
How to configure a profile so CCS will ignore local trust ratings (verdicts)

Release Time
02/27/2018
Category
profiles

  • A file rating determines how Xcitium Client Security (CCS) interacts with a file.
     
    • 'Trusted' files are safe and are allowed to run normally.
       
    • 'Untrusted' files are malware, so they get quarantined or deleted.
       
    • 'Unknown' files are run in the container until they are classified as trusted or untrusted.
       
  • File ratings can be set by two entities:
     
    • Xcitium - CCS automatically checks the reputation of files on Xcitium's file lookup service (FLS). The FLS contains the very latest trust verdicts from Xcitium’s master blacklists and whitelists.
    • Local - Local trust verdicts are set by users or admins and are stored in CCS on the endpoint. For example, a user can assign a trust level to a file when answering an alert. Alternatively, an admin can assign a local rating in Endpoint Manager (‘Security Sub-systems’ > ‘Application Control’ > ‘Change Rating’).
       
  • Should you wish, you can specify that your endpoints only use ‘Xcitium’ ratings and ignore any local ratings.

Disable the Local Verdict Server in a profile

  • Open Endpoint Manager
  • Click ‘Configuration Templates’ > ‘Profiles’
  • Click the name of the profile you want to edit OR click ‘Create’ to make a new profile
  • Click the ‘File Rating’ tab
    • Click ‘Add Profile Section’ > ‘File Rating’ if you have not yet added the section.

  • Click ‘File Rating’ > ‘Local Verdict Server Settings’ in the file rating section.
     

  • Enable Local Verdict Server:
    • Enabled - CCS will obey the local trust verdict on a file in the event of a conflict with Xcitium’s verdict.
       
    • Disabled - CCS will ignore local verdicts and only use Xcitium verdicts to determine the trust level of a file.
  • Clear the ‘Enable Local Verdict Server’ box to disable local verdicts.
     
  • Click ‘Save’

    Xcitium Client Security will now disregard any local file ratings and will only use Xcitium ratings when deciding how to handle a file.
     
  • You can test the interaction between Xcitium and local ratings per file in ‘Security Sub-systems’ > ‘Application Control’:

  • The example above shows an admin applying a malicious rating to a file, even though the Xcitium rating is ‘Trusted’. CCS will ignore the admin rating if you have disabled the local verdict server as explained earlier.
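
Before clearing the box on a production profile, it helps to know which files will be handled differently afterwards. The script below is an added example, not Xcitium code: it applies the precedence rule described above to a constructed inventory and lists the files whose handling changes. The CSV column layout, the sample paths and the function names are assumptions made for illustration.

```python
import csv
import io

# Handling per rating, as described on this page.
ACTIONS = {
    "trusted": "run normally",
    "untrusted": "quarantine or delete",
    "unknown": "run in container",
}

# Constructed sample inventory; the column layout is hypothetical and is not
# an Endpoint Manager export format. An empty local_rating means none was set.
SAMPLE_CSV = """file,xcitium_rating,local_rating
C:\\Tools\\backup_agent.exe,unknown,trusted
C:\\Users\\alice\\Downloads\\setup_helper.exe,trusted,untrusted
C:\\Program Files\\Editor\\editor.exe,trusted,
C:\\Temp\\updater.exe,untrusted,trusted
C:\\Apps\\report.exe,trusted,trusted
"""


def effective_rating(xcitium, local, local_verdicts_enabled):
    """Rating CCS acts on: the local verdict wins a conflict only while
    'Enable Local Verdict Server' is ticked; otherwise only Xcitium's counts."""
    if local_verdicts_enabled and local:
        return local
    return xcitium


def impact_of_disabling(csv_text):
    """Return rows whose handling changes once local verdicts are ignored."""
    changes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        xcitium = row["xcitium_rating"].strip().lower()
        local = row["local_rating"].strip().lower()
        before = effective_rating(xcitium, local, True)
        after = effective_rating(xcitium, local, False)
        if before != after:
            changes.append((row["file"], ACTIONS[before], ACTIONS[after]))
    return changes


if __name__ == "__main__":
    for path, before, after in impact_of_disabling(SAMPLE_CSV):
        print(f"{path}: {before} -> {after}")
```

Rows that move from ‘quarantine or delete’ to ‘run normally’ are the ones to review first, since a local block on those files stops applying once the setting is disabled.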