How to Whitelist Files Based on File Group

Release Time
11/19/2017
Category
Security Sub-System

ITSM supports exclusions based on file groups: add multiple file paths to a group, then reference that group in your rules. You can add as many rules as needed to exclude applications from Containment, HIPS, Antivirus and Firewall.

I) Containment Exclusion:

Step 1: Log in to ITSM:

  • Go to Setting → System Templates → File group variables.
  • Enter a new file group name, for example "System Application". Note: Creating a 'File Group' allows you to create a ruleset for specified files or folders.
  • The new group will be added successfully.

Step 2: Add multiple file paths to the created file group.

Step 3: Select the profile associated with the device or group that requires the exclusion.

  • For example: "Windows Profile for ITSM 6.5" is associated with device DESKTOP-175E2UI.
  • Note: Make sure that a device or group is associated with only one profile; if multiple profiles with containment sections are associated with a device, the rules will be overridden and the exclusion may not work as you expected.
  • Go to Profile → Open the profile associated with the device → Containment.

Step 4: Add an exclusion rule to the Containment.

  • Click Add Rule → In the dialog box, click Edit → Set Type to File Group and Target to the name of the created file group.
  • Select your file, then drag and drop it below the default rules.

 

Note:

  • The custom rule should be placed below the default rules to ensure protection, because rules are prioritized from the top of the list to the bottom.

Step 5: Wait 5 minutes for the profile changes to be reflected on the endpoint.

  • Because the file group with multiple paths has been added to the profile, an application from those paths will not run inside containment when it is executed. You can observe the results in the ITSM interface within a few minutes.
  • To observe the changes in ITSM, go to Security Sub Systems → Application Control. The changes applied through the containment policy are shown there.

II) HIPS Exclusion:

Step 1: Log in to ITSM:

  • Go to Setting → System Templates → File group variables.
  • Enter a new file group name, for example "HIPS Exclusion". Note: Creating a 'File Group' allows you to create a HIPS ruleset for specified files or folders.
  • The new group will be added successfully.

Step 2: Add multiple file paths to the created file group.

Step 3: Select the profile associated with the device or group that requires the exclusion.

  • For example: "[cloned]Windows Profile for ITSM 6.10" is associated with device DESKTOP-175E2UI.
  • Note: Make sure that a device or group is associated with only one profile; if multiple profiles with containment sections are associated with a device, the rules will be overridden and the exclusion may not work as you expected.
  • Go to Profile → Open the profile associated with the device → HIPS.

 

Step 4: Select HIPS → HIPS Settings → Select Enable HIPS → Select "Safe mode".

Step 5: Add an exclusion rule to the Containment.

i. Click Add Rule → Select the created file group as the group to use → Set "use ruleset" or "custom ruleset" to specify the following access rights:

  • Allowed application
  • Windows system application
  • Isolated application
  • Limited application

ii. You can also change the action for the different access rights.

iii. Select your file, then drag and drop it to the top of the list.

Step 6: Wait 5 minutes for the profile changes to be reflected on the endpoint.

 

III) Firewall Exclusion:

Step 1: Log in to ITSM:

  • Go to Setting → System Templates → File group variables.
  • Enter a new file group name, for example "Firewall Exclusion". Note: Creating a 'File Group' allows you to create a firewall ruleset for specified files or folders.
  • The new group will be added successfully.

Step 2: Add multiple file paths to the created file group.

Step 3: Select the profile associated with the device or group that requires the exclusion.

  • For example: "[cloned]Optimum Windows Profile for ITSM 6.10" is associated with device DESKTOP-175E2UI.
  • Note: Make sure that a device or group is associated with only one profile; if multiple profiles with containment sections are associated with a device, the rules will be overridden and the exclusion may not work as you expected.
  • Go to Profile → Open the profile associated with the device → Firewall → Firewall Settings → Select Enable Firewall → Select "Safe mode".

Step 4:

i) Select Application Rules → Browse to the created file group → Select "use ruleset" or "use a custom ruleset".

ii) Select the action (allow, block, ask) → Enable the option "log as firewall event if this rule is fired".

Step 5: Select your file, then drag and drop it to the top of the list.

Step 6: Wait 5 minutes for the profile changes on the endpoint to be reflected in the view logs.

 

IV) Antivirus Exclusion:

Step 1: Log in to ITSM:

  • Go to Setting → System Templates → File group variables.
  • Enter a new file group name, for example "Antivirus Exclusion". Note: Creating a 'File Group' allows you to create an Antivirus ruleset for specified files or folders.
  • The new group will be added successfully.

Step 2: Add multiple file paths to the created file group.

Step 3: Select the profile associated with the device or group that requires the exclusion.

  • For example: "Optimum Windows Profile for ITSM 6.10" is associated with device DESKTOP-175E2UI.
  • Note: Make sure that a device or group is associated with only one profile; if multiple profiles with containment sections are associated with a device, the rules will be overridden and the exclusion may not work as you expected.
  • Go to Profile → Open the profile associated with the device → Antivirus.

Step 4: Select Realtime Scan → Enable Realtime Scan.

Step 5: Select Scans → Add a scan profile or select a default scan (Full scan, quick scan, unrecognized files scanning).

Step 6: Select Exclusion → Execution path → Add the excluded path.

Step 7: Select Exclusion → Excluded Application → Add the excluded application's path.

Step 8: Select Exclusion → Excluded group → Add the excluded group.

Step 9: Wait 5 minutes for the profile changes on the endpoint to be reflected in the view logs.
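
The following Python check is an added example, not part of the original article or of ITSM. It audits the paths intended for a file group (Step 2 in each section above) before the group is used in an exclusion, because every path in the group is exempted from Containment, HIPS, Firewall or Antivirus rules. The wildcard and %VAR% syntax, the list of user-writable locations and the sample entries are assumptions.

```python
from pathlib import PureWindowsPath

# Assumption (not from ITSM): locations a standard user can normally write to.
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\",
                 "%temp%", "%tmp%", "%appdata%", "%localappdata%",
                 "%public%", "%userprofile%")


def audit_entry(entry):
    """Return the list of findings for one file-group path entry."""
    norm = entry.strip().replace("/", "\\").lower()
    path = PureWindowsPath(norm)
    findings = []
    if not path.drive and not norm.startswith("%"):
        findings.append("relative")        # would match in any directory
    if any(frag in norm + "\\" for frag in USER_WRITABLE):
        findings.append("user-writable")   # any file dropped here inherits the exclusion
    if "*" in norm or "?" in norm:
        findings.append("wildcard")
        # Count the fixed directories that precede the first wildcard component.
        parts = path.parts[1:] if path.anchor else path.parts
        fixed = []
        for part in parts:
            if "*" in part or "?" in part:
                break
            fixed.append(part)
        if len(fixed) < 2:
            findings.append("broad")       # e.g. c:\* or c:\users\*
    return findings


def audit_group(entries):
    """Map each flagged entry to its findings; clean entries are omitted."""
    return {e: f for e in entries if (f := audit_entry(e))}


# Constructed sample entries for a file group such as "System Application".
SAMPLE_GROUP = [
    r"C:\Program Files\Vendor\App\app.exe",
    r"C:\Users\Public\tools\*",
    r"%TEMP%\*.exe",
    r"C:\*",
    "updater.exe",
]

if __name__ == "__main__":
    for entry, findings in audit_group(SAMPLE_GROUP).items():
        print(f"{entry}: {', '.join(findings)}")
```

Entries that come back with no findings are full paths to a single file in a location that standard users cannot modify; flagged entries are worth narrowing before the group is attached to a profile.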