Policy settings

Policy settings for an Xprotect Host policy help you activate or deactivate the rules in the policy, and other security and operational features globally, for all hosts that use the policy. Using different sets of Policy settings (for different policies) can help you focus on the type of process behavior that you want to allow, monitor, or block on specific groups of hosts.

User policies inherit the Policy settings of the Host policy enforced on the hosts.

See Policy settings for a Host policy

For the new Host policies you create on your instance, the default Policy settings are similar to those of the Out-of-the-box policies (Default policies). See Out-of-the-box Xprotect policies for more details about Default policies.

  1. Go to Policies.

  2. Click the 3-dot menu of the policy and click View and Edit Policy.

  3. Click the Policy Settings icon (on the top-right corner of the page).

    You will see the General and Advanced settings for the policy.


General settings

The General settings for a Host policy determine the following: 

  • Whether the Application Control rules and the File Protect rules in the policy must be processed in the Monitor mode or the Enforce mode, and how rule violations must be handled 

  • Whether the policy must use the AutoTrust settings and how trust violations must be handled

  • If USB Protect is enabled on the hosts 

Settings and their controls

Whitelist

  • Active/Paused - turns Green when Active and Grey when Paused.

    When set to Active, Whitelist rules are processed according to the other controls for this setting. 

    When Paused, Whitelist rules are not processed. 

  • Monitor - select this to only monitor the processes that are not part of the Whitelist rules and not block or kill them.

    By design, alerts are generated. 

  • Enforce - select this to block or kill the processes that are not part of the Whitelist rules.

    You can choose whether to get alerts when processes are killed or blocked.

  • Log Alert - select this to see alerts on the Alerts page when enforced Whitelist rules are violated.

    In the Monitor mode, alerts are always logged, and this option is disabled.

See Add Whitelist (Application Control) rules for more details.

Blacklist

  • Active/Paused - turns Green when Active and Grey when Paused.

    When set to Active, Blacklist rules are processed according to the other controls for this setting. 

    When Paused, Blacklist rules are not processed. 

  • Monitor - select this to only monitor the processes that are part of the Blacklist rules and not block or kill them.

    By design, alerts are generated. 

  • Enforce - select this to block or kill the processes that are part of the Blacklist rules.

    You can choose whether to get alerts when processes are killed or blocked.

  • Log Alert - select this to see alerts on the Alerts page when enforced Blacklist rules are violated.

    In the Monitor mode, alerts are always logged, and this option is disabled.

See Add Blacklist (Application Control) rules for more details.
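The Whitelist and Blacklist controls above combine in a way that is easy to misread (Monitor always alerts; Enforce alerts only when Log Alert is selected; Paused lists are skipped entirely). The following is an added example, not Xprotect's own code, that models those rules as a small decision function so the outcome for a given process can be checked. The data classes, the rule sets and the assumption that both lists are evaluated independently (with a block from either list winning) are this example's, not the product's.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List


class Mode(Enum):
    MONITOR = "monitor"  # only observe; never block or kill
    ENFORCE = "enforce"  # block or kill on violation


@dataclass(frozen=True)
class ListSetting:
    """Hypothetical model of one Application Control setting's controls."""
    active: bool            # Active (True) / Paused (False)
    mode: Mode              # Monitor or Enforce
    log_alert: bool = True  # only consulted in Enforce mode; Monitor always alerts


@dataclass
class Decision:
    action: str                                   # "allow" or "block"
    alerts: List[str] = field(default_factory=list)


def _apply(process: str, violated: bool, setting: ListSetting,
           name: str, decision: Decision) -> None:
    """Fold one list setting into a decision that is being built."""
    if not setting.active or not violated:
        return  # Paused lists are not processed; no violation means nothing to do
    if setting.mode is Mode.MONITOR:
        # Monitor mode never blocks and, by design, always generates an alert
        decision.alerts.append(f"{name} violation (monitor): {process}")
        return
    # Enforce mode blocks; the alert is optional and governed by Log Alert
    decision.action = "block"
    if setting.log_alert:
        decision.alerts.append(f"{name} violation (enforced): {process}")


def evaluate_process(process: str,
                     whitelist_rules: FrozenSet[str], whitelist: ListSetting,
                     blacklist_rules: FrozenSet[str], blacklist: ListSetting) -> Decision:
    """Decide what happens to `process` under the given Whitelist and Blacklist settings.

    Assumption (not stated on the page): both lists are evaluated independently and
    the process is blocked if either list enforces a violation.
    """
    decision = Decision(action="allow")
    _apply(process, process not in whitelist_rules, whitelist, "Whitelist", decision)
    _apply(process, process in blacklist_rules, blacklist, "Blacklist", decision)
    return decision


if __name__ == "__main__":
    # Constructed sample rules, not taken from any real policy
    wl_rules = frozenset({"notepad.exe", "explorer.exe"})
    bl_rules = frozenset({"unknown-tool.exe"})
    monitor_wl = ListSetting(active=True, mode=Mode.MONITOR)
    quiet_enforce_wl = ListSetting(active=True, mode=Mode.ENFORCE, log_alert=False)
    paused_bl = ListSetting(active=False, mode=Mode.ENFORCE)
    for setting in (monitor_wl, quiet_enforce_wl):
        d = evaluate_process("unknown-tool.exe", wl_rules, setting, bl_rules, paused_bl)
        print(setting.mode.value, "->", d.action, d.alerts)
```

The point the example makes concrete: switching a list from Monitor to Enforce with Log Alert cleared silences the alerts you were seeing in Monitor mode, so the Alerts page stops being a record of what the policy is blocking.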

Rule Rings

  • Active/Paused - turns Green when Active and Grey when Paused.

    When set to Active, Rule Rings rules are processed by the controls you specify for the individual Rule Rings rules. 

    When Paused, Rule Rings rules are not processed. 

See Add Rule Rings (Application Control) rules for more details.

File Protect

  • Active/Paused - turns Green when Active and Grey when Paused.

    When set to Active, File Protect rules are processed by the controls you specify for the individual File Protect rules. 

    When Paused, File Protect rules are not processed. 

  • Force Monitor - select this to only monitor the access conditions set in the rules and not process the rule action for the accesses.

    By design, alerts are generated. 

See Add File Protect rules for more details.

USB Protect

  • Active/Paused - turns Green when Active and Grey when Paused.

    When set to Active, USB Protect is enforced with the access controls you specify for this setting. 

    When Paused, USB Protect is not enabled. 

Select from the following controls to set the level of USB access.

  • Read - the host reads the USB device and displays the files saved on the device. You can open the files, but you cannot copy them to the host. Also, you cannot copy files to the USB device.

  • Write - in addition to Read access, you can copy files from or to the USB device.

  • Execute - in addition to Read access, you can execute programs and utilities saved on the USB device.

  • Delete - in addition to Read access, you can delete the files on the USB device.

  • Block All Access - block all types of access to USB devices.

See Enable USB Protect for policies for more details.

AutoTrust

  • Active/Paused - turns Green when Active and Grey when Paused.

    When set to Active, AutoTrust controls are processed by the controls you specify on the AutoTrust tab of the policy. 

    When Paused, AutoTrust controls are not processed. 

See AutoTrust for policies for more details.


Advanced settings

The Advanced settings for a Host policy help you:

  • Control the frequency of communication between the hosts and the Xprotect instance. You can set a time window to distance consecutive operations/jobs on the hosts. Operations include (but are not limited to) policy updates, restarting, upgrading, and uninstalling agents, and isolating or fetching files from hosts.

  • Control the impact of network connections-based Rule Rings rules on the hosts. You can override network connections-based Rule Rings rules on selected hosts (by their IP addresses) and selected ports on the hosts.

Settings and their controls

Agent Fetches Commands Every

  • Set a time window by using the drop-down lists to specify how frequently agents on the hosts (to which the policy is pushed) must receive policy updates and run jobs from the instance.

    The default time window is one minute.

    For example, with the time window set to 2 hours and a policy update currently in progress (11:25 AM) on hostA, if you trigger a file-fetch job, the file-fetch job is executed only after 1:25 PM.

Monitor Network Protocols

  • Active/Paused - turns Green when Active and Grey when Paused.

    When set to Active, all the incoming and outgoing TCP and/or UDP connections (from/to the hosts) are monitored. The connections are allowed or blocked by the network connections-related Rule Rings rules in the policy. The alerts generated for rule violations are listed in the Network Connections Not Allowed alert category.

    When Paused, TCP and UDP connections-related Rule Rings rules in the policy are overridden and not processed. 

Network Monitoring - Exclude TCP Destinations

  • Click Exclude Destination to add a list of IP addresses and TCP ports that must be excluded from monitoring if you have set TCP monitoring to Active.

    IP addresses can be specified in IPv4 or IPv6 format as a single IP address, a range of IP addresses, or in CIDR format. Separate multiple entries with a comma (,).

    Port numbers can be specified as a single port number, a range of ports, or as a wildcard by using an asterisk (*). The asterisk excludes all ports from 0 to 65535. Separate multiple entries with a comma (,).
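To see what an exclusion entry actually covers before you push the policy, it helps to parse the list the same way the text describes it. The block below is an added example (not Xprotect's own parser) that reads a comma-separated IP list (single addresses, `lo-hi` ranges, CIDR blocks, IPv4 or IPv6) and a comma-separated port list (single ports, `lo-hi` ranges, `*`), rejects malformed entries, and answers whether a given destination would be excluded from monitoring. The `lo-hi` range syntax and the pairing of one IP list with one port list per exclusion are assumptions of this example; the product's exact input rules may differ.

```python
import ipaddress
from typing import List, Tuple, Union

IpAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IpNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IpRange = Tuple[IpAddr, IpAddr]
PortRange = Tuple[int, int]


def parse_ip_list(spec: str) -> List[Union[IpNet, IpRange]]:
    """Parse single IPs, 'lo-hi' ranges and CIDR blocks (IPv4 or IPv6), comma-separated."""
    entries: List[Union[IpNet, IpRange]] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "/" in entry:
            # CIDR: strict=False accepts host bits set, e.g. 10.0.0.5/24
            entries.append(ipaddress.ip_network(entry, strict=False))
        elif "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid IP range: {entry!r}")
            entries.append((lo, hi))
        else:
            addr = ipaddress.ip_address(entry)  # raises ValueError on junk
            entries.append((addr, addr))
    return entries


def parse_port_list(spec: str) -> List[PortRange]:
    """Parse single ports, 'lo-hi' ranges and '*' (all ports 0-65535), comma-separated."""
    ranges: List[PortRange] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry == "*":
            ranges.append((0, 65535))
            continue
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(entry)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port entry: {entry!r}")
        ranges.append((lo, hi))
    return ranges


def is_excluded(dest_ip: str, dest_port: int, ip_spec: str, port_spec: str) -> bool:
    """True if the destination matches both the IP list and the port list."""
    addr = ipaddress.ip_address(dest_ip)
    ip_hit = False
    for item in parse_ip_list(ip_spec):
        if isinstance(item, tuple):
            lo, hi = item
            # never compare v4 with v6; ipaddress raises TypeError on mixed versions
            if lo.version == addr.version and lo <= addr <= hi:
                ip_hit = True
                break
        elif item.version == addr.version and addr in item:
            ip_hit = True
            break
    if not ip_hit:
        return False
    return any(lo <= dest_port <= hi for lo, hi in parse_port_list(port_spec))


if __name__ == "__main__":
    # Constructed exclusion, not taken from any real policy
    ips = "10.0.0.0/24, 192.168.1.10-192.168.1.20, 2001:db8::/32"
    ports = "443, 8000-8100"
    for dest in (("10.0.0.5", 443), ("192.168.1.15", 22), ("2001:db8::1", 8050)):
        print(dest, "excluded" if is_excluded(*dest, ips, ports) else "monitored")
```

Worth noting from the parser: an entry of `*` for ports turns an IP exclusion into a blanket exclusion for that destination, so a CIDR block paired with `*` removes a whole subnet from Network Connections Not Allowed alerting.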


Change default or existing Host Policy settings

Change the default or the existing Host Policy settings to improve or relax the security on the hosts. 

  1. Go to Policies.

  2. Click the 3-dot menu of a custom policy and click View and Edit Policy.

  3. Click the Policy Settings icon (located at the top-right corner of the page). 

  4. Change the default or the existing settings.

  5. Click Save.

When you change Policy settings, the policy is moved to the 'Applied' state (shown in the Status column on the Policies page). For new Policy settings to take effect, the policy must be successfully pushed to the hosts in the groups. See Push policies to hosts for more details.


Set temporary 'General' Host Policy settings

You can harden or relax the security on 'secure' hosts (hosts with active Xprotect policies) by applying a set of 'temporary' Policy settings. Temporary Policy settings are applied for a specific time window; after the window, the original policy's Policy settings take effect. Only General Policy settings can be changed; the Advanced Policy settings are always from the original policy. 
