1 Reply Latest reply on Apr 10, 2015 9:34 AM by wwarren

    Access Protection Policy: Establishing a baseline AKA defining exclusions

    pwalski

      Hello,

       

      I have been struggling with finding the correct answer (if one actually exists) for our VSE policy baseline. I spent the last month essentially ripping out my organizations existing AV solution (rhymes with blimptantec) and implementing VSE 8.8 for all workstations and servers (rather servers that weren't virtual, they got MOVE). All in all it's about 2500 endpoints. It was kind of a speedy process and now I'm in evaluation mode. Basically I have a majority of the AP policies with Reporting enabled and using that essentially as my learning mode. From that I'll develop the exclusion list and likely switch it from reporting to block where appropriate. I have some server tasks that are executing daily queries and I'm feeding the results into an Excel pivot table for easier reading. But what I'm seeing on a daily basis is a AP rule violation and NOT blocked threat count in excess of 150k.

      dailythreatevents.JPG

       

      I've attached some examples of what I'm seeing from a 24 hours breakdown perspective, and alot of them are standard applications (Outlook, Word, Excel, IE, etc). My concern is that do I add those to the processes to exclude list? But I don't necessarily want to add rundll32.exe, msiexec.exe, or svchost.exe to that list do I?

      example1.JPGexample2.JPG

       

      Ultimately my issue is that I seem to have just a lot of noise that is getting in the way of isolating actual or potential threats and looking for any advice on how to go about tackling it.

       

      Thanks in advance for any advice.

        • 1. Re: Access Protection Policy: Establishing a baseline AKA defining exclusions
          wwarren

          I would've gone with using our default AP rules, then decide if you want/need further AP rules after a time.

          This blog will help with some understanding of the feature: Access Protection - How To...

           

          In reply to your immediate need, you have enabled rules we do not enable by default. Rules not enabled by default typically require tuning - possibly a lot of tuning - because there may be literally hundreds of applications in an environment that violate them and we haven't the time or knowledgebase to know what all the legitimate apps are vs. potentially malicious, and also because some processes that you may need to exclude could render the whole rule pointless so we don't exclude them... you might have to.

           

          It's up to you if you want to exclude all those processes reporting back with violations, knowing that if you don't, when you switch the rule to block you could end up breaking those applications (until the rule is disabled, or the affected process gets added as an exclusion to the rule - it would be a very delicate app where Access Protection could actually break it ).

          Another long-term option is to make recommendations to the vendor of the app, asking them if it's possible for their app to not do things malware has been known to do. They may give you a few choice words in return, like you're asking the impossible, and sometimes they'll be right.