When installing the Block 64 Windows Application, you might get notifications from your security tools informing you that they have quarantined or removed a file. For our tool to work in your environment, the application needs to be whitelisted, much as you may have done for other applications running in your environment. More information on Block 64 and endpoint security can be found here.
The Network Ports We Leverage
A question we often get leading up to deployment or during troubleshooting is: which ports will your inventory and other processes use on my network? The good news is that these ports are very rarely – if ever – blocked. Here is the complete list of ports we presently use for inventory purposes:
Windows Inventory*:
- TCP 135, 1025-5000 and 49152-65535 (WMI)
- TCP 445 (SMB – RPC)
- TCP 1025 (Alternate Netbios)
- TCP 465 (SSL-encrypted email)
- TCP 139 (NetBIOS)
- UDP 137 (NetBIOS)
Active Directory Data:
- TCP 389 (LDAP)
- TCP 636 (LDAPS)
External Data Feeds:
- TCP 80 (HTTP – external data feeds)
- TCP 443 (HTTPS – external data feeds, updates/patches, external data/debug transfer)
Linux Inventory:
- TCP 22 (SSH – OS X and POSIX-compliant inventory, CLI access)
Common Anti-Virus/Security Suites
- Norton 360
- Bitdefender Total Security
- Total AV
- Avira Free Security
- BullGuard Antivirus
- Panda Adaptive Defense 360
- Kaspersky EDR
- Trend Micro Worry-Free
- Avast
- ESET Endpoint Security
- Carbon Black
- Microsoft Windows Defender
- Sophos Intercept X Advanced with EDR
- SentinelOne Endpoint Protection
- Symantec ATP (Advanced Threat Protection)
- Palo Alto Cortex XDR
- Cisco AMP for Endpoints
- McAfee Endpoint Security
- Malwarebytes
- Crowdstrike
Norton 360 – Version 22.20.5.39
- Open Norton 360
- Click Settings in the top right corner
- Click Firewall
- Click the Traffic Rules tab
- Click the “Add” button
- Select the “Allow” option and click the “Next >” button
- Select the “Connections to and from other computers” option and click the “Next >” button
- Select the “Any computer in the local subnet” option and click the “Next >” button
- Select “TCP” from the drop-down menu and select “The rule will apply only if it matches all of the ports listed below”
- Click the Add button and select “TCP 135, TCP 445, TCP 139, TCP 1025, TCP 389, TCP 22”, then click the “OK” button
- Click the “Next >” button twice
- Name the firewall rule and click the “Next >” button
- Click the “Finish” button
- Click the “Add” button again
- Select the “Allow” option and click the “Next >” button
- Select the “Connections to and from other computers” option and click the “Next >” button
- Select the “Any computer in the local subnet” option and click the “Next >” button
- Select “UDP” from the drop-down menu and select “The rule will apply only if it matches all of the ports listed below”
- Click the Add button and select “UDP 137, UDP 53”, then click the “OK” button
- Click the “Next >” button twice
- Name the firewall rule and click the “Next >” button
- Click the “Finish” button
- Click the “Add” button again
- Select the “Allow” option and click the “Next >” button
- Select the “Connections to other computers” option and click the “Next >” button
- Select the “Any computer” option and click the “Next >” button
- Select “TCP” from the drop-down menu and select “The rule will apply only if it matches all of the ports listed below”
- Click the Add button and select “Port range”, then type in “1025-5000” and click the “OK” button. Do the same for “49152-65535”. Also add the individually specified ports “443” and “7295”.
- Click the “Next >” button twice
- Name the firewall rule and click the “Next >” button
- Click the “Finish” button
- Click Apply to apply the new rules.
To take this one step further, you can find the local host IP address and modify each rule you created to only allow connections with that IP. To do this, click on the rule and then click the Modify button. Navigate to the “Computers” tab and select “Only the computers and sites listed below:”, then add computers to the list by name or by IP address.
Bitdefender Total Security - Version 25.0.14.58
- Open Bitdefender and go to Protection.
- Click Antivirus, then click Open.
- Click on the Settings tab
- Click Manage Exceptions.
- Click +Add an Exception.
- Enter the path of the folder you want to exclude from scanning in the corresponding field. Alternatively, navigate to the folder by clicking the Browse button on the right side of the interface, select it and click OK.
- Turn on the switch next to the protection feature that should not scan the folder. There are three options:
- Antivirus
- Online Threat Prevention
- Advanced Threat Defense
- Click Save to save the changes and close the window.
Total AV - Version 5.14.15
File/folder/process exclusions & whitelisting domains
1. Open TotalAV.
2. Navigate to **Settings**.
3. Select **Antivirus**.
4. Click on **Manage Exclusions**.
5. Click **Add Exclusion**.
6. Browse and select the file or folder to exclude.
7. Confirm to add the exclusion.
https://support.totalav.com/en/kb/article/341/firewall-blocked-a-connection
If you are seeing the notification 'Firewall blocked a connection,' it is likely that you have your 'Outbound Traffic' setting as OFF.
- Within your TotalAV application you have a section dedicated to Firewall settings.
- These controls allow you to manage both incoming and outgoing network traffic based on your settings.
Follow the steps below to re-enable this setting, which will remove the blocked-connection notification you are currently seeing.
- Open your TotalAV application
- Select 'Web Security' option on the left-hand side
- Select the 'Firewall' tile
- Use the toggle to turn on 'Allow Outbound Traffic'
Avira Free Security – Unknown Version – Tested on 2021-02-24
To get to firewall settings:
- Click on the “Security” tab on the left nav bar.
- Click on firewall.
- Click on advanced settings.
- Windows Defender Firewall with Advanced Security will open; from there, navigate to Inbound Rules or Outbound Rules on the left and add rules accordingly.
Additional Avira AV whitelisting information:
- Click the Avira icon in the system tray to open the Avira user interface.
- Click Security in the left menu.
- Click the module Protection options.
- Click the Settings icon of Real-time protection.
- Navigate to PC Protection → Real-Time Protection → Exceptions.
Set exceptions
Add files to be omitted for both System Scanner and the Real-time protection in the configuration window. For Real-time protection, you may also specify processes to be omitted from scanning.
Note: If you want to add directories as exceptions, the path must end with a backslash (\).
Example of a correct exception: C:\testfolder\
BullGuard Antivirus – Version 21.0.385.9
This AV quarantines Block64.exe. I tried the steps below, other guides online, and playing around with it myself, and couldn’t even get the application to install properly without turning the AV off. Even once the AV is toggled off, it tries to prevent network access. A pop-up comes up and I clicked “allow access”, and Block was still having issues. Block ends up displaying a message saying “Could not connect to Block 64 service!” and “Please confirm that the Block 64 service is running and try again” with a retry button. When pressing the retry button, the app processes the request and tries to reconnect to the service for about 30 seconds before displaying the same messages.
https://antivirus-scan.co/how-to-unblock-something-on-bullguard
- On your computer, open the Bullguard firewall application.
- Navigate to the Settings section and then choose the Antivirus option.
- Next, go to Advanced and select the Tuning option.
- Now, select the checkbox provided next to the Skip files/folders option.
- Click the highlighted files/folders title.
- Finally, click the Plus (+) sign that is provided in the section that is currently open. By performing this action, you will be adding an exception to the concerned folder.
Panda Adaptive Defense 360
Preliminary steps
Before applying any exclusion for the permanent protection, ensure the following statements are true:
Folder exclusions:
- Exclusions CONTAIN full path.
- Exclusions DO NOT CONTAIN mapped drives.
- Exclusions to network locations CONTAIN full UNC path.
- User environment and variables are NOT supported (except for the Advanced Protection featured in Adaptive Defense 360 and Adaptive Defense).
- Wildcards and question marks are NOT supported.
Examples of CORRECT folder exclusions:
- C:\windows\system32
- \\192.168.21.23\test
- %ProgramFiles%\Test
Examples of INCORRECT folder exclusions:
- Z:\ (where Z is a mapped drive)
- C:\temp*\
- C:\?indows
File exclusions:
- Exclusions CONTAIN full path.
- Exclusions DO NOT CONTAIN mapped drives.
- Exclusions to network locations CONTAIN full UNC path.
- Wildcards and question marks are NOT supported.
Examples of CORRECT exclusions:
- C:\windows\system32\filename.dll
Examples of INCORRECT exclusions:
- C:\Wind*\System32\test.exe
- C:\windows\????.dll
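The rules above can be checked before an exclusion is typed into the console. The following validator is an added example, not Panda's own code or tooling: it applies the stated rules (full path, no mapped drives, full UNC path for network locations, environment variables only with Advanced Protection, no wildcards or question marks) to candidate exclusion strings. Because a mapped drive letter is syntactically identical to a local one, the caller has to supply the set of letters known to be network mappings; that parameter and the sample exclusions at the bottom are assumptions constructed for the example.

```python
import re
from typing import Dict, FrozenSet, List

# Accepted shapes for an exclusion; any other string is rejected as "not a full path".
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")        # X:\folder\file
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+")    # \\host\share (host and share both required)
ENV_PATH = re.compile(r"^%[^%]+%(\\|$)")         # %ProgramFiles%\folder


def check_exclusion(path: str,
                    mapped_drives: FrozenSet[str] = frozenset(),
                    advanced_protection: bool = True) -> List[str]:
    """Return the rule violations for one exclusion string (empty list = acceptable).

    mapped_drives: drive letters the administrator knows are network mappings.
        Syntax alone cannot tell Z:\\ (mapped) from C:\\ (local), so this set is
        an assumption the caller supplies.
    advanced_protection: Adaptive Defense 360 supports environment variables only
        through its Advanced Protection feature, so %VAR% paths are accepted only
        when this flag is True.
    """
    problems: List[str] = []
    if "*" in path or "?" in path:
        problems.append("wildcards and question marks are not supported")
    if DRIVE_PATH.match(path):
        if path[0].upper() in {d.upper() for d in mapped_drives}:
            problems.append("mapped drives are not supported; use the full UNC path instead")
    elif UNC_PATH.match(path):
        pass  # network location given as a full UNC path
    elif ENV_PATH.match(path):
        if not advanced_protection:
            problems.append("environment variables are only supported with Advanced Protection")
    else:
        problems.append("not a full path (expected X:\\..., \\\\host\\share\\..., or %VAR%\\...)")
    return problems


def validate_exclusions(paths: List[str], **kwargs) -> Dict[str, List[str]]:
    """Check a batch of exclusions; the result maps each string to its violations."""
    return {p: check_exclusion(p, **kwargs) for p in paths}


# Constructed sample input (not from the page's console): the CORRECT and INCORRECT
# examples listed above plus two extra edge cases (incomplete UNC path, relative path).
SAMPLE_EXCLUSIONS = [
    "C:\\windows\\system32",
    "\\\\192.168.21.23\\test",
    "%ProgramFiles%\\Test",
    "C:\\windows\\system32\\filename.dll",
    "Z:\\",                              # Z: is assumed to be a mapped drive
    "C:\\temp*\\",
    "C:\\?indows",
    "C:\\Wind*\\System32\\test.exe",
    "C:\\windows\\????.dll",
    "\\\\fileserver",                    # host without a share is not a full UNC path
    "windows\\system32",                 # relative path
]

if __name__ == "__main__":
    results = validate_exclusions(SAMPLE_EXCLUSIONS, mapped_drives=frozenset({"Z"}))
    for path, issues in results.items():
        status = "OK      " if not issues else "REJECTED"
        print(f"{status} {path:40} {'; '.join(issues)}")
```

Run as a script it prints one line per sample exclusion; without the `mapped_drives` hint, `Z:\` would pass, which is exactly why the console cannot catch that mistake for you.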
Solution
Follow the instructions below in order to exclude elements from the scan:
NOTE: The example below covers excluding files for an individual Windows server (an Exchange server), but the procedure to exclude files for a workstation or a group of machines is the same. Just right click on the appropriate container in the console.
- Access the Web Console.
- In the Settings tab, Profiles section, select the profile that is applied to the server where the Exchange is installed.
- On the Edit Profile screen, select the Antivirus option; then, in the Files tab, click Advanced settings.
- On the Advanced settings screen, enter any needed exclusions, such as:
- Directories
- Files
- Extensions
- Once all exclusions have been included, save the changes. These changes will be applied in the next update of the signature file.
Kaspersky EDR
Configuring white list mode
When configuring white list mode, it is recommended to perform the following actions:
- Create application categories containing the applications that must be allowed to start.
You can select one of the following methods for creating application categories:
- Category with content added manually (Step 3. Configuring the conditions for including applications in a category, Step 4. Configuring the conditions for excluding applications from a category). You can manually add to this category by using the following conditions:
- File metadata. If this condition is used, Kaspersky Security Center adds all executable files accompanied by the specified metadata to the application category.
- File hash code. If this condition is used, Kaspersky Security Center adds all executable files with the specified hash to the application category.
- Use of this condition excludes the capability to automatically install updates because different versions of files will have a different hash.
- File certificate. If this condition is used, Kaspersky Security Center adds all executable files signed with the specified certificate to the application category.
- KL category. If this condition is used, Kaspersky Security Center adds all applications that are in the specified KL category to the application category.
- Path to application. If this condition is used, Kaspersky Security Center adds all executable files from this folder to the application category.
- Use of the Application folder condition may be unsafe because any application from the specified folder will be allowed to start. It is recommended to apply rules that use the application categories with the Application folder condition only to those users for whom the automatic installation of updates must be allowed.
- You can also add executable files from the Executable files folder to an application category with content added manually.
- Category that includes executable files from selected folder. You can specify a folder from which executable files will be automatically assigned to the created application category.
- Category which includes executable files from selected devices. You can specify a computer for which all executable files will be automatically assigned to the created application category.
- When using this method of creating application categories, Kaspersky Security Center receives information about applications on the computer from a list of executable files.
- Select white list mode for the Application Control component.
- Create Application Control rules using the created application categories.
The initially defined rules for white list mode are the Golden Image rule, which allows the startup of applications that are included in the Golden Image KL category, and the Trusted Updaters rule, which allows the startup of applications that are included in the Trusted Updaters KL category. The "Golden Image" KL category includes programs that ensure normal operation of the operating system. The "Trusted Updaters" KL category includes updaters for the most reputable software vendors. You cannot delete these rules. The settings of these rules cannot be edited. By default, the Golden Image rule is enabled, and the Trusted Updaters rule is disabled. All users are allowed to start applications that match the trigger conditions of these rules.
- Determine the applications for which automatic installation of updates must be allowed.
You can allow automatic installation of updates in one of the following ways:
- Specify an extended list of allowed applications by allowing the startup of all applications that belong to any KL category.
- Specify an extended list of allowed applications by allowing the startup of all applications that are signed with certificates.
- To allow the startup of all applications signed with certificates, you can create a category with a certificate-based condition that uses only the Subject parameter with the value *.
- For the Application control rule, select the Trusted Updaters parameter. If this check box is selected, Kaspersky Endpoint Security considers the applications included in the rule as Trusted Updaters. Kaspersky Endpoint Security allows the startup of applications that have been installed or updated by the applications included in the rule. However, these applications cannot be within the scope of any block rules.
- When Kaspersky Endpoint Security settings are migrated, the list of executable files created by trusted updaters is migrated as well.
- Create a folder and place within it the executable files of applications for which you want to allow automatic installation of updates. Then create an application category with the "Application folder" condition and specify the path to that folder. Then create an allow rule and select this category.
- Use of the Application folder condition may be unsafe because any application from the specified folder will be allowed to start. It is recommended to apply rules that use the application categories with the Application folder condition only to those users for whom the automatic installation of updates must be allowed.
Trend Micro Worry-Free
Whitelisting by Domain in Trend Micro
The whitelisting process is broken down into 5 sections. Each section has its own steps for configuration and must be completed to successfully whitelist Block64.
Advanced Spam Protection
- Navigate to the Advanced Threat Protection tab > Add.
- Select the policy to create based on the service:
- Exchange
- OneDrive
- SharePoint
- Box
- Dropbox
- On the left, select Advanced Spam Protection.
- Check the Enable Advanced Spam Protection option.
- Select the Approved/Blocked Sender List section.
- Check the box next to the Enable the approved sender list option.
- Enter *block64.com in the text field and click the Add > button.
- Select the Rules configuration section.
- Under the Apply to: drop-down, select the Incoming messages option.
- For Detection Level:, select the Medium option.
Malware Scanning
- On the left, select Malware Scanning.
- Select the Rules configuration section.
- Under the Apply to: drop-down, select the All messages option.
- Under Malware Scanning, select Scan all files and check the box next to Scan message body and Enable IntelliTrap.
- Select the Action configuration section.
- For Action:, select the Trend Micro recommended actions option from the drop-down.
- For Notification:, select the Notify option from the drop-down.
File Blocking
- On the left, select File Blocking and select Enable File Blocking. We recommend keeping File Blocking on because you cannot limit this option to Block64 messages. Turning off File Blocking could allow potentially malicious attachments through to your users.
Web Reputation
- On the left, select Web Reputation.
- Check the Enable Web Reputation option.
- Select the Rules configuration section.
- Under the Apply to: drop-down, select the All messages option.
- For Security Level:, select the Medium option.
- Select the Approved/Blocked URL List section.
- Check the box next to the Enable the approved URL list option.
- Check the box next to the Add internal domains to the approved URL list option.
- Enter our landing page domains in the text field. For the most up-to-date list of our domains, please see this article.
- Then, click the Add > button.
Note: You can click the Import button to import URLs in batches.
Virtual Analyzer
- On the left, select Virtual Analyzer.
- Check the Enable Virtual Analyzer option.
- Click the Save button.
Once all steps in each section are completed, your new policy will appear under the Advanced Threat Protection tab.
Direct link to Trend Micro Guide
Avast
- Open Avast Antivirus and go to ☰ Menu ▸ Settings.
- Select Protection ▸ Core Shields.
- Unselect the “Enable CyberCapture” checkbox
- Close the Avast menu and run the Block 64 installer.
Additional whitelist steps found online:
- Open Avast Antivirus and go to ☰ Menu ▸ Settings.
- Select General ▸ Exceptions.
- Click Add Exception.
- Add an exception in one of the following ways:
- Type the specific file path, folder path, or URL into the text box, then click Add Exception.
- Click Browse, tick the box next to the file or folder you want to exclude, then click OK.
- Click More, type the Process Name and Command Line Parameters, then click Add Command Line Exception.
NOTE: Adding a Command Line exception allows you to exclude all files on your hard disk drive that have the same file name, even though the files are located in different folders.
ESET Endpoint Security – 8.0.2028.0
Adding IDS Rules After Installation
- Open ESET Advanced Endpoint Security.
- Navigate to the “SETUP” tab on the left nav bar.
- Click on “Advanced setup” in the bottom right corner of the application.
- Click on “NETWORK PROTECTION” in the left navbar; this expands more options. From those, click on “Network attack protection”.
- Under Network attack protection, click “Edit” to the right of “IDS rules”.
- From here you can add IDS rules to whitelist the Block 64 application within its install directory.
ESET Security – 14.0.22.0 – Firewall Rule
- Open the main program window of your ESET Windows product.
- Press the F5 key to access Advanced setup.
- Click Network Protection → Firewall, select Interactive mode from the Filtering mode drop-down menu, and then click OK to save your changes.
- Attempt to run the application or connect to the device that was blocked. Your ESET product will prompt you to allow or deny each connection that is not already affected by an existing rule. To create the rules you need to unblock your application or device, select Create rule and remember permanently and click Allow.
- Press the F5 key on your keyboard to access Advanced setup.
- Click Network Protection → Firewall, expand Advanced and then click Allowed Services.
- Under Allowed Services, make sure that all of the slider bars are enabled. When you are finished, click OK.
- When you have finished creating rules for the applications or devices you want to allow to connect to your home network, reset the filtering mode to automatic. Click Network Protection → Firewall, select Automatic mode from the Filtering mode drop-down menu, and then click OK twice to save your changes and exit Advanced setup.
Creating a Firewall Rule
- Press the F5 key on your keyboard to access Advanced setup.
- Click Network Protection → Firewall, expand Advanced and then click Allowed Services.
- Click “Edit” found to the right of “Rules”.
- Click the “Add” button.
- Name the rule something appropriate. Switch the direction to “Both”, Action to “Allow”, and the protocol to “TCP”.
- Navigate to the Remote tab and enter the following ports in the port text input field:
- 135
- 1025-5000
- 49152-65535
- 139
- 1025
- 389
- 22
- 7295
- 443
- Click the “OK” button.
- Add another rule for UDP port 137, following the same steps. Switch TCP to UDP in the protocol section and the rest is the same.
To create an exception for internal IP traffic:
1. Determine whether the IP address detected in the notification falls within one of the following ranges (where "x" is 0-255):
- 172.16.x.x - 172.31.x.x
- 192.168.x.x
- 10.x.x.x
2. If the IP address detected is within the safe range listed above, open the main program window of your ESET Windows product. Skip to step 4.
3. If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device being detected by the firewall is located on a public network and could be a threat to your system. See the ESET DNS-Flush tool section and use it to repair any files that may have been damaged by DNS cache poisoning.
4. Press the F5 key on your keyboard to access Advanced setup.
5. Expand Network Protection, click Firewall, expand Advanced and then click Edit next to Zones. Version 8.x: Expand Network → Personal firewall and then click Rules and zones. In the Zone and rule editor pane, click Setup.
6. In the Firewall zones window, select Addresses excluded from IDS and click Edit. Version 8.x: Click the Zones tab, select Addresses excluded from active protection (IDS) and then click Edit. In the Zone setup window, click Add IPv4 address.
7. Type the IP address of the device being incorrectly detected as a threat in the Remote computer address (IPv4, IPv6, range, mask) field. If you are running version 8.x: Select Single address, and then enter the IP address of the device being incorrectly detected as a threat.
8. Click OK three times to exit Advanced setup and save your changes. You should no longer see any messages about attacks coming from an internal IP address that you know to be safe. If you continue to experience this issue, proceed to solution 2 below. Version 8.x: Click OK four times to exit the Advanced setup tree and save your changes.
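Step 1 of this procedure is a range check that is easy to get wrong by hand (172.32.x.x, for instance, is outside the 172.16–172.31 block). The following is an added example, not ESET's code: it pulls an IPv4 address out of a notification string and classifies it against exactly the three ranges listed above, so the result says whether to continue with the exclusion (step 4 onward) or to treat the source as external (step 3). It also shows why Python's `is_private` is not a substitute for the page's list. The sample notification strings are constructed for the example and do not reproduce real ESET wording.

```python
import ipaddress
import re
from typing import Optional, Tuple

# The three ranges the procedure above calls "safe" (the RFC 1918 private blocks).
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.x.x.x
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.x.x - 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.x.x
]

IPV4_IN_TEXT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(notification: str) -> Optional[str]:
    """Return the first IPv4 literal found in a notification string, or None."""
    m = IPV4_IN_TEXT.search(notification)
    return m.group(0) if m else None


def is_internal(addr: str) -> bool:
    """True if addr lies in one of the three ranges from the procedure.

    Raises ValueError for anything that is not a valid IPv4 address; IPv6
    literals are rejected on purpose because the listed ranges are IPv4 only.
    """
    ip = ipaddress.ip_address(addr.strip())
    if ip.version != 4:
        raise ValueError(f"{addr!r} is not an IPv4 address")
    return any(ip in net for net in INTERNAL_RANGES)


def compare_with_is_private(addr: str) -> Tuple[bool, bool]:
    """(page rule, stdlib is_private) for the same address.

    is_private also covers loopback, link-local (169.254.x.x) and documentation
    ranges, so it is wider than the three ranges above and would wave through a
    169.254.x.x source as "internal" when the procedure does not.
    """
    return is_internal(addr), ipaddress.ip_address(addr).is_private


def triage(notification: str) -> str:
    """Map a notification to the step of the procedure that applies next."""
    addr = extract_ipv4(notification)
    if addr is None:
        return "no IPv4 address found in the notification"
    if is_internal(addr):
        return f"{addr} is internal: continue with step 4 (exclude it from IDS)"
    return f"{addr} is not internal: treat it as a public source (step 3)"


# Constructed sample notifications (not real ESET output).
SAMPLE_NOTIFICATIONS = [
    "Detected attack from 192.168.1.20",
    "Detected attack from 172.31.255.254",
    "Detected attack from 172.32.0.1",
    "Detected DNS cache poisoning attack from 203.0.113.7",
    "Detected attack from 169.254.10.10",
]

if __name__ == "__main__":
    for n in SAMPLE_NOTIFICATIONS:
        print(triage(n))
```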
Carbon Black
From the Investigate Page
- Search for Events tied to desired application or hash
- Select the desired Event to expand Event details
- Click desired App tab (Parent App, Selected App, Target App)
- Signed By field reflects Signer of file, CA reflects Certificate Authority
- Click on Add button to right of Signed By to add the Cert (Signer+CA) to Approved List
From the Reputation Page
- Locate Signer and Certificate Authority (CA) for desired file (can be done via Enriched Event data or directly on endpoint)
- Log into Carbon Black Cloud Console
- Go to Enforce > Reputation
- Click on the +Add button
- In the modal/pop-up, select Type: Certs
- Enter the Signer in the "Signed By" field (required), for example Signed By: Google Inc
- Enter the CA in the Certificate Authority field (not currently required), for example CA: VeriSign Class 3 Code Signing 2010 CA
- Add details to Comment field as desired
- Click Save to finish adding Cert to Approved List
Microsoft Windows Defender (local)
- Go to Start > Settings > Update & Security > Windows Security > Virus & threat protection.
- Under Virus & threat protection settings, select Manage settings, and then under Exclusions, select Add or remove exclusions.
- Select Add an exclusion, and then select from files, folders, file types, or process. A folder exclusion will apply to all subfolders within the folder as well.
Please note: Currently, there is no method to whitelist the Blockbox Virtual Appliance in Microsoft Defender 365. However, we are working to resolve this issue. In the meantime, refer here for insight into the cause of these alerts and the steps to suppress them.
Sophos Intercept X Advanced with EDR
Method 1: Using Global Exclusion
- In Global Settings, from the menu on the left side of the screen, go to the General section and click Global Exclusion
- Click to Add Exclusion
- In the pop-up window use the following values and click Add button.
Exclusion Type: File or folder (Windows)
Value: the Block 64 Application installation folder, which is usually “C:\Program Files (x86)\Block 64 Corporation”. This value differs if the Block 64 Application’s default path was changed.
Active for: Real-time and scheduled
- Click Save
Method 2: Adding an Application Control Policy
Application control lets you detect and block applications that are not a security threat, but that you decide are unsuitable for use in the office.
Note: If an option is locked, global settings have been applied by your partner or Enterprise administrator.
- From the Endpoint Protection screen, go to Policies and click on Add Policy button
- From the pop-up window select the feature Application Control and for type select Device (policies are assigned to device regardless of the logged-on user) and click Continue
- Name the policy Block64 Policy and, from the Available Computers list, select the server where the Block 64 tool is installed, then click the right-pointing arrow to add it to the Assigned Computers list
- From the Settings menu, click on Add/Edit List
- From the Add/Edit Application List select the following applications and click the Save to List button.
- Under the section Detection Options, select the option Detect controlled applications during scheduled and on-demand scans and save the policy
- Be sure that the Block64 Policy is at the top of the policy list
SentinelOne Endpoint Protection
- In the SentinelOne console, click settings on the left.
- Click exclusions at the top.
- Add the path to the exclusion list by clicking on QA exclusions and then path.
- Select an OS.
- Enter the path name.
- Add description of the exclusion.
- Choose which list to put the exclusion in.
Symantec Advanced Threat Protection
Create Whitelist policies for files so that ATP explicitly allows access to them regardless of their reputation. When you whitelist an item, ATP considers it "trusted" and takes no action on it. For example, if you whitelist a file, ATP does not inspect that file nor does it request a reputation score for it. Whitelisting trusted files can conserve scanning resources and reduce the number of events that ATP creates. It can also eliminate false negatives.
You create a Whitelist policy for a file based on its SHA256 hash value. ATP allows access to whitelisted files on any external computer.
You must have the Admin role or Controller role to create Whitelist policies.
To create a Whitelist policy
- In ATP Manager, click Policies > Whitelist.
- Click the plus sign and select Add to Whitelist.
- In the Add to Whitelist dialog box, add the SHA256 hash for the file. The SHA256 hash value must be 64 characters with values ranging between 0 - 9 and a - f.
- In the Match Value field, type the value of the whitelisted item. The Match Value appears in the Whitelist policy list as the Rule Value.
- Optionally, type a comment in the Comment field. For example, you may want to specify the file name for SHA256 hash.
- Click Save.
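The steps above hinge on the SHA256 value being entered in the exact form ATP accepts. As an added example (not Symantec's code), the snippet below computes the SHA-256 of a file or byte string, normalizes hashes copied from other tools (upper-case hex as printed by certutil or Get-FileHash, surrounding whitespace) to the 64 lower-case hex characters ATP requires, rejects values of the wrong length or carrying a `sha256:` prefix rather than silently repairing them, and checks a candidate file against the resulting whitelist entries. The sample bytes are constructed for the example; the file name Block64.exe is taken from the page.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# ATP's stated format: exactly 64 characters, each 0-9 or a-f.
ATP_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def sha256_of_bytes(data: bytes) -> str:
    """Lower-case hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_hash(value: str) -> Optional[str]:
    """Return the hash in the form ATP accepts, or None if it cannot be used.

    Upper-case hex and stray whitespace are normalized; anything else that fails
    the 64-hex-character rule (a SHA-1 or MD5 digest, a 'sha256:' prefix, a
    non-hex character) is rejected so the operator sees the problem.
    """
    candidate = value.strip().lower()
    return candidate if ATP_SHA256.match(candidate) else None


def build_whitelist_entry(data: bytes, file_name: str) -> Dict[str, str]:
    """Produce the three fields the Add to Whitelist dialog asks for."""
    digest = sha256_of_bytes(data)
    return {
        "sha256": digest,
        "match_value": digest,       # shown as the Rule Value in the Whitelist policy list
        "comment": f"{file_name} (SHA256 whitelist)",
    }


def matches_whitelist(data: bytes, entries: Iterable[Dict[str, str]]) -> bool:
    """True if the SHA-256 of data equals the (normalized) hash of any entry."""
    digest = sha256_of_bytes(data)
    return any(normalize_hash(e["sha256"]) == digest for e in entries)


# Constructed sample payload (not a real installer).
SAMPLE_FILE = b"constructed sample installer bytes for the whitelist example"

if __name__ == "__main__":
    entry = build_whitelist_entry(SAMPLE_FILE, "Block64.exe")
    print(entry)
    print(matches_whitelist(SAMPLE_FILE, [entry]))           # True
    print(matches_whitelist(SAMPLE_FILE + b"x", [entry]))    # False: one changed byte is a different file
```

The last line is the practical caveat of hash-based whitelisting that the Kaspersky section also notes: every new build of the file is a new hash, so the entry has to be refreshed on each update.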
Palo Alto Cortex XDR
- Add a new profile.
- From Cortex XDR, select Endpoints > Policy Management > Profiles > + New Profile.
- Select the platform to which the profile applies and Exceptions as the profile type.
- Click Next.
- Define the basic settings.
- Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy rule.
- To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
- Configure the exceptions profile.
To configure a Process Exception:
- Select the operating system.
- Enter the name of the process.
- Select one or more Endpoint Protection Modules that will allow this process to run. The modules displayed on the list are the modules relevant to the operating system defined for this profile. To apply the process exception on all security modules, Select all. To apply the process exception on all exploit security modules, select Disable Injection.
- Click the adjacent arrow.
- After you’ve added all processes, click Create.
You can return to the Process Exception profile from the Endpoints Profile page at any point and edit the settings, for example if you want to add or remove more security modules.
To configure a Support Exception:
- Import the JSON file you received from the Palo Alto Networks support team, either by browsing for it in your files or by dragging and dropping the file onto the page.
- Click Create.
To configure module specific exceptions relevant for the selected profile platform:
- Behavioral Threat Protection Rule Exception—When you view an alert for a Behavioral Threat event which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform and Rule name). Select Exception Scope: Profile and select the exception profile name. Click Add.
- Local Analysis Rules Exception—When you view an alert for a Local Analysis event triggered by rules which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform and Rule names). Select Exception Scope: Profile and select the exception profile name. The exception allows all the rules that triggered the alert, and you cannot choose to allow only specific rules within the alert. Click Add.
- Digital Signer Exception—When you view an alert for a Digital Signer Restriction which you want to allow in your network from now on, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Signer, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
- Java Deserialization Exception—When you identify a Suspicious Input Deserialization alert that you believe to be benign and want to suppress future alerts, right-click the alert and Create alert exception. Cortex XDR displays the alert data (Platform, Process, Java executable, and Generating Alert ID). Select Exception Scope: Profile and select the exception profile name. Click Add.
- Local File Threat Examination Exception—When you view an alert for a PHP file that you want to allow in your network from now on, right-click the alert and Create an alert exception. Cortex XDR displays the alert data (Process, Path, and Hash). Select Exception Scope: Profile and select the exception profile name. Click Add.
Cisco AMP for Endpoints
Click the Custom Exclusions button to view or edit the exclusion sets created by your organization or to create new ones.
Each row displays the operating system, exclusion set name, the number of exclusions, the number of groups using the exclusion set, and the number of computers using the exclusion set.
You can use the search bar to find exclusion sets by name, path, extension, threat name, or SHA-256. You can also filter the list by operating system by clicking on the respective tabs.
Click View All Changes to see a filtered list of the Audit Log showing all exclusion set changes.
To create a custom exclusion set, click New Exclusion Set. This will display a dialog from which you can
select whether the exclusions will be for AMP for Endpoints Windows, AMP for Endpoints Mac, or AMP
for Endpoints Linux Connectors.
Click Create. The new exclusion set is pre-filled with default exclusions.
Enter the name for the new exclusion set in the provided field.
Select the exclusion type you would like to add by clicking the empty drop-down menu. (See Exclusion Types)
After selecting the exclusion type, enter the path, threat name, file extension, process, or wild cards for file names, extensions, or paths.
Click Add Exclusion if you want to add more exclusions to the set, or if you are finished, click Save.
Click Revert Changes any time you want to revert to the last saved version of the exclusion set.
You can also quickly add multiple exclusions at a time by clicking Add Multiple Exclusions... You can then enter or
paste a list of exclusions into the following dialog, then click Add Exclusions when you are done.
Exclusion types will be automatically detected when possible and added to the exclusion set. Any
exclusions that aren’t detected will be added to the set with a blank exclusion type. For these, you must
manually select the exclusion type from the drop-down menu.
Secondary exclusion information:
Creating and managing exclusions within AMP for Endpoints is necessary to keep the performance impact minimal and to maintain application compatibility. AMP for Endpoints provides many Cisco-maintained exclusions to help organizations get set up rapidly; in most cases, however, at least some custom exclusions are still needed. To identify the custom exclusions an environment needs, collect debug diagnostic data while the endpoint is under normal operational load; the Tuning Tool then parses these diagnostic files and produces file-frequency data. Additional exclusion guidance can be found in the vendor documentation for existing endpoint security products and other popular software. For information on obtaining diagnostic files and using the Tuning Tool, see Identifying New Exclusions in the Alpha Deployment section of Cisco's AMP for Endpoints deployment documentation.
McAfee Endpoint Security – 10.7.0
- On the McAfee ePO console, select Menu → Application Control → Policy Discovery to open the Policy Discovery page.
- Click a row to review request details in the Request Details page. Each row in the Enterprise-level activity pane represents an executable file and endpoint combination.
- Click Allow Locally for a row. The Allow Locally dialog box lists one or more paths to add to the whitelist. NOTE: The Allow Locally action is available only for requests generated when you execute an application that is not in the whitelist (Application Execution activity).
- Review and customize the listed paths. For example, if you execute proc.exe on an endpoint, these paths might be listed:
  • C:\Program Files\<App Name>\proc.exe
  • C:\Program Files\<App Name>\a.dll
  • C:\Program Files\<App Name>\b.dll
  To avoid redundancy, add only the C:\Program Files\<App Name> path.
- Click OK.
Malwarebytes
- Create a new policy by navigating to Settings > Policies.
- Click New.
- Name the policy (for example, Block 64 Policy) and click Save.
- Navigate to Protection Settings and uncheck the option titled Behaviour protection. Because this policy is assigned only to the group created below, Behaviour protection is disabled only on the Block 64 host machine, not on other endpoints.
- Create a group for the Block 64 host machine by navigating to Settings > Groups.
- Select New.
- Name the group and select the policy created in step 3.
- Click Save.
- Add the Block 64 host machine to the group created in step 8: select Endpoints, select the Block 64 server, then select Action and Move.
- Select the policy created in step 3.
- Click Save.
- Navigate to Settings > Exclusions and click New.
- Enable the exclusion, enter the following values, then click Save:
  - Exclusion Type: File by path
  - Value: C:\Program Files (x86)\Block 64 Corporation\
  - Apply exclusions across all policies?: No
  - Policy: Block 64 Policy
  - Exclusions Applied To: Malware Protection, Ransomware Protection
  - Comment: Block 64 Exclusion Rule
CrowdStrike Exclusions
- Go to Groups and click Add New Group.
- Name the new group Block64, select Static by hostname as the group type, and click Add Group.
- Click the edit button.
- Click the Add Hosts button.
- Select the Block64 server and click Add.
- Click the Add Host button.
- Go to Prevention Policies and click Create a New Policy.
- Name the policy Block64 and click Create Policy.
- Click Save without making any changes, then click Enable.
- Go to the Assigned Host Groups tab and click Add Groups to Policy.
- Select the Block64 group and click Add Groups to Policy.
- Move the Block64 policy to precedence 1, so that it takes priority over any other prevention policy that also targets the Block64 host.
- Go to Exclusions and, under Machine Learning Exclusions, create a new exclusion.
- Select Groups of Hosts, add the Block64 group, and click Next.
- Select Detections and Preventions. In the Exclusion Pattern field, enter the text below and click Create Exclusion:
Program Files (x86)\Block 64 Corporation\Block 64 Discovery\**
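The Malwarebytes and CrowdStrike steps above both whitelist an entire directory under C:\Program Files (x86)\Block 64 Corporation\. A directory-wide exclusion covers every file that ever lands there, so it is worth knowing exactly what you are excluding before you create it. The script below is an added example, not code from Block 64 or from either vendor: run in an elevated PowerShell session on the Block 64 host, it lists every executable and DLL under the install path with its SHA-256 and Authenticode signer and flags anything that is not validly signed. It assumes the install path is the one used in the exclusion values above; adjust $ExclusionRoot if your installer placed the files elsewhere.

```powershell
# Added example (not Block 64's or any vendor's code): review what a directory-wide
# exclusion would actually cover before creating it in the endpoint security console.
# Assumption: the install path matches the exclusion value used in the steps above.
$ExclusionRoot = 'C:\Program Files (x86)\Block 64 Corporation\'

if (-not (Test-Path -LiteralPath $ExclusionRoot)) {
    throw "Exclusion root '$ExclusionRoot' does not exist - nothing to review"
}

# One row per binary: relative path, SHA-256 (usable for hash-based exclusions),
# signature status and signer subject (usable for signer-based exceptions).
$report = Get-ChildItem -LiteralPath $ExclusionRoot -Recurse -File -Include *.exe, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName.Substring($ExclusionRoot.Length)
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Status = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }

$report | Sort-Object Status, File | Format-Table -AutoSize

# Anything that is not validly signed deserves a second look before it is whitelisted.
$suspect = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} file(s) under the exclusion root are not validly signed:" -f $suspect.Count)
    $suspect | ForEach-Object { Write-Warning "  $($_.File) [$($_.Status)]" }
}
```

Keep the output with your change record for the exclusion: if a product supports hash- or signer-based exceptions (as the Cortex XDR Digital Signer Exception above does), the SHA256 and Signer columns give you the values for a narrower exclusion than the whole directory.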
If the CrowdStrike firewall is used on the target machines instead of the local Windows Firewall, follow these steps:
- Go to Firewall Rule Groups and click Create Rule Group.
- Name the rule group Block64 Firewall Rules Group and click Next.
- Select Empty rule group and click Create Rule.
- Click Add Rule.
- Add a firewall rule for each inbound port Block 64 requires, according to the documentation at https://block64.zendesk.com/hc/en-us/articles/10899269915927-What-ports-does-the-BlockBox-Virtual-Appliance-leverage-
The fields used to create each rule are:
- Name: a descriptive name for the rule
- Traffic direction: Inbound (all Block 64 inventory traffic arrives at the target from the Block 64 server)
- Action to take: Allow
- Protocol: TCP or UDP, matching the port
- Local port: the port opened by the rule
- Remote IP: the IP address of the Block 64 server. Scoping the rule to this single address is what keeps the opened ports from being reachable from the rest of the network.
- Network Profile: Domain
The rules for the main required ports should look like the image below.
All rules must be enabled by selecting each rule and clicking Enable.
- Click Enable Group, then click Save.
- Go to the Firewall Policies tab and click Go to Policies.
- In the Windows Policies tab, click Create New Policy.
- Name the policy Block64 Firewall Policy and click Next.
- Select Empty Policy and click Create Policy.
- Select the Enforce policy and Local logging options and click Save.
- Under Assigned Host Groups, click Add Groups to Policy.
- Assign the policy to the Block 64 target machines and click Add Groups to Policy.
- Go to Assigned Rule Groups and click Assign Rule Groups.
- Select Block64 Firewall Rules Group and click Assign to Policy.
- Go to the Settings tab and click Enable.
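For target machines that use the local Windows Firewall rather than the CrowdStrike firewall, the same rule fields map directly onto New-NetFirewallRule parameters. The script below is an added example, not code from Block 64 or CrowdStrike: run in an elevated PowerShell session on a target (or pushed through your usual configuration management), it creates one inbound, Allow, Domain-profile rule per port, scoped to the Block 64 server's address, skips rules that already exist, and then prints the resulting rule group with its port and address filters so you can confirm the scope. The server address 10.0.0.50 is a placeholder, and the port list is only an illustrative subset of the WMI/SMB/NetBIOS ports used for Windows inventory; take the authoritative list from the linked ports article.

```powershell
# Added example (not Block 64's or CrowdStrike's code): local Windows Firewall equivalent
# of the CrowdStrike rule group described above.
# Assumptions: 10.0.0.50 is a placeholder for the Block 64 server; the port list below is an
# illustrative subset - use the authoritative list from the Block 64 ports article.
$Block64Server = '10.0.0.50'
$GroupName     = 'Block64 Firewall Rules Group'

# Each entry mirrors the CrowdStrike rule fields: Name, Protocol, Local port.
# Direction is always Inbound, action Allow, remote IP the Block 64 server, profile Domain.
$Rules = @(
    @{ Name = 'Block64 WMI RPC Endpoint Mapper'; Protocol = 'TCP'; LocalPort = '135' },
    @{ Name = 'Block64 WMI Dynamic RPC';         Protocol = 'TCP'; LocalPort = '49152-65535' },
    @{ Name = 'Block64 SMB';                     Protocol = 'TCP'; LocalPort = '445' },
    @{ Name = 'Block64 NetBIOS Session';         Protocol = 'TCP'; LocalPort = '139' },
    @{ Name = 'Block64 NetBIOS Name Service';    Protocol = 'UDP'; LocalPort = '137' }
)

foreach ($r in $Rules) {
    # Idempotent: re-running the script does not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($r.Name)' already exists - skipping"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name `
        -Group $GroupName `
        -Direction Inbound `
        -Action Allow `
        -Protocol $r.Protocol `
        -LocalPort $r.LocalPort `
        -RemoteAddress $Block64Server `
        -Profile Domain `
        -Enabled True | Out-Null
    Write-Host "Created rule '$($r.Name)' ($($r.Protocol) $($r.LocalPort)) from $Block64Server"
}

# Verify: every rule in the group should be Enabled, Domain profile, and limited to the
# Block 64 server's address. A rule with RemoteAddr 'Any' has lost its scoping.
Get-NetFirewallRule -Group $GroupName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name       = $_.DisplayName
        Enabled    = $_.Enabled
        Profile    = $_.Profile
        Protocol   = $port.Protocol
        LocalPort  = $port.LocalPort
        RemoteAddr = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

If the verification table shows RemoteAddr as Any for any rule, the rule was created or later edited without the Remote IP restriction and exposes that port to the whole Domain network; fix it with Set-NetFirewallRule -DisplayName <name> -RemoteAddress <Block 64 server IP>.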
CylancePROTECT - Adding Application Exclusions
1. Log in to the Cylance Console with your administrator credentials.
2. Navigate to Settings > Policies.
3. Select the relevant policy and go to Application Control.
4. Click on Add under the Application Control Exclusions.
5. Enter the path of the application to exclude (e.g., C:\Program Files\Application\app.exe) and click Save.
6. For Memory Violations, navigate to Memory Protection and add a memory exclusion.
7. Ensure the updated policy is deployed to relevant devices.