Apply and view whitelist policy to server

After you create an application whitelist policy, you can apply it to a server that requires special protection. Cloud then scans for suspicious or malicious programs on the server and generates alerts for programs that are not in the application whitelist.

Operation Steps

  1. On the product management page, choose "Threat Detection Service".

  2. In the left-side navigation pane, click "Application Whitelists".

  3. On the "Application Whitelist" page, click the Server tab, then click Add server.

  4. On the Add Server panel, configure the following parameters:

  • Whitelist Policy: Select the created application whitelist policy from the drop-down list.
  • Event Handling: The default value is Alert, which indicates that Cloud generates an alert when a suspicious program is detected. If a program that is not in the application whitelist starts, Cloud automatically generates an alert. You can click the number in the Suspicious Events column to go to the Alerts tab of the server details page and view the alert details.
  • Servers: Select the server to which you want to apply the application whitelist policy. You can select multiple servers. To search for a server, enter the server name in the Servers search box and click the search icon. Fuzzy match is supported.
  5. Click OK. The application whitelist policy is applied to the selected servers.
  6. View the protected servers and the name of the application whitelist policy in the server list on the Servers tab.

The Servers tab displays the following information about a protected server:

  • Server Name/IP: the name and IP address of the server to which the application whitelist policy is applied.
  • Whitelist Policy: the name of the application whitelist policy that is applied to the server.
  • Suspicious Events: the number of programs that are not in the application whitelist and have started. If a suspicious program starts on the server, Cloud detects the program and generates an alert.
  • Event Handling: The default value is Alert, which indicates that Cloud generates an alert when a suspicious program is detected. If a program that is not in the application whitelist starts, Cloud automatically generates an alert. You can click the number in the Suspicious Events column to go to the Alerts tab of the server details page and view the alert details.
  • Actions: After you click Delete in the Actions column, the server is removed from the application whitelist policy and the policy becomes invalid for the server. In this case, if a program that is added to the application whitelist starts on this server, Cloud generates an alert.
  7. Click a policy name in the Whitelist Policy column to view the programs running on the server.

  8. View the numbers of trusted, suspicious, and malicious programs and their detailed information on the right panel.

The following information about each program on the server is displayed:

  • Type: the type of the program. Programs are classified into trusted, suspicious, and malicious programs.

  • Process Name: the name of the program.

  • Hash: the hash value of the program. The hash value is used to identify whether a program is unique. This helps protect servers against malicious programs.

  • Path: the file path of the program on the server.

  • Degree of Trustability: the degree of trustability for the program. The value of this parameter is determined by Cloud. Valid values: 0%, 60%, and 100%. The value 0% indicates malicious programs, 60% indicates suspicious programs, and 100% indicates trusted programs.

  • Actions: the operations that can be performed on the program. You can determine whether to add the program to the whitelist based on the services deployed on your server. You can perform the following operations:

    • Add to Whitelist: If you trust the program, add it to the whitelist.
    • Remove from Whitelist: After you remove the program from the whitelist, Cloud identifies the program as untrusted. If this program starts, Cloud generates an alert.
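
The following sketch is an added example, not code from the product. It shows why the Hash column matters when the Alert handling described above is applied: a program start is matched by the hash of the file contents, so a modified binary at a trusted path still raises an alert. It assumes matching by hash only and SHA-256; the page states neither, and all names and byte strings are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    name: str     # Process Name column
    path: str     # Path column
    image: bytes  # executable contents (constructed sample bytes below)


def program_hash(image: bytes) -> str:
    # Assumption: SHA-256. The page does not say which algorithm is used.
    return hashlib.sha256(image).hexdigest()


def evaluate(events, whitelist):
    """Return one alert per program start whose hash is not whitelisted."""
    alerts = []
    for ev in events:
        digest = program_hash(ev.image)
        if digest not in whitelist:
            alerts.append({"process": ev.name, "path": ev.path,
                           "hash": digest, "handling": "Alert"})
    return alerts


# Constructed sample data: byte strings stand in for executable files.
TRUSTED = b"constructed web server build 1"
MODIFIED = b"constructed web server build 1 + extra bytes"
UNKNOWN = b"constructed unknown tool"

WHITELIST = {program_hash(TRUSTED)}

EVENTS = [
    ProcessStart("webserver", "/usr/sbin/webserver", TRUSTED),   # whitelisted
    ProcessStart("renamed", "/opt/app/renamed", TRUSTED),        # same bytes, same hash
    ProcessStart("webserver", "/usr/sbin/webserver", MODIFIED),  # same name and path, new hash
    ProcessStart("tool", "/tmp/tool", UNKNOWN),                  # never whitelisted
]

if __name__ == "__main__":
    for alert in evaluate(EVENTS, WHITELIST):
        print(alert["process"], alert["path"], alert["hash"][:12], alert["handling"])
    # "Remove from Whitelist": with the hash removed, every start alerts.
    print(len(evaluate(EVENTS, set())), "alerts with an empty whitelist")
```

The count of returned alerts corresponds to the Suspicious Events number in this model.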