You can create Whitelist policies for files and external computers so that Symantec Advanced Threat Protection (ATP) explicitly allows access to them regardless of their reputation. When you whitelist an item, ATP considers it "trusted" and takes no action on it. For example, if you whitelist a file, ATP does not inspect that file nor does it request a reputation score for it. Whitelisting trusted files and external computers can conserve scanning resources and reduce the number of events that ATP creates. It can also eliminate false negatives.
Create a Whitelist policy to do any of the following:
Allow explicit access to an external computer
When you whitelist an external computer, ATP considers it trustworthy and does not inspect traffic to or from it from your endpoints (even if it's blacklisted). You can whitelist an external computer based on its IP address or subnet, domain, or URL.
ATP permits access to whitelisted computers in the following ways:
IP address and IP subnet
If you whitelist an IP address, ATP bypasses all traffic inspection to and from that IP address. However, it continues to inspect the traffic that is associated with other IP addresses on the same subnet of that IP address.
If you whitelist a domain, ATP allows access to any sub-domains and URLs associated with that domain.
If you whitelist a URL, ATP allows access to any sub-pages (including files) associated with that URL.
Allow explicit access to a file
You create a Whitelist policy for a file based on its SHA256 hash value or URL. If you whitelist a file based on its SHA256 hash value, ATP allows access to it on any external computer. If you whitelist a file based on its URL, ATP allows explicit access to it on that site only.
When you whitelist a file, ATP considers it trustworthy regardless of its identity as a known threat or its reputation. When an endpoint accesses a whitelisted file, ATP takes no action against it. For example, if Symantec Endpoint Protection is configured to use your ATP proxy, ATP does not block the file (even if it's blacklisted). If Symantec Endpoint Protection is not configured to use your ATP proxy, ATP does not generate a detection event.
You must have the Admin role or Controller role to create Whitelist policies.
To create a Whitelist policy
In ATP Manager, click Policies > Whitelist > + Add to Whitelist.
Click the plus sign and select Add to Whitelist.
In the Add to Whitelist dialog box, click the Type drop-down list and select one of the following:
The SHA256 hash value must be 64 characters with values ranging between 0 - 9 and a - f.
You cannot edit the Type or Match Value of a whitelisted item after you add it. However, you can delete it or edit the comment.