Add Whitelist (Application Control) rules

Whitelist rules define the list of applications and processes that are allowed to run or spawn on a host. Whitelisted applications and processes are the desired, known-good applications and processes required for the normal functioning of the host and its user. You can set the rules to run in Monitor mode (non-whitelisted applications and processes are allowed to run, but violations are reported) or in Enforce mode (non-whitelisted applications and processes are blocked, killed, or not allowed to spawn).


Scope and controls

The scopes at which Whitelist rules can be defined, and the controls available for each rule, are listed below.

Scope

  • Directory - all the applications and processes in the directory

  • Path - the absolute path of the application or process

  • File Name - a specific application or process

  • MD5s - specific MD5s of the application, or of the applications in the directory

  • Command lines - specific command lines from the application, or from the applications in the directory

Controls

  • Allow all Child Processes - allow child processes to run/spawn from the scope of the rule.

  • Status - make the rule Active or Paused, and run the rule in Monitor mode or Enforce mode (with alerts).

  • Policy settings - in the Policy settings of a policy, make the Whitelist setting Active and set it to Monitor or Enforce mode. Pause the rules when you don't want to use them.


Whitelist alerts

Alerts for Whitelist rule violations are reported in the Whitelist Alert category on the Alerts pages. Rule violations are detected when processes run outside the Whitelisted scopes set for the rules. Whitelist alerts can also be filtered by the specific reasons for the alerts (Alert Reason filter).  

Whitelist alerts suppressed from the Summary alert page are listed in the Suppressed Alerts tab of the policy.


Before you begin

In an Xprotect policy (applies to both Host policy and User policy), Whitelist rules can co-exist with Blacklist, Rule Rings, and File Protect rules. For a policy containing multiple types of rules, the overall behavior of the policy depends on Xprotect's intelligent 'order of processing for multiple types of rules in a policy'.

For example, if an enforced Whitelist rule and an enforced Blacklist rule exist in a policy at the same scope, the Blacklist rule is 'dominant', and the applications and processes in the entire scope are blocked/killed. 
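To make the scope matching, Monitor/Enforce behaviour and Blacklist dominance described above concrete, here is an added illustrative model of how a rule set resolves a process event. It is not Xprotect's implementation: the rule and event fields, the exact precedence order, and the child-process handling are simplifying assumptions, and the sample MD5 values are placeholders.

```python
import os
from dataclasses import dataclass, field

@dataclass
class Rule:
    kind: str                      # "whitelist" or "blacklist" (assumed model)
    scope: str                     # "directory", "path", "filename" or "md5"
    value: str
    md5s: set = field(default_factory=set)       # optional MD5 narrowing
    cmdlines: set = field(default_factory=set)   # optional command-line narrowing
    allow_children: bool = False                 # "Allow all Child Processes"

@dataclass
class Event:
    path: str
    md5: str
    cmdline: str
    parent: "Event" = None

def in_scope(rule, ev):
    """True when a process event falls inside the rule's scope."""
    if rule.scope == "directory":
        hit = os.path.dirname(ev.path) == rule.value
    elif rule.scope == "path":
        hit = ev.path == rule.value
    elif rule.scope == "filename":
        hit = os.path.basename(ev.path) == rule.value
    else:                                         # "md5"
        hit = ev.md5 == rule.value
    if rule.md5s and ev.md5 not in rule.md5s:     # MD5 list narrows the scope
        hit = False
    if rule.cmdlines and ev.cmdline not in rule.cmdlines:
        hit = False
    return hit

def decide(rules, ev, policy_mode="enforce"):
    """Return 'allow', 'report' (Monitor-mode violation) or 'block'."""
    # A Blacklist rule covering the event is dominant over any Whitelist rule.
    if any(r.kind == "blacklist" and in_scope(r, ev) for r in rules):
        return "block"
    for r in (r for r in rules if r.kind == "whitelist"):
        if in_scope(r, ev) or (r.allow_children and ev.parent and in_scope(r, ev.parent)):
            return "allow"
    # Not whitelisted: Enforce blocks, Monitor only reports the violation.
    return "block" if policy_mode == "enforce" else "report"

# Constructed sample policy: whitelist one directory (children allowed) and
# blacklist a single tool inside it. MD5s used in events are placeholders.
RULES = [Rule("whitelist", "directory", "/opt/app", allow_children=True),
         Rule("blacklist", "path", "/opt/app/debug-tool")]
```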


Add Whitelist rules

You can add Whitelist rules directly to a policy or convert an alert to a rule and add it to a policy (from the Alerts page).


Directly add rules to a policy

The following steps assume that you are adding Whitelist rules to an existing policy. The steps are similar when you create a standalone Whitelist policy or add Whitelist rules while creating a new policy.

  1. Go to Policies and open Host policies or User policies.

  2. Click the 3-dot menu of a policy and click View and Edit Policy.

  3. Click Application Control.

  4. Click Add Rule Stack to add a new rule stack or go to an existing rule stack and click Add Rule.

  5. Select the scope of the Whitelist rule (Directory, Path, File Name, or MD5) and enter the details.

  6. Select Whitelist.

  7. (Optional) Enter one or more MD5s and/or command lines that must be Whitelisted.

  8. (Optional) Click the 3-dot menu of the rule and set the controls for the rule.

  9. Click Save.

    When you save a rule, the policy is saved automatically with the new rule.

  10. Add more rules.

  11. When you are ready to push the policy, push it to the hosts from the Policies page. See Push policies to hosts for more details.


Convert alerts to rules and add them to a policy

You can also convert Whitelist alerts to Whitelist rules and add them to a policy. This can save considerable time with whitelisting necessary applications and processes. See Add Whitelist alerts as Whitelist rules to policies for more details.


Multiple MD5s and command lines in a rule

  • Add multiple MD5s to Whitelist multiple MD5s of an application or Whitelist MD5s of multiple applications located in a directory. 

  • Add multiple command lines to Whitelist commands run from an application or multiple applications located in a directory.


Rule violations on hosts

With Whitelist rules enforced on a host, if non-whitelisted applications and processes try to run, you will see an 'access denied', 'insufficient privileges', or an equivalent message. 


Edit or move Whitelist rules

Whitelist rules can be edited or moved across stacks of the policy for better organization. When rules are edited or deleted, you must push the policy to the hosts. 

  • For a more focused view of rules, filter the rules by their attributes. Click the Filters icon, select the rule attributes, and click Apply. Rule attributes include Rule Type, Status (Active and Paused), and Rule Behavior (Use Policy settings control, Monitor mode, and Enforce mode).

  • To push a policy after the rules are changed, click the Push Policy icon and push the policy to the hosts. 

  • To delete rules across the current policy and other policies in which the exact rule exists, click the 3-dot menu of the rule and click Delete Rule or Delete from Policies. When rules are deleted from multiple selected policies, click Immediately Push Policy Update to remove the rule from all relevant hosts.


Disable Whitelist rules

Whitelist rules can be disabled selectively (at the rule level) or at the policy level.

  • To disable all Whitelist rules in a policy, go to Policy Settings, pause Whitelist, click Save, and push the policy to the hosts.

  • To disable Whitelist rules selectively, you must locate the rules in your policy and Pause them. Save the policy and push it to the hosts. 

    Click the 3-dot menu of the policy, click View and Edit Policy, go to the rule, and set the Status of the rule to Paused.


Next steps

  • Change AutoTrust settings - AutoTrust can help you regulate application and process behavior for applications and processes that are not yet part of the rules in the policy. AutoTrust settings are set by the level of risk associated with the applications and processes. See AutoTrust settings for policies for more details. 

  • Push the policy - all the changes you make to the Whitelist rules and Policy settings require that you push the policy again to the hosts for the changes to take effect. 

    Active policies that are edited and not yet pushed display an orange exclamation mark in the Status column on the Policies page. See Push policies to hosts for more details.

  • Verify Whitelist changes - Audit logs are generated when you add or delete Whitelist rules. Go to the Audit Logs page and filter the page by the relevant Audit Actions. See Audit logs for more details.
