Updated on 2023-02-16 GMT+08:00

Applying a Whitelist Policy

You can apply whitelist policies to your servers. A machine learning engine will automatically analyze operations performed on the servers. In this way, HSS will check whether suspicious or malicious processes exist on your servers, and report alarms on or isolate the processes that are not in the whitelist.

Prerequisites

  • The premium edition has been enabled.
  • The server you want to apply the policy to is in the Running state, its agent is in the Online state, and the premium edition has been enabled for the server.
  • Only one whitelist policy can be applied to a server.

Creating a Whitelist Policy

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, open the service list, and choose Security & Compliance > Host Security Service.
  3. On the Programs page, click the Whitelist Policies tab, and click Create Policy, as shown in Figure 1.

    Figure 1 Creating a whitelist policy

  4. Set policy details, as shown in Figure 2.

    • Policy Name: Set a policy name.
    • Intelligent Learning Period: Select 7 days, 15 days, or 30 days.
      The period you select must be long enough for the policy to learn about all the common operations performed on your servers. Otherwise, intelligent learning results will be inaccurate.
      Figure 2 Configuring a policy

  5. Click Add Server to add an intelligent learning server, as shown in Figure 3.

    • The server you want to apply the policy to must be in the Running state, its agent must be in the Online state, and the premium edition must be enabled for the server.
    • You can add one or more servers. HSS will learn operations performed on them and identify trusted, untrusted, and unknown applications.
    Figure 3 Adding servers for policy learning

  6. Click OK.

    • In the server list, you can view the service name, IP address, and system of each server.
    • You can add or remove learning servers as required.

  7. Click Create and Learn.

    In the whitelist policy list, you can view the policy name, protected servers, policy status, applications, and whether a policy is enabled.

  8. Wait until the whitelist policy learning is complete and the policy status becomes "Learning complete. Policy not in effect", and then enable the whitelist policy.

    After the whitelist policy is enabled, if its status becomes "Learning complete. Policy in effect", the whitelist policy is successfully created.
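
The effect of the Intelligent Learning Period choice in step 4, as an added illustration that is not HSS code and does not reproduce the HSS learning engine: a plain "seen during the window" allowlist built from a constructed execution log, compared for the 7, 15, and 30 day options. All paths, dates, and function names are assumptions made for the example.

```python
from datetime import date, timedelta

START = date(2023, 1, 1)   # constructed first day of learning
PERIODS = (7, 15, 30)      # the Intelligent Learning Period options on the page


def build_sample_log(days=60):
    """Constructed process-execution history as (day, executable path) pairs."""
    events = []
    for offset in range(days):
        day = START + timedelta(days=offset)
        events.append((day, "/usr/sbin/nginx"))                    # every day
        if day.weekday() == 6:
            events.append((day, "/usr/local/bin/weekly-backup"))   # Sundays
        if day.day == 10:
            events.append((day, "/usr/local/bin/billing-sync"))    # 10th of month
        if day.day == 20:
            events.append((day, "/usr/local/bin/monthly-report"))  # 20th of month
    # One program that never runs inside any of the learning windows.
    events.append((START + timedelta(days=40), "/tmp/unknown-binary"))
    return events


def learn_allowlist(events, period_days):
    """Executables observed in the learning window [START, START + period)."""
    end = START + timedelta(days=period_days)
    return {exe for day, exe in events if START <= day < end}


def alarms_after_learning(events, period_days):
    """Executables that run after learning ends and are not in the allowlist."""
    end = START + timedelta(days=period_days)
    allowed = learn_allowlist(events, period_days)
    return sorted({exe for day, exe in events
                   if day >= end and exe not in allowed})


def compare_periods(events):
    """Map each learning period to the executables it would alarm on."""
    return {period: alarms_after_learning(events, period) for period in PERIODS}


if __name__ == "__main__":
    for period, alarms in compare_periods(build_sample_log()).items():
        print(f"{period:>2}-day learning -> alarms on: {alarms}")
```

In this sample, the shorter windows raise alarms on legitimate monthly jobs alongside the genuinely unknown program, while the 30-day window leaves only the unknown program.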

Associating Servers

After a whitelist policy is created, you can associate servers with it. HSS will check for suspicious or malicious processes on the associated servers.

You can only associate servers with a whitelist policy whose status is "Learning complete. Policy in effect".

  1. Click Applications, as shown in Figure 4.

    Figure 4 Associating servers

  2. In the displayed dialog box, set Action to Alarm and select the servers, as shown in Figure 5.

    Figure 5 Selecting servers

  3. Click OK.

    The number of servers associated with the whitelist policy will be displayed in the whitelist policy list.

Follow-Up Procedure

Managing protected servers

  • To add servers, click the Servers Protected tab and click Add to Policy.

    You can check the server names and IP addresses, whitelist policy, number of suspicious operations, and the way to handle the operations.

  • To remove a protected server, click Delete in the Operation column. After a whitelist policy is deleted, the applications on the servers associated with it will no longer be protected.

Editing a whitelist policy

You can click Edit to modify the period and servers for intelligent learning.

Exercise caution when modifying the intelligent learning period of a policy. Until learning completes, servers associated with the policy are not protected.

Deleting a whitelist policy

You can click the Delete button to delete a whitelist policy.