Create Whitelist policies for files and external computers so that Symantec Advanced Threat Protection (ATP) explicitly allows access to them regardless of their reputation. When you whitelist an item, ATP considers it "trusted" and takes no action on it. For example, if you whitelist a file, ATP does not inspect that file nor does it request a reputation score for it. Whitelisting trusted files and external computers can conserve scanning resources and reduce the number of events that ATP creates. It can also eliminate false negatives.
Create a Whitelist policy to do any of the following:
Allow explicit access to an external computer:
When you whitelist an external computer, ATP considers it trustworthy. ATP does not inspect traffic to or from the external computer (even if it's blacklisted). You can whitelist an external computer based on its IP address or subnet, domain, or URL.
ATP permits access to whitelisted computers in the following ways:
IP address and IP subnet
If you whitelist an IP address, ATP bypasses all traffic inspection to and from that IP address. However, it continues to inspect the traffic that is associated with other IP addresses on the same subnet of that IP address.
If you whitelist a domain, ATP allows access to any sub-domains and URLs associated with that domain.
If you whitelist a URL, ATP allows access to any sub-pages (including files) associated with that URL.
Allow explicit access to a file:
You create a Whitelist policy for a file based on its SHA256 hash value or URL. If you whitelist a file based on its SHA256 hash value, ATP allows access to it on any external computer. If you whitelist a file based on its URL, ATP allows explicit access to it on that site only.
When you whitelist a file, ATP considers it trustworthy regardless of its identity as a known threat or its reputation. When an endpoint accesses a whitelisted file, ATP takes no action against it. For example, if Symantec Endpoint Protection is configured to use your ATP proxy, ATP does not block the file (even if it's blacklisted). If Symantec Endpoint Protection is not configured to use your ATP proxy, ATP does not generate a detection event.