Kaspersky Anti Targeted Attack Platform

Managing the list of scan exclusions

Users with the Senior security officer role can create, import and export the list of scan exclusions, that is, the list of data that Kaspersky Anti Targeted Attack Platform treats as safe and does not display in the alerts table. You can create scan exclusion rules for the following data:

  • MD5
  • Format
  • URL mask
  • Email recipient
  • Email sender
  • Source IP or subnet
  • Destination IP or subnet
  • User Agent

Users with the Security auditor and Security officer roles can view the list of scan exclusion rules, as well as export it.

In this section

Viewing the table of data excluded from the scan

Adding a scan exclusion rule

Deleting a scan exclusion rule

Editing a rule added to scan exclusions

Exporting the list of data excluded from the scan

Filtering rules in the scan exclusion list by criterion

Searching rules in the scan exclusion list by value

Resetting the rule filter in the scan exclusion list


Viewing the table of data excluded from the scan

To view the table with data excluded from the scan:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the Scan exclusions tab.

This opens the table with a list of data that Kaspersky Anti Targeted Attack Platform will treat as safe and will not create alerts for. You can filter the rules by clicking links in column headers.

The table contains the following information:

  • Criteria—Criterion for adding an entry to the list of allowed objects.
  • Value—Value of the criterion.

Adding a scan exclusion rule

To add a rule to scan exclusions:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the Scan exclusions tab.
  3. In the upper-right corner of the program web interface window, click Add.

    This opens the New rule window.

  4. In the Criteria drop-down list, select one of the following criteria for adding a rule to the list of scan exclusions:
    • MD5
    • Format
    • URL mask
    • Email recipient
    • Email sender
    • Source IP or subnet
    • Destination IP or subnet
    • User Agent
  5. If you selected Format, select the file format that you want to add from the Value drop-down list.

    For example, you can select the MSOfficeDoc format.

  6. If you selected MD5, URL mask, Email recipient, Email sender, Source IP or subnet, Destination IP or subnet, or User Agent, in the Value field, enter the value of the relevant criterion that you want to add to the list of scan exclusions:
    • If you selected MD5, enter the MD5 hash of the file in the Value field.
    • If you selected URL mask, enter the URL mask in the Value field.

      You can use the following special characters in the mask:

      * – any sequence of characters.

      Example:

      If you enter *abc* as the mask, the program considers as safe any URL that contains the sequence abc. For example, www.example.com/download_virusabc

      ? – any single character.

      Example:

      If you enter example_123?.com as the mask, the program considers as safe any URL that contains the given character sequence and any character following 3. For example, example_1234.com

      If the * or ? characters are part of the full URL that you want to add to the list of scan exclusions, use the \ character when entering the URL to escape a single *, ?, or \ character that follows it.

      Example:

      You need to add the following URL as a trusted address: www.example.com/download_virus/virus.dll?virus_name=

      You do not want the program to treat ? as a special mask character so you put a \ character before the ? character.

      The URL added to the list of scan exclusions looks as follows: www.example.com/download_virus/virus.dll\?virus_name=

    • If you selected Email recipient or Email sender, enter the email address in the Value field.
    • If you selected User Agent, enter the User agent header of HTTP requests containing browser information in the Value field.
    • If you selected Source IP or subnet or Destination IP or subnet, enter the address or subnet (for example, 255.255.255.0) in the Value field.

    In the URL mask, Email recipient, and Email sender fields, you can enter domain names containing Cyrillic characters. In this case, the address is converted to Punycode and processed in accordance with program settings.

  7. Click Add.

The rule is added to the scan exclusion list.

Users with the Security auditor and Security officer roles cannot add a scan exclusion rule.
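
The URL mask syntax from step 6 can be checked before a rule is saved. The following is an added example, not code from Kaspersky or from this Help page: it implements the *, ? and \ rules described above, assuming the mask must cover the whole URL (the program's own matching may differ), and the warning thresholds in review_mask are illustrative.

```python
import re

def tokenize(mask):
    """Split a mask into ('any' | 'one' | 'lit', char) tokens, honouring backslash escapes."""
    tokens, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch == "\\" and i + 1 < len(mask) and mask[i + 1] in "*?\\":
            tokens.append(("lit", mask[i + 1]))  # escaped *, ? or \ is a literal
            i += 2
            continue
        tokens.append(({"*": "any", "?": "one"}.get(ch, "lit"), ch))
        i += 1
    return tokens

def mask_matches(mask, url):
    """Assumption: the mask must cover the whole URL (anchored match)."""
    parts = {"any": lambda c: ".*", "one": lambda c: ".", "lit": re.escape}
    pattern = "".join(parts[kind](ch) for kind, ch in tokenize(mask))
    return re.fullmatch(pattern, url, re.DOTALL) is not None

def review_mask(mask, min_literals=8):
    """Return reviewer warnings for a mask (illustrative thresholds)."""
    toks = tokenize(mask)
    warnings = []
    if toks and toks[0][0] == "any" and toks[-1][0] == "any":
        warnings.append("substring match: leading and trailing *")
    literals = sum(1 for kind, _ in toks if kind == "lit")
    if literals < min_literals:
        warnings.append(f"only {literals} literal characters")
    for i, (kind, _) in enumerate(toks):
        if kind == "one" and any(k == "lit" and c == "=" for k, c in toks[i + 1:]):
            warnings.append("unescaped ? before '=': likely a query string")
            break
    return warnings

if __name__ == "__main__":
    # Masks and URLs taken from the examples in this topic.
    escaped = r"www.example.com/download_virus/virus.dll\?virus_name="
    unescaped = "www.example.com/download_virus/virus.dll?virus_name="
    for mask in ("*abc*", "example_123?.com", escaped, unescaped):
        print(mask, "->", review_mask(mask) or "no warnings")
    # The unescaped ? also excludes URLs with any other character in its place.
    other = "www.example.com/download_virus/virus.dllXvirus_name="
    print(mask_matches(unescaped, other), mask_matches(escaped, other))
```
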


Deleting a scan exclusion rule

To remove one or multiple rules from scan exclusions:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the Scan exclusions tab.
  3. Select the check box to the left of each rule that you want to remove from the list of scan exclusions.

    If you want to delete all rules, select the check box above the list.

  4. In the lower part of the window, click Delete.

    The action confirmation window is displayed.

  5. Click Yes.

The selected rules are removed from the list of scan exclusions.

Users with the Security auditor and Security officer roles cannot remove entries from the list of scan exclusions.


Editing a rule added to scan exclusions

To edit a rule in the scan exclusion list:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the Scan exclusions tab.
  3. Select the rule that you want to modify.

    This opens the Edit rule window.

  4. Make the necessary changes to the Criteria and Value fields.
  5. Click Save.

The rule is modified.

Users with the Security auditor and Security officer roles cannot edit rules in the list of scan exclusions.


Exporting the list of data excluded from the scan

To export the scan exclusion list:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the Scan exclusions tab.
  3. In the upper-right corner of the program web interface window, click the Export button.

The JSON file containing the exported list of scan exclusions is saved in the browser's downloads folder on your computer.


Filtering rules in the scan exclusion list by criterion

To filter scan exclusion list entries by rule type:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the Scan exclusions tab.
  3. Click the Criteria link to open the filter configuration window.
  4. Select one or more check boxes next to criteria by which you want to filter the rules:
    • MD5
    • Format
    • URL mask
    • Email recipient
    • Email sender
    • Source IP or subnet
    • Destination IP or subnet
    • User Agent
  5. Click Apply.

The filter configuration window closes.

The list of scan exclusions displays only those rules that match your criteria.

You can use multiple filters at the same time.


Searching rules in the scan exclusion list by value

To search rules in the scan exclusion list by value:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the Scan exclusions tab.
  3. Click the Value link to open the filter configuration window.
  4. Enter the characters of the value that you want to find.
  5. Click Apply.

The list of scan exclusions displays only those rules that match your criteria.

You can use multiple filters at the same time.


Resetting the rule filter in the scan exclusion list

To clear an exclusion list record filter by one or more filtering criteria:

  1. In the main window of the program web interface, select the Settings section, Exclusions subsection.
  2. Go to the Scan exclusions tab.
  3. Click the delete filter icon to the right of the header of the column in the table of scan exclusion list entries for which you want to clear the filter conditions.

    If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared.

The list of scan exclusions displays only those rules that match your criteria.
