Updated on 2024-09-25 GMT+08:00

Creating a Whitelist Policy

Before enabling application process control, you need to create a whitelist policy and configure the HSS learning duration, the way to confirm learning outcomes, the way policy takes effect, and the action taken on suspicious or malicious processes. HSS will manage application processes based on your policies.

Creating a Whitelist Policy

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  1. In the navigation tree, choose Server Protection > Application Process Control.
  2. Click the Whitelist Policies tab. Click Create Policy.
  3. In the Create Policy dialog box, configure policy parameters. For details about related parameters, see Table 1.

    Figure 1 Creating a whitelist policy
    Table 1 Whitelist policy parameters

    Parameter

    Description

    Example Value

    Policy Mode

    Mode of the application process control policy.

    The conservative mode is used by default. Trustworthy and suspicious processes are allowed to run. Alarms are generated only for malicious processes.

    -

    Policy Name

    A whitelist policy name is generated by default. You are advised to set a custom name to facilitate management.

    test

    Intelligent Learning Period

    Number of days that HSS learns the application processes on servers. A long learning period indicates accurate learning outcomes.

    7

    Confirm Learning Outcomes

    The way to confirm suspicious processes with insignificant characteristics after HSS completes learning on the servers associated with the policy.

    • Automatically: HSS automatically marks suspicious application processes with insignificant characteristics based on the application process signature database.
    • Manually: Choose Application Process Control > Whitelist Policies. Click a policy name. On the policy details page, click the Process Files tab and filter processes in the To be confirmed state. Manually mark suspicious processes with insignificant characteristics.

    Automatically

    Apply Policy After Learning

    The way application process control is enabled after HSS completes learning on the servers associated with the policy.

    • Automatically: Application process control is automatically enabled after HSS completes learning on the servers associated with the policy.
    • Manually: Manually enable application process control as needed after HSS completes learning. For more information, see Enabling Application Process Control.

    Automatically

    Action

    Action taken when a malicious process is detected. Alarms are generated for malicious processes.

    Report alarm

    Servers

    Servers to be protected. The agent version falls within the following scope. For details about how to upgrade the agent, see Viewing Server Protection Status.

    -

  4. Click OK.

    You can view the created policy and its status in the policy list.

    After a whitelist policy is created, HSS automatically starts learning the application process characteristics of the servers associated with the policy. If the policy status changes to Learning complete but not in effect, you can confirm learning outcomes.

Related Operations

Editing a whitelist policy

You can modify the policy mode, action, or protected servers in a whitelist policy.

  1. In the row of a policy, click Edit in the Operation column.
  2. In the Edit Policy dialog box, modify parameters and click OK.

Deleting a whitelist policy

If you no longer need HSS to provide application process control for the servers associated with a policy and do not need to retain the application process information learned by HSS, you can delete the whitelist policy. If you need to enable application process control for the servers after the deletion, HSS will need to start learning again. Exercise caution when performing this operation.

  1. In the row of a policy, click Delete in the Operation column.
  2. In the displayed dialog box, click OK.