What can I do here?
Use this window to create exceptions to the Threat Prevention policy.
Getting Here - Security Policies> Threat Prevention > Exceptions |
If necessary, you can add an exception directly to a rule. An exception sets a different Action to an object in the Protected Scope from the Action specified Threat Prevention rule. In general, exceptions are designed to give you the option to reduce the level of enforcement of a specific protection and not to increase it. For example: The Research and Development (R&D) network protections are included in a profile with the Prevent action. You can define an exception which sets the specific R&D network to Detect. For some Anti-Bot and IPS signatures only, you can define exceptions which are stricter than the profile action.
You can add one or more exceptions to a rule. The exception is added as a shaded row below the rule in the Rule Base. It is identified in the No. column with the rule's number plus the letter E and a digit that represents the exception number. For example, if you add two exceptions to rule number 1, two lines will be added and show in the Rule Base as E-1.1 and E-1.2.
You can use exception groups to group exceptions that you want to use in more than one rule. See the Exceptions Groups Pane.
You can expand or collapse the rule exceptions by clicking on the minus or plus sign next to the rule number in the No. column.
To add an exception to a rule:
Note - You cannot set an exception rule to an inactive protection or an inactive blade.
Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on windows servers. How can I change this protection to detect for one server only?
In this example, create this Threat Prevention rule, and install the Threat Prevention policy:
Name |
Protected Scope |
Protection/Site |
Action |
Track |
Install On |
---|---|---|---|---|---|
Monitor Bot Activity |
|
|
A profile based on the Optimized profile. Edit this profile > go to the General Policy pane> in the Activation Mode section, set every Confidence to Prevent. |
Log |
Policy Targets |
Exclude |
Server_1 |
|
Detect |
Log |
Server_1 |
To add an exception to a rule:
Note - To add EICAR files as exceptions, you must add them as Whitelist Files. When you add EICAR files through Exceptions in Policy rules, the gateway still blocks them, if archive scanning is enabled.
You can also configure an exception for an entire blade.
To configure a blade exception:
In some cases, after evaluating a log or an event in the Logs & Monitor view, it may be necessary to update a rule exception in the SmartConsole Rule Base. You can do this directly from within the Logs & Monitor view. You can apply the exception to a specified rule or apply the exception to all rules that show under Global Exceptions.
To update a rule exception or global exception from a log: