Creating a Whitelist Policy

Scenarios

Before enabling application process control, you need to create a whitelist policy and configure the HSS learning duration, the way to confirm learning outcomes, the way policy takes effect, and the action taken on malicious processes. HSS will manage application processes based on your policies.

Creating a Whitelist Policy

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.

In the navigation tree, choose Server Protection > Application Process Control.
Click the Whitelist Policies tab. Click Create Policy.

In the Create Policy dialog box, configure policy parameters. For details about related parameters, see Table 1.

Figure 1 Creating a whitelist policy
Click to enlarge

**Table 1** Whitelist policy parameters
Parameter	Description	Example Value
Policy Mode	Mode of the application process control policy. The conservative mode is used by default. Trustworthy and suspicious processes are allowed to run. Alarms are generated only for malicious processes.	-
Policy Name	A whitelist policy name is generated by default. You are advised to set a custom name to facilitate management.	test
Intelligent Learning Period	Number of days that HSS learns the application processes on servers. A long learning period indicates accurate learning outcomes.	7
Confirm Learning Outcomes	The way to confirm suspicious processes with insignificant characteristics after HSS completes learning on the servers associated with the policy. Automatically: HSS automatically marks suspicious application processes with insignificant characteristics based on the application process signature database. Manually: After HSS finishes learning based on policy configurations, choose Application Process Control > Whitelist Policies. Click a policy name. On the policy details page, click the Process Files tab and filter processes in the To be confirmed state. Manually mark suspicious processes with insignificant characteristics.	Automatically
Apply Policy After Learning	The way application process control is enabled after HSS completes learning on the servers associated with the policy. Automatically: Application process control is automatically enabled after HSS completes learning on the servers associated with the policy. Manually: Manually enable application process control as needed after HSS completes learning. For more information, see Enabling Application Process Control.	Automatically
Action	Action taken when a malicious process is detected. Alarms are generated for malicious processes.	Report alarm
Servers	Servers to be protected. The agent version falls within the following scope. For details about how to upgrade the agent, see Viewing Server Protection Status.	-

Click OK.

You can view the created policy and its status in the policy list. For more information, see Table 2.

**Table 2** Policy status description
Policy Status	Description
Learning	HSS is learning the characteristics of the application processes on servers. Please wait.
Learning complete but not in effect	The server characteristics associated with the policy have been learned. Confirm the learning outcomes. For details, see Confirming Learning Outcomes.
Learning complete and in effect	Application process control protection has been enabled for servers.

Related Operations

Editing a whitelist policy

You can modify the policy mode, action, or protected servers in a whitelist policy.

In the row of a policy, click Edit in the Operation column.
In the Edit Policy dialog box, modify parameters and click OK.

Deleting a whitelist policy

If you no longer need HSS to provide application process control for the servers associated with a policy and do not need to retain the application process information learned by HSS, you can delete the whitelist policy. If you need to enable application process control for the servers after the deletion, HSS will need to start learning again. Exercise caution when performing this operation.