Add a New Exploit Security Profile

Exploit security profiles allow you to configure the action Traps takes when attempts to exploit software vulnerabilities or flaws occur. To protect against specific exploit techniques, you can customize exploit protection capabilities in each Exploit security profile.
By default, the Traps agent will receive the default profile that contains a pre-defined configuration for each exploit capability supported by the platform. To fine-tune your Exploit security policy, you can override the configuration of each capability to block the exploit behavior, allow the behavior but report it, or disable the module.
To define an Exploit security profile:
  1. Add a new profile.
    To create an installation package or manage security profiles after February 26, 2019, you must first change the default uninstall password to a new password which meets Traps management service security standards. You must do this even if you previously set a password. After you set an uninstall password, you will not receive additional notifications. To later change the uninstall password, create an Agent Settings Profile that you can assign to a policy rule.
    1. From Traps management service, select SecurityProfiles.
    2. Select the operating system type to which the profile applies.
    3. CreateExploit Profile.
      profiles-exploit.png
      The Traps management service displays the security capabilities supported for the platform you selected.
  2. Define the basic settings.
    1. Enter a unique Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. Configure the action to take when Traps detects an attempt to exploit each type of software flaw.
    For details on the different exploit protection capabilities, see Protection Capabilities.
    • Block—Block the exploit attack.
    • Report—Allow the exploit activity but report it to Traps management service.
    • Disabled—Disable the module and do not analyze or report exploit attempts.
    • Default—Use the default configuration to determine the action to take. Traps management service displays the current default configuration for each capability in parenthesis. For example, Default (Block).
    To view which processes are protected by each capability, expand Protected Processes. To drill down or locate a specific process, use the search or tab through the results.
    For Logical Exploits Protection, you can also configure a blacklist for the DLL Hijacking module. The blacklist enables you to block specific DLLs when run by a protected process. The DLL folder or file must include the complete path. To complete the path, you can use environment variables or the asterisk (*) as a wildcard to match any string of characters (for example, */windows32/).
    For Exploit Protection for Additional Processes, you also add one or more additional processes.
  4. Save the changes to your profile.
  5. Assign the profile to a policy rule (see Configure a Policy Rule).

Related Documentation