SEP Create Exception Policy

Orhan Öztaş
Feb 25, 2024

As an SEP admin, you sometimes need to exclude legitimate applications in your environment. Server owners may request an MSSQL or Cisco Jabber exception for their servers. In that case you can use this guide to create the exception.

In this article I will cover File, Folder and Hash exceptions.

SEPManager and SEP Client version: 14.3 RU8 Build 10148

Test file: Mimikatz.exe

We will start by displaying the block log for mimikatz.exe from the SEP Client without any exception rule. We downloaded mimikatz.exe inside a compressed file. After that we unzip that file.

As the screenshot shows, the SEP Client successfully blocks mimikatz.exe and its other dependencies.

Folder Exception

We will create a Test1 folder inside the download folder and add an exception for this folder.

We choose Add -> Windows Exceptions -> Folder and can start writing the first exception rule for our application.

On this screen we can specify a Prefix Variable such as “Program Files”. We will leave this field set to NONE.

Important Note: If you add a wildcard such as “*” or “?”, you cannot choose the exclude option “All”. Because of this, if SONAR detects any malicious activity from your file, you cannot execute the file.

Without a wildcard, you can execute every file and all dependency files inside the Test1 folder.

Nothing inside this folder is blocked.

File Exception

We will add an exception for this file using the Exception field in SEPManager.

We choose Add -> Windows Exceptions -> File and can write a file exception rule for our application.

In the File field we enter our file name together with its path. Without the path, the exception rule will not work for this application. We will exclude the file from Application Control, Security Risk and SONAR. After that we specify which kinds of scan the exception applies to. Then we can leave this page by clicking OK.

After writing the rule we check whether our application can execute. In this case we unzip our Mimikatz.zip file to the path specified in the exception rule.

With that exception rule in place we can reach our mimikatz.exe. Most dependencies were deleted by SEP, but our x64 mimikatz.exe stays at our file location.

Hash Exception

We choose Add -> Windows Exceptions -> File and can write a hash exception rule for our application.

Use certutil.exe to get the SHA-256 hash value of mimikatz.exe.

After that we add that SHA-256 hash to our rule.

We do not need to specify a file location for this exception. We can execute our application wherever we want.

We executed our application successfully.
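The certutil step above as a PowerShell function, added here as an example and not part of the original article: it pulls the digest out of certutil's output, cross-checks it against Get-FileHash, and returns the value to paste into the hash exception rule. The function name Get-Sha256ForException and the sample file are constructed for illustration.

```powershell
# Added example: function name and sample file are constructed for illustration.
function Get-Sha256ForException {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # certutil prints a header line, the digest, then a status line.
    $raw = & certutil.exe -hashfile $file.FullName SHA256
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed for $($file.FullName): $($raw -join ' ')"
    }

    # Some Windows builds print the digest with spaces between bytes,
    # so strip whitespace before looking for 64 hex characters.
    $fromCertutil = $raw |
        ForEach-Object { ($_ -replace '\s', '').ToLowerInvariant() } |
        Where-Object { $_ -match '^[0-9a-f]{64}$' } |
        Select-Object -First 1
    if (-not $fromCertutil) {
        throw "No SHA-256 digest found in certutil output"
    }

    # Independent second computation; a mismatch means the file changed
    # between the two reads or the output was parsed wrongly.
    $fromPs = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
    if ($fromPs -ne $fromCertutil) {
        throw "Hash mismatch: certutil=$fromCertutil Get-FileHash=$fromPs"
    }

    [pscustomobject]@{
        Path             = $file.FullName
        Sha256           = $fromCertutil
        SizeBytes        = $file.Length
        LastWriteTimeUtc = $file.LastWriteTimeUtc
    }
}

# Constructed sample input so the example runs without any real application.
$sample = Join-Path $env:TEMP 'sep-hash-example.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]](1..64))
Get-Sha256ForException -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

A SHA-256 value identifies one exact set of bytes, so an updated build of the application has a different hash and needs a new value in the rule.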

Thank you for your support. If you follow my profile, I will be more motivated to write such articles.
