All I see is a list of MD5 hashes and unless I drill down I cannot see the file name. If I look at my global overrides, there are about 900 entries of files that I have labelled as good. A large number of these were probably considered unknown in the cloud when I added them. Presumably, some of them have become "known good" since then.
It seems like I should be able to look at the list of file names and what their current cloud status is. Then I could remove unnecessary overrides from my whitelist. Better yet, maybe pruning of the override list could be automatic.
It also seems confusing that an override can be global or attached to a site or policy. Many things I whitelist are at the global level, but it does not seem that I can tell if there are policy-level overrides for the same file.
Am I missing something that would allow me to effectively manage these lists?
We don't have a good management system for that many overrides because our software isn't really designed to require that many overrides put in.
You've got a couple of options at this point:
1. Contact support and they can pull some logs and see what still needs to be overridden or not, and then you can pull out all the overrides you don't need anymore. Honestly they should also be able to whitelist things centrally to the point where you don't need any
2. Nuke them all and then see if anything breaks and then override just that software. Again support can help you by whitelisting things in our database.
Hope that helps!
The site overrides show you more info and allow you to export to Excel. You can select and delete multiple overrides at one time, but you cannot delete the global overrides on this page, even though you can see them.
We apologize that the feature is not preferable to you.
You can leave the software undetermined if you like and then run an undetermined report, but we generally advise against it as the report will pull in everything. It's better to build exclusions off local reports to see what is being monitored on a specific endpoint.
If this is causing software not to work properly it would be advisable to reach out to support for further assistance.
Thanks for letting us know! :D