Managing Anti-Malware Exceptions

This article explains how to list files and create rules that bypass the Anti-Malware inspection engines (Anti-Malware and Next Gen Anti-Malware), and how to block a file from running.

Overview

Cato’s Anti-Malware engines scan WAN and Internet traffic to block malicious files and protect your network. You can allow specific files or traffic to bypass inspection, making them always accessible to users, or prevent users from accessing specific files. This provides precise control over file access, allowing legitimate business operations while enforcing your security policies.

Based on your requirements, you can manage these exceptions to the Anti-Malware policy using any of these options to define:

  • Protection Policy: Traffic that is either always allowed or blocked

  • File Hash Policy: Files, identified by their SHA-256 file hash, that either bypass Anti-Malware inspection or are blocked from running. Files added to the File Hash Policy are also excluded from the App & Data API Protection

  • Bypass List: Define the traffic that bypasses Anti-Malware inspection

Adding a Rule to the Protection Policy

The Protection Policy lets you create rules that define traffic that is either always allowed or always blocked by the Anti-Malware scans. This lets you create granular rules for WAN, Internet, or all traffic based on the source, traffic type, or verdict.

Rules in the Protection Policy can be disabled or re-enabled as required.


To add a rule to the Protection Policy:

  1. From the navigation menu, select Security > Anti-Malware.

  2. On the Protection Policy tab, click New.

  3. Choose the Name, Rule Order, and Scope of the rule.

  4. Configure the Scope, What, Verdict, and Action for the rule.

  5. Click Apply, and then click Save.

Adding a File to the File Hash Policy

The File Hash Policy lets you add up to 100 SHA-256 file hashes so that the files either bypass Anti-Malware inspection or are blocked from running. This enables you to block file hashes you have identified as malicious. Files added to the File Hash Policy are also excluded from the App & Data API Protection.

Note: The file identified by the File Hash must meet the Anti-Malware File Requirements. For more information, see What is the Cato Anti-Malware Policy?


To add a file to the File Hash Policy:

  1. From the navigation menu, select Security > Anti-Malware.

  2. On the File Hash Policy tab, click New.

  3. Choose to add a new rule. (You can also add a new section to manage your rules.)

  4. Choose a File Name and enter the SHA-256 File Hash.

  5. Set the Duration and Action.

  6. Click Save.
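As an added example (not from the Cato article or product), the following Python script computes the SHA-256 you enter in step 4 and checks a locally maintained copy of the File Hash Policy against the limits the article states: a well-formed SHA-256 digest per entry, no duplicates, and at most 100 entries. The entry fields, the "bypass"/"block" action names, the use of an expiry time to model Duration, and first-match, case-insensitive evaluation are assumptions for illustration, not Cato's implementation.

```python
import hashlib
import re
from datetime import datetime, timezone

MAX_FILE_HASH_ENTRIES = 100                 # limit stated in the article
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")   # 64 hex digits, compared lowercase

def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def validate_policy(entries: list) -> bool:
    """Check a local copy of the policy; entries are {"name", "sha256", "action", "expires"} (assumed shape)."""
    if len(entries) > MAX_FILE_HASH_ENTRIES:
        raise ValueError(f"policy holds at most {MAX_FILE_HASH_ENTRIES} hashes")
    seen = set()
    for e in entries:
        h = e["sha256"].lower()
        if not SHA256_RE.match(h):
            raise ValueError(f"{e['name']}: not a SHA-256 hex digest")
        if e["action"] not in ("bypass", "block"):
            raise ValueError(f"{e['name']}: unknown action {e['action']!r}")
        if h in seen:
            raise ValueError(f"{e['name']}: duplicate hash")
        seen.add(h)
    return True

def evaluate(file_hash: str, entries: list, now: datetime = None) -> str:
    """'bypass' or 'block' from the first unexpired matching entry, else 'scan' (normal
    inspection). Assumed: case-insensitive match; an elapsed Duration disables the entry."""
    now = now or datetime.now(timezone.utc)
    for e in entries:
        if e["sha256"].lower() == file_hash.lower() and not (e["expires"] and e["expires"] <= now):
            return e["action"]
    return "scan"

# Constructed sample data: not real files and not real indicators.
SAMPLE_HASH = hashlib.sha256(b"constructed bytes standing in for an installer").hexdigest()
POLICY = [
    {"name": "internal-installer.exe", "sha256": SAMPLE_HASH, "action": "bypass", "expires": None},
    {"name": "known-bad.bin", "sha256": "cd" * 32, "action": "block",
     "expires": datetime(2100, 1, 1, tzinfo=timezone.utc)},  # still within its Duration
    {"name": "retired-block.bin", "sha256": "ab" * 32, "action": "block",
     "expires": datetime(2020, 1, 1, tzinfo=timezone.utc)},  # Duration already elapsed
]
```

Run `validate_policy(POLICY)` before copying entries into the console; an entry whose Duration has elapsed no longer affects the verdict, so the file falls back to normal scanning.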

Adding a Rule to the Bypass List

The Bypass List lets you define the traffic that bypasses Anti-Malware inspection. This lets you create granular rules for WAN, Internet, or all traffic based on the source and traffic type. The Anti-Malware engines apply the rules in the Bypass List before the rules in the Anti-Malware Protection Policy, so any traffic that matches a rule in the Bypass List always bypasses the Anti-Malware scans.

Rules in the Bypass List can be disabled or re-enabled as required.


To add a rule to the Bypass List:

  1. From the navigation menu, select Security > Anti-Malware.

  2. On the Bypass List tab, click New.

  3. Choose the Name, Rule Order, and Scope of the rule.

  4. Configure the Scope and What for the rule.

  5. Click Apply, and then click Save.
