If suspicious processes attempt to make unauthorized file changes, the tamper protection feature helps you detect these changes and block the processes in real time. If a blocked process is required by your workloads, you can add the process to the tamper protection whitelist to allow it. This topic describes how to add a process blocked by the tamper protection feature to the whitelist.

Background information

You can add multiple processes to a whitelist.
Note: The whitelist feature is available for both Windows and Linux servers.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Defense > Tamper Protection.
  3. In the list of alerts on the Protection page, find or search for the file change alert that you want to manage, and copy the process path and the name and IP address of the affected asset.
  4. You can use either of the following methods to add the process to the whitelist:
    Warning: Attackers may exploit the processes in the whitelist to intrude into your servers. Proceed with caution when you add a process to the whitelist.
    • Manage the whitelist on the alert list on the Protection page.

      On the alert list, find the process that you want to add to the whitelist and click Add to Whitelist in the Actions column for the process.

      A process may run on multiple servers or in multiple directories on the same server. If you want to add this process to the whitelist, select Process servers with the same process at the same time.

      After you add a process to the whitelist, the process status becomes Added. To remove the process from the whitelist, click Cancel whitelist in the Actions column for the process. You can remove multiple processes from the whitelist at a time.

    • Manage the whitelist on the Process Management page.
      1. Click the number under Whitelist in the protection status statistics module to expand the Process Management page.
        This number indicates the number of processes added to the whitelist. These processes may run on different servers. As a result, one process may have multiple whitelist entries.
      2. Click Enter the whitelist in the upper-left corner of the Process Management page.

        The Process Management page contains the Blocking Process list and the Whitelist list.

        • The Blocking Process list shows all the suspicious processes blocked by the tamper protection feature.
        • The Whitelist list shows all the processes that are added to the whitelist.
      3. In the Enter the process whitelist dialog box, enter the path of the process and the name and IP address of the server on which the process runs, and then click OK.

        After you add a process to the whitelist, you can view the process on the Process Management page. The status of the process is Whitelist. To remove the process from the whitelist, find the process on the Process Management page and click Cancel whitelist in the Actions column for the process.

What to do next

On the Process Management page, the Whitelist list shows information about all processes added to the whitelist, including the servers on which each process is running, the paths where the processes are located, and the number of file write attempts.