Issue:
How to create or add an Elements Endpoint Protection Application Control exclusion rule when an application has been blocked, for example by a default rule.
Resolution:
If an application has been blocked by an Application Control rule, first check the block details on the Security Events page of the Elements Endpoint Protection portal so that you can create an exclusion based on that information.
How to view detection details:
- Log in to the Elements Endpoint Protection portal
- Go to the Security Events page
You can filter the Security Events page to only show Application Control events by adding a "Source equals Application control" filter.
Open the Application Control block details by clicking the blue downwards arrow on the left side of the detection to view all the details. You can copy and paste the details into a text editor to use them later when creating the exclusion rule.
Note: If multiple applications are being blocked by the same Application Control rule, you need to create a separate exclusion rule for each application. Do not, for example, add condition paths for several applications to one rule.
How to create the Application Control exclusion rule:
- Log in to the Elements Endpoint Protection portal
- Go to the Profiles page
- Select the profile which is in use on the devices
- Go to the Application Control settings page
- Click Add a new top rule
- Note: The rules in the table are applied in priority order: rules are checked from top to bottom, so the exclusion needs to be at the top.
- Add the following:
  - Rule name, for example: Exclusion for application x
  - Event type: select the same type as shown in the detection
  - Action: select Allow
  - Add a condition. Use the block details you saved to a text editor to check which details need to be used. For example: Target path contains C:\Example\Example.exe
  - Note: If you add multiple conditions, the conditions are based on the AND principle. All conditions must apply for the rule to take effect. When adding multiple conditions, add each condition one by one and test between each added condition.
- Click Save and publish
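The two notes above (top-to-bottom priority and AND conditions) can be checked with a small model. This is an added example, not WithSecure code: it assumes the first matching rule decides the outcome, and the event type string, the block rule, and the "Parent path" attribute are constructed for illustration.

```python
# Simplified model of the rule table described above (assumption, not product code):
# rules are checked top to bottom, the first matching rule decides, and a rule
# matches only when ALL of its conditions hold (AND).

def condition_holds(event, cond):
    attribute, operator, value = cond
    actual = event.get(attribute, "").lower()  # paths compared case-insensitively here
    if operator == "contains":
        return value.lower() in actual
    raise ValueError(f"unsupported operator: {operator}")

def evaluate(rules, event, default="allow"):
    """Return (action, rule name) for the first rule that matches the event."""
    for rule in rules:
        if rule["event_type"] != event["event_type"]:
            continue
        if all(condition_holds(event, c) for c in rule["conditions"]):
            return rule["action"], rule["name"]
    return default, None

EVENT_TYPE = "example-event-type"  # constructed placeholder; use the type shown in the detection

# Constructed stand-in for the rule that produced the block.
BLOCK_RULE = {"name": "Constructed block rule", "event_type": EVENT_TYPE,
              "action": "block",
              "conditions": [("Target path", "contains", r"C:\Example")]}

# The exclusion from the steps above.
EXCLUSION = {"name": "Exclusion for application x", "event_type": EVENT_TYPE,
             "action": "allow",
             "conditions": [("Target path", "contains", r"C:\Example\Example.exe")]}

# Same exclusion with a second condition ("Parent path" is a hypothetical attribute).
TWO_CONDITIONS = dict(EXCLUSION, conditions=EXCLUSION["conditions"] +
                      [("Parent path", "contains", r"C:\Tools")])

# Constructed events, shaped like the copied block details.
APP_EVENT = {"event_type": EVENT_TYPE, "Target path": r"C:\Example\Example.exe",
             "Parent path": r"C:\Windows\explorer.exe"}
OTHER_EVENT = dict(APP_EVENT, **{"Target path": r"C:\Example\Other.exe"})

if __name__ == "__main__":
    print("exclusion below block rule:", evaluate([BLOCK_RULE, EXCLUSION], APP_EVENT))
    print("exclusion on top:          ", evaluate([EXCLUSION, BLOCK_RULE], APP_EVENT))
    print("other application:         ", evaluate([EXCLUSION, BLOCK_RULE], OTHER_EVENT))
    print("second condition not met:  ", evaluate([TWO_CONDITIONS, BLOCK_RULE], APP_EVENT))
```

The last case shows why each added condition should be tested on its own: one condition that does not match the event keeps the whole exclusion from taking effect, and the application stays blocked.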
Article no: 000014115