needs.
    4. Enter a comment to explain why you are granting an exception to the security policy.
    5. Save the policy exception.
      After Traps management service distributes the updated security policy to the agent at the next heartbeat communication, Traps permits the process to run the next time the activity is repeated.
    6. Return to Process Exceptions at any time to make changes to the exception, or to disable or delete the process exception if it is no longer required.
  • Create a process exception from scratch.
    To create a process exception that excludes a process from protection by a specific exploit protection module, without using a security event to populate the exception details:
    1. Select Security > Exceptions > Process Exceptions.
    2. Select Actions > Create Process Exception.
    3. Enter the Process Name for which you want to disable protection.
    4. Select the Platform to which the exception applies.
    5. Select the exploit protection Module that you want to disable on the process.
    6. Disable the module.
      Traps management service adds the exception to the Process Exceptions page.
    7. Apply the exception to one or more Hosts.
      Until you apply the exception to one or more hosts, the exception is active but does not apply to any endpoint.
      1. Edit the exception.
      2. Add (+) one or more target hosts to which the exception applies: endpoint hostname (Agent), endpoint Group, AD OU (organizational unit), or AD Group. In the case of mixed groups or OUs containing endpoints and users, the exception applies only to endpoints that match the platform type specified in the exception.
        To narrow the results, begin typing in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter agents, AD groups, and AD OUs by Domain.
        To add all endpoints that match the platform type, select Agent and enter any into the search field.
        Use the any option with caution; instead, consider assigning a different security profile to your policy rule if the applied security policy does not meet your needs.
    8. Save the exception.
      Traps management service sends the latest policy with the process exception to the specified endpoints at the next heartbeat communication with the Traps agent.
    9. Return to Process Exceptions at any time to make changes to the exception, or to disable or delete the process exception if it is no longer required.
  • Disable all exploit protection modules for a process.
    1. Select Security > Exceptions > Process Exceptions.
    2. Select Actions > Disable Process Protection.
    3. Enter the Process Name for which you want to disable protection.
    4. Select the Platform to which the exception applies.
    5. Disable protection modules for the process.
      Traps management service adds the exception to the Process Exceptions page and identifies the Module as Disable Process Protection.
    6. Apply the exception to one or more Hosts.
      Until you apply the exception to one or more hosts, the exception is active but does not apply to any endpoint.
      1. Edit the exception.
      2. Open (+) the endpoint search dialog.
      3. Add endpoints by the endpoint hostname.
        To narrow the list of endpoints, begin typing the name in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter the list of endpoints by Domain. To add all endpoints, type any into the search field.
        Use the any option with caution; instead, consider assigning a different security profile to your policy rule if the applied security policy does not meet your needs.
    7. Save the exception.
      Traps management service sends the latest policy with the process exception to the specified endpoints at the next heartbeat communication with the Traps agent.
    8. Return to Process Exceptions at any time to make changes to the exception, or to disable or delete the process exception if it is no longer required.
  • Disable or delete a process exception.
    If a process exception is no longer required, you can temporarily disable or permanently delete it.
    1. Return to Security > Exceptions > Process Exceptions.
      For each process, Traps management service displays the Profile Type, process name, and endpoints to which the exception applies. The page also displays the time the exception was last modified and any comments entered to describe the exception.
    2. Select the check box next to the policy exception.
    3. At the top of the Process Exceptions table, select the appropriate action to disable or delete the process exception.
      You can also perform these actions from the edit view of a process exception, or you can Disable or Delete the process exception by selecting the action from the menu that appears to the right of the comments column when you hover over the process exception.
      If you disable the exception, you can re-enable it if needed. If you delete the exception, Traps management service permanently deletes the exception and removes it from view.

Create a Hash Exception

From Security > Exceptions > Hash Exceptions, you can view all hash exceptions or search for specific hash values that override the WildFire verdict. For each file, Hash Exceptions displays the SHA256 hash, the exception verdict (set by an administrator), the WildFire verdict (for comparison), the time the exception was last modified, and any comments entered to describe the exception.
To add a new hash exception:
  • Create a hash exception for a file using the file name.
    1. Select Security > Files.
    2. Use the filters to find the file.
    3. Select the File Name to open the details view for the file.
    4. Select Create Exception.
    5. Select the Verdict for the file: Benign or Malware.
    6. Save the exception.
    7. If at any point you no longer need an exception, you can delete it from Security > Exceptions > Hash Exceptions.
  • Create a hash exception using the SHA256 hash value.
    1. Identify the hash of the file for which you want to create an exception.
      You can create a hash exception from either Security > Exceptions or Security > Files.
      From Exceptions:
      1. Select Security > Exceptions > Hash Exceptions.
      2. Click Actions > Create.
        As an alternative to defining individual hashes, you can also use the Import CSV action to import hashes and verdicts as a comma-separated values (CSV) file. Traps management service accepts a CSV file with the following fields: Verdict, Hash, Name, and FileType, where:
        • Verdict: 0 for benign or 1 for malware
        • Hash: SHA256 hash value
        • Name: name of the file
        • FileType: one of the following:
          • 0: Unknown
          • 1: PE
          • 2: Mach-O
          • 3: DLL
          • 4: Office File
          • 5: ELF
        For example: [figure: sample verdict import CSV]
      3. Enter the SHA256 hash and the corresponding verdict, Benign or Malware.
      4. Enter (+) up to four additional files (five total) and then Add them when finished.
      From the Files page:
      1. Enter the SHA256 hash and the corresponding verdict, Benign or Malware.
      2. Save the hash exception.
      Traps management service delivers the updated security policy at the next heartbeat communication with the agent. When the file next tries to run, Traps treats it according to the hash exception policy.
  • Disable or delete a hash exception:
    1. Select the type of policy exception, Hash Exceptions.
    2. (Optional) Use the SHA256 search to filter the hash exceptions by a complete hash value.
    3. Select the check box next to the hash exception and then click the edit icon.
    4. Temporarily Disable the policy exception or Delete the exception completely.
      If you select Disable, you can return to the Exceptions page at a later time to Enable the exception. If you delete the exception, Traps management service permanently deletes the exception and removes it from view.
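The Import CSV format described above, as an added example that is not Palo Alto Networks code: a pre-upload validator that checks the Verdict, Hash, Name and FileType columns against the documented codes, normalizes the hash, and rejects a hash listed with two different verdicts. It assumes a header row naming the four fields, which the page does not state, and the sample rows and hashes are constructed placeholders.

```python
import csv
import io
import re

# Field names and accepted codes as documented for the Import CSV action.
FIELDS = ("Verdict", "Hash", "Name", "FileType")
VERDICTS = {"0": "Benign", "1": "Malware"}
FILE_TYPES = {"0": "Unknown", "1": "PE", "2": "Mach-O", "3": "DLL",
              "4": "Office File", "5": "ELF"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_hash_exception_csv(text):
    """Return (accepted, errors) for a hash-exception CSV.
    Assumption (not stated on the page): the first row is a header line.
    """
    accepted, errors, seen = [], [], {}
    reader = csv.DictReader(io.StringIO(text))
    if tuple(reader.fieldnames or ()) != FIELDS:
        return [], [(1, "header must be " + ",".join(FIELDS))]
    for line_no, row in enumerate(reader, start=2):
        verdict = (row.get("Verdict") or "").strip()
        digest = (row.get("Hash") or "").strip().lower()
        ftype = (row.get("FileType") or "").strip()
        problems = []
        if verdict not in VERDICTS:
            problems.append("Verdict must be 0 (benign) or 1 (malware)")
        if not SHA256_RE.match(digest):
            problems.append("Hash must be a 64-hex-digit SHA256 value")
        if ftype not in FILE_TYPES:
            problems.append("FileType must be one of 0-5")
        # The same hash with two different verdicts is ambiguous: reject it
        # rather than let whichever row comes last silently win.
        if digest in seen and seen[digest][0] != verdict:
            problems.append("verdict conflicts with line %d" % seen[digest][1])
        if problems:
            errors.append((line_no, "; ".join(problems)))
            continue
        seen.setdefault(digest, (verdict, line_no))
        accepted.append({"hash": digest, "verdict": VERDICTS[verdict],
                         "file_type": FILE_TYPES[ftype],
                         "name": (row.get("Name") or "").strip()})
    return accepted, errors


# Constructed sample input; the hashes are placeholders, not real file hashes.
SAMPLE_CSV = "\n".join([
    ",".join(FIELDS),
    "0," + "a" * 64 + ",build-helper.exe,1",  # valid: benign PE
    "1," + "B" * 64 + ",unwanted.dll,3",      # valid: uppercase hash is normalized
    "2," + "c" * 64 + ",bad-verdict.bin,0",   # rejected: verdict out of range
    "0,deadbeef,truncated-hash.exe,1",        # rejected: not a SHA256
    "1," + "a" * 64 + ",build-helper.exe,1",  # rejected: conflicts with line 2
]) + "\n"
```

Run the validator over a file before using Import CSV so that a malformed or self-contradicting row is caught on your side rather than silently applied as a verdict override.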

Create a Behavioral Threat Rule Exception

If a behavioral threat rule blocks a causality chain (a sequence of events) that you think is legitimate, you can create a behavioral threat rule exception. This disables the rule for all causality chains that match the rule.
To create an exception from a behavioral threat rule:
  1. From the Security > Security Events dashboard on Traps management service, select the behavioral threat event on which you want to base a policy exception.
  2. At the top of the details view, select Actions > Create Exception.
  3. Add (+) additional Hosts to which the exception applies, if needed.
    Add the target hosts by endpoint hostname (Agent), endpoint Group, AD OU (organizational unit), or AD Group. In the case of mixed groups or OUs containing endpoints and users, the exception applies only to endpoints that match the platform type specified in the exception.
    To narrow the results, begin typing in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter agents, AD groups, and AD OUs by Domain.
    To add all endpoints that match the platform type, select Agent and enter any into the search field.
  4. Enter a comment to explain why you are granting an exception to the security policy.
  5. Save the policy exception.
    After Traps management service distributes the updated security policy to the agent at the next heartbeat communication, Traps permits the causality chain to run the next time the activity is repeated.
  6. Go to Security > Exceptions > Advanced Exceptions at any time to make changes to the exception, or to disable or delete an exception if it is no longer required.

Manage Support Exceptions

Support exceptions are not configurable but are available as a tool for Palo Alto Networks to use to issue temporary amendments or changes to your specific security policy. Palo Alto Networks can issue support exceptions that change the default configuration of an internal module and other settings related to your security policy. To deliver a support exception, Support can provide a JSON file containing the configuration changes or amendments to your default policy. After receiving the support exception file, you can manually import it to Traps management service.
The Support Exceptions page displays all support exceptions issued to your Traps management service tenant. This page is typically blank unless you are actively working with Support to address a policy-related issue. When present, Traps management service displays the Name of the support exception, the Profile Type changed by the support exception, any Endpoints to which the support exception applies, the creation time, and any administrative comments logged for the exception.
After Palo Alto Networks issues your tenant a support exception, you can assign it to one or more hosts.
  1. Delete or disable any exceptions you defined that will conflict with the support exception.
    Administrator-defined exceptions take precedence over support exceptions.
  2. Select Security > Exceptions > Support Exceptions.
  3. Import the support exception that you received from Support.
    1. Select Actions > Import Support Exception.
    2. Select the JSON file you want to import and then Upload it.
  4. Select the Name of the support exception.
  5. To enable the support exception, add (+) the Hosts to which the exception applies.
    You can apply the exception by endpoint hostname (Agent), endpoint Group, AD OU (organizational unit), or AD Group. In the case of mixed groups or OUs containing endpoints and users, the exception applies only to endpoints that match the platform type specified in the exception.
    To narrow the results, begin typing in the search field. Traps management service provides autocompletion as you type. In a multi-domain environment, you can also filter agents, AD groups, and AD OUs by Domain.
    To add all endpoints that match the platform type, select Agent and enter any into the search field.
    Use the any option with caution; instead, consider assigning a different security profile to your policy rule if the applied security policy does not meet your needs.
  6. Enter an administrative comment that explains the purpose of the support exception or provides any additional details.
  7. Save the policy exception.
    Traps management service issues the policy exception to the host at the next heartbeat communication.
  8. After you are done with the support exception, you can temporarily disable it or permanently delete it.
    Select the support exception and perform the desired action.
