Create Whitelist policies for files and external computers so that Symantec Advanced Threat Protection (ATP) explicitly allows access to them regardless of their reputation. When you whitelist an item, ATP considers it "trusted" and takes no action on it. For example, if you whitelist a file, ATP does not inspect that file nor does it request a reputation score for it. Whitelisting trusted files and external computers can conserve scanning resources and reduce the number of events that ATP creates. It can also eliminate false negatives.

Create a Whitelist policy to do any of the following:

Allow explicit access to an external computer:

When you whitelist an external computer, ATP considers it trustworthy. ATP does not inspect traffic to or from the external computer (even if it's blacklisted). You can whitelist an external computer based on its IP address or subnet, domain, or URL.

ATP permits access to whitelisted computers in the following ways:

  • IP address and IP subnet

    If you whitelist an IP address, ATP bypasses all traffic inspection to and from that IP address. However, it continues to inspect the traffic that is associated with other IP addresses on the same subnet of that IP address.

  • Domain

    If you whitelist a domain, ATP allows access to any sub-domains and URLs associated with that domain.

  • URL

    If you whitelist a URL, ATP allows access to any sub-pages (including files) associated with that URL.

Allow explicit access to a file:

You create a Whitelist policy for a file based on its SHA256 hash value or URL. If you whitelist a file based on its SHA256 hash value, ATP allows access to it on any external computer. If you whitelist a file based on its URL, ATP allows explicit access to it on that site only.

When you whitelist a file, ATP considers it trustworthy regardless of its identity as a known threat or its reputation. When an endpoint accesses a whitelisted file, ATP takes no action against it. For example, if Symantec Endpoint Protection is configured to use your ATP proxy, ATP does not block the file (even if it's blacklisted). If Symantec Endpoint Protection is not configured to use your ATP proxy, ATP does not generate a detection event.

See Importing policies and exporting policies in bulk.

You must have the Admin role or Controller role to create Whitelist policies.

To create a Whitelist policy

  1. In ATP Manager, click Policies > Whitelist.

  2. Click the plus sign and select Add to Whitelist.

  3. In the Add to Whitelist dialog box, click the Type drop-down list and select one of the following:

    • IP

    • Domain

    • URL

    • SHA256

      The SHA256 hash value must be 64 characters with values ranging between 0 - 9 and a - f.

    Note:

    You cannot edit the Type or Match Value of a whitelisted item after you add it. However, you can delete it or edit the comment.

    See Managing policies.

  4. In the Match Value field, type the value of the whitelisted item based on the type that you selected.

    ATP validates the value based on its type. The Match Value appears in the Whitelist policy list as the Rule Value.

    See Supported policy match values for IP addresses, domains, and URLs.

  5. Optionally, type a comment in the Comment field.

    For example, you may want to specify the file name for SHA256 hash.

  6. Click Save.

Legacy ID: v97220779_v127312507

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.