Allowing and blocking the execution of items

Use the panels listed below according to the type of item you want to allow to run.

  • Currently blocked programs being classified: Unblock items in the process of classification.

  • Malware activity: Allow the execution of programs classified as malware.

  • PUP activity: Allow the execution of programs classified as PUPs.

  • Exploit activity: Allow the execution of exploit techniques.

  • Threats detected by the antivirus: Restore, from quarantine, items deleted by Advanced EPDR that matched a signature included in the signature file.

  • Network attacks: Allow traffic classified as dangerous by the Network Attack Protection module.

Unblocking unknown items pending classification

In general, it is not recommended to allow the execution of unclassified items, as this could pose a risk to the integrity of the company data and IT systems.

If users cannot wait for Advanced EPDR to finish classifying an item and unblock it automatically, the administrator can unblock it manually.

Unblocking an unknown item in the process of classification

To allow the execution of an unknown item in the process of classification:

  • Click Status in the menu at the top of the console. Click Security in the side panel.

  • Click the Currently blocked programs being classified panel and select the item you want to unblock from the list.

  • Click Unblock. A window opens informing you of the risk of unblocking an unknown item, along with a provisional assessment of its risk level.

  • Click Unblock. Advanced EPDR performs the following actions:

    • The item is allowed to run on all managed computers on the IT network.

    • In addition, all libraries and binary files used by the program are also allowed to run, except those already known and classified as threats.

    • The item is removed from the Currently blocked programs being classified list.

    • The item is added to the Programs allowed by the administrator list.

    • The item is added to the History of programs allowed by the administrator list.

    • Advanced EPDR continues to analyze the item until it is finally classified.

Allowing the execution of items classified as malware, PUPs, or exploits

In general, it is not recommended to allow the execution of items classified as threats, as this poses a clear risk to the integrity of the company data and IT systems.

If users need to use certain features provided by a program classified as a threat and the administrator considers that the danger posed to the integrity of the managed IT network is low, the administrator can allow the program to run.

Allowing a threat to run

To allow the execution of a program classified as malware, PUP, or exploit:

  • Click Status in the menu at the top of the console. Click Security in the side panel.

  • Click the Malware/PUP/Exploit activity panel and select the threat that you want to allow to run.

  • Click the icon in the Action field. A window opens explaining the action taken by Advanced EPDR.

  • Click the Do not detect again link. Advanced EPDR performs the following actions:

    • The item is allowed to run on all computers managed by the administrator. With exploits, you allow the execution of the specific exploit technique that was used on the specific vulnerable program.

    • In addition, all libraries and binary files used by the program are also allowed to run, except those already known and classified as threats.

    • The item is added to the Programs allowed by the administrator list.

    • The item stops generating incidents in the Malware/PUP/Exploit activity panels.

Restoring programs classified as viruses and stopping their detection

If users need to use certain features provided by a program classified as a threat by the signature file, and the administrator considers that the danger posed to the integrity of the managed IT network is low, the administrator can allow the program to run.

Restore and do not detect a threat again

To restore deleted programs from the quarantine/backup area and not detect them again:

  • Click Status in the menu at the top of the console. Click Security in the side panel.

  • Click the Threats detected by the antivirus panel and select the item that you want to allow to run.

  • Click the icon in the Action field. A window opens explaining the action taken by Advanced EPDR.

  • Click the Restore and do not detect again link. Advanced EPDR performs the following actions:

    • The item is copied from the quarantine/backup area to its original location on the computers on the IT network.

    • The item is allowed to run and will not generate any detections.

    • The program is added to the Programs allowed by the administrator list.

Stopping the detection of suspicious network traffic

Do not detect a network attack again

If you believe that the blocked traffic is not dangerous, you can allow it by creating an exclusion for the source IP address and the attack types that you consider not to pose a threat.

After the exclusion has been defined, it is applied to all computers managed by Advanced EPDR.

To avoid blocking traffic marked as dangerous by the Network Attack Protection:

  • Select Status in the top menu. Select Security in the side panel.

  • Click the Network Attack Activity panel. Select the type of network attack you want to allow.

  • Click the icon in the Action field. A window opens explaining the action taken by Advanced EPDR.

  • Click the Do not detect again link. The Do not detect again window opens with the source IP address and type of attack in the Network attack field.

  • In Allow this type of network attack only from the following IPs, enter the source IP addresses from which you want to allow inbound traffic of the attack type specified in Network attack. You can enter individual IP addresses separated by commas, or IP address ranges separated by a dash. If you want to allow any IP address to send traffic of the specified attack type, leave the text box empty.

  • Click Do not detect again. Advanced EPDR performs these actions:

    • It allows inbound traffic corresponding to the type of attack specified in the Network attack field to enter the network if the source IP address is on the list.

    • This traffic does not generate detections.

    • The type of attack is included in the Programs allowed by the administrator list.
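The exclusion format described above (comma-separated IP addresses, ranges written as start-end, an empty box meaning any source), worked through as an added example that is not Advanced EPDR's own code: a small matcher that decides whether a detection event falls under such an exclusion. The attack-type names, the text-box value and the events are constructed placeholders.

```python
import ipaddress

# Constructed sample: the value typed into "Allow this type of network attack only
# from the following IPs" and three detection events to evaluate. The attack-type
# names are placeholders, not real Advanced EPDR categories.
EXCLUSION = {"attack_type": "example-attack-type",
             "sources": "10.0.0.5, 192.168.1.10-192.168.1.20"}
EVENTS = [
    {"attack_type": "example-attack-type", "source_ip": "192.168.1.15"},  # in range
    {"attack_type": "example-attack-type", "source_ip": "192.168.1.21"},  # outside range
    {"attack_type": "other-attack-type", "source_ip": "10.0.0.5"},        # other attack type
]

def parse_allowed_sources(text):
    """Parse the IP text box as the page describes it: comma-separated entries,
    each a single IP or a start-end range. An empty box returns None (any source)."""
    text = text.strip()
    if not text:
        return None
    ranges = []
    for entry in filter(None, (e.strip() for e in text.split(","))):
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {entry!r}")
        else:
            lo = hi = ipaddress.ip_address(entry)
        ranges.append((lo, hi))
    return ranges

def source_allowed(source_ip, ranges):
    """True if source_ip lies inside any parsed range, or if ranges is None (empty box)."""
    if ranges is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)

def exclusion_applies(event, exclusion):
    """A detection is suppressed only when both the attack type and the source IP
    match the exclusion; everything else stays blocked and keeps generating detections."""
    if event["attack_type"] != exclusion["attack_type"]:
        return False
    return source_allowed(event["source_ip"], parse_allowed_sources(exclusion["sources"]))

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", "allowed" if exclusion_applies(ev, EXCLUSION) else "still blocked")
```

The matcher rejects a range whose start is above its end, which is the kind of typo that would otherwise silently allow nothing or everything.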

Stopping allowing the execution of previously allowed items

To block a previously allowed item again:

  • Select Status in the top menu. Select Security in the side panel.

  • In the Detected items allowed by the administrator list, click the icon to the right of the item that you want to stop allowing to run.

After you click the icon, Advanced EPDR performs these actions:

  • The item is removed from the Detected items allowed by the administrator list.

  • An entry is added to the History of items allowed by the administrator list, with the Action column showing Exclusion removed by the user as its value.

  • The item appears again in the corresponding list:

    • Malware activity

    • PUP activity

    • Exploit activity

    • Threats detected by the antivirus

    • Network attack activity

  • The item reappears in the Threats detected by the antivirus list.

  • The item generates incidents again.

  • If the item is an unknown item in the process of classification, it reappears in the Currently blocked programs being classified list.