Exceptions

What can I do here?

Use this window to create exceptions to the Threat Prevention policy.

Getting Here

Getting Here - Security Policies > Threat Prevention > Exceptions

Exception Rules

If necessary, you can add an exception directly to a rule. An exception sets a different Action for an object in the Protected Scope from the Action specified in the Threat Prevention rule. In general, exceptions are designed to give you the option to reduce the level of enforcement of a specific protection and not to increase it. For example: The Research and Development (R&D) network protections are included in a profile with the Prevent action. You can define an exception which sets the specific R&D network to Detect. For some Anti-Bot and IPS signatures only, you can define exceptions which are stricter than the profile action.

You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule Base. It is identified in the No. column with the rule's number plus the letter E and a digit that represents the exception number. For example, if you add two exceptions to rule number 1, two lines will be added and show in the Rule Base as E-1.1 and E-1.2.

You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.

You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the No. column.

To add an exception to a rule:

  1. In the Policy pane, select the rule to which you want to add an exception.
  2. Click Add Exception.
  3. Select the Above, Below, or Bottom option according to where you want to place the exception.
  4. Enter values for the columns, including these:
    • Protected Scope - Change it to reflect the relevant objects.
    • Protection - Click the plus sign in the cell to open the Protections viewer. Select the protection(s) and click OK.
  5. Install Policy.

Note - You cannot set an exception rule to an inactive protection or an inactive blade.

Disabling a Protection on One Server

Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on Windows servers. How can I change this protection to Detect for one server only?

In this example, create this Threat Prevention rule, and install the Threat Prevention policy:

| Name | Protected Scope | Protection/Site | Action | Track | Install On |
|---|---|---|---|---|---|
| Monitor Bot Activity | * Any | - N/A | A profile based on the Optimized profile. Edit this profile > go to the General Policy pane > in the Activation Mode section, set every Confidence to Prevent. | Log | Policy Targets |
| Exclude | Server_1 | Backdoor.Win32.Agent.AH | Detect | Log | Server_1 |

To add an exception to a rule:

  1. In SmartConsole, click Threat Prevention > Policy > Layer.
  2. Click the rule that contains the scope of Server_1.
  3. Click the Add Exception toolbar button to add the exception to the rule. The gateway applies the first exception matched.
  4. Right-click the rule and select New Exception.
  5. Configure these settings:
    • Name - Give the exception a name such as Exclude.
    • Protected Scope - Change it to Server_1 so that it applies to all detections on the server.
    • Protection/Site - Click + in the cell. From the drop-down menu, click the category and select one or more of the items to exclude.

      Note - To add EICAR files as exceptions, you must add them as Whitelist Files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them, if archive scanning is enabled.

    • Action - Keep it as Detect.
    • Track - Keep it as Log.
    • Install On - Keep it as Policy Targets or select specified gateways to install the rule on.
  6. Install Policy.
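
The scenario above as a small model of how an exception overrides the rule's action, added here as an illustration and not Check Point code or its API. It shows the E-numbering and the first-match behavior; it assumes simplified matching (exact object name or Any), that the rule is number 1, and uses the constructed name Server_2.

```python
from dataclasses import dataclass, field

ANY = "*Any"  # wildcard used in this model for scope or protection

@dataclass
class ExceptionRule:
    name: str
    scope: str        # Protected Scope: an object name or ANY
    protection: str   # Protection/Site: a protection name or ANY
    action: str       # action applied instead of the profile's, e.g. "Detect"

@dataclass
class ThreatRule:
    number: int
    name: str
    scope: str                     # kept for reference; traffic is assumed to match the rule
    profile_action: str            # action the rule's profile enforces
    exceptions: list = field(default_factory=list)

def labelled(rule):
    """Pair each exception with its Rule Base label: E-<rule>.<n>."""
    return [(f"E-{rule.number}.{i}", exc)
            for i, exc in enumerate(rule.exceptions, start=1)]

def effective_action(rule, host, protection):
    """Return (action, source); the first matching exception wins."""
    for label, exc in labelled(rule):
        if exc.scope in (ANY, host) and exc.protection in (ANY, protection):
            return exc.action, label
    return rule.profile_action, f"rule {rule.number}"

def broad_exceptions(rule):
    """Audit helper: exceptions not pinned to one scope and one protection."""
    return [label for label, exc in labelled(rule)
            if ANY in (exc.scope, exc.protection)]

# Constructed sample mirroring the scenario's rule and exception (rule number 1 is assumed).
RULE = ThreatRule(1, "Monitor Bot Activity", ANY, "Prevent", [
    ExceptionRule("Exclude", "Server_1", "Backdoor.Win32.Agent.AH", "Detect"),
])

if __name__ == "__main__":
    for host in ("Server_1", "Server_2"):   # Server_2 is a constructed name
        print(host, effective_action(RULE, host, "Backdoor.Win32.Agent.AH"))
    print("broad exceptions:", broad_exceptions(RULE))
```

Only Server_1 with this one protection drops to Detect; every other combination keeps the profile's Prevent action, and the audit helper reports nothing because the exception is pinned to a single object and a single protection.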

Blade Exceptions

You can also configure an exception for an entire blade.

To configure a blade exception:

  1. In the Policy, select the Layer rule to which you want to add an exception.
  2. Click Add Exception.
  3. Select the Above, Below, or Bottom option according to where you want to place the exception.
  4. In the Protection/Site column, select Blades from the drop-down menu.
  5. Select the blade you want to exclude.
  6. Install Policy.

Creating Exceptions from Logs or Events

In some cases, after evaluating a log or an event in the Logs & Monitor view, it may be necessary to update a rule exception in the SmartConsole Rule Base. You can do this directly from within the Logs & Monitor view. You can apply the exception to a specified rule or apply the exception to all rules that show under Global Exceptions.

To update a rule exception or global exception from a log:

  1. Click Logs & Monitor > Logs tab.
  2. Right-click the log and select Add Exception.
  3. Configure the settings for the exception.
  4. Click OK.
  5. In the New Exception Rule window:
    • To show the exception in the policy, click Go to
    • Otherwise, click Close
  6. Install Policy.