As I have been living in the SEC for a few years, I have noticed that some processes are time-consuming, and there may be easy ways to improve them.
Here's an example of when I want to add some piece of detected adware/PUA to be "allowed" and no longer alerted/reported.
Current Process:
- See the Adware / PUA in the Computers with Alerts view.
- Right click computer > Resolve Alerts and Errors
- Manually note the name of the thing, e.g. NirPassView
- Close the Resolve Alerts and Errors page
- Find the computer in the groups (which I've hopefully already noted)
- Figure out which policy applies -- Right click group > View/Edit Group Policy Details, e.g. IT Policy
- Right click the IT Policy in Anti-virus and HIPS > View/Edit Policy
- Click Authorization.
- Under Adware and PUAs, scroll through list to find item(s).
- Select them, and click “add”
- "OK" my way out of the policy.
- Agree to update the policy on the groups to which it applies.
Better Process:
- See the Adware / PUA in the Computers with Alerts view
- Right click > Resolve Alerts and Errors
- Select Item
- At the bottom of the window, select “Add to Exemptions” button.
- A new sub-menu appears.
- I can select (checkbox) multiple policies to which I can add the exempt item(s)
- The policy that applies to THIS computer is already checked and highlighted. The others are unchecked by default.
- After clicking the checkboxes, click “Apply” at the bottom of the list.
- Interface asks “apply policy now” or “apply policy later”
- Clicking “apply policy now” gives you the normal prompt about all of the groups which will be updated.
- Clicking “apply policy later” simply returns you to the screen and does not push out the policy yet (because you may want to do this process several times and not push out a new policy several times)
That's my $0.02, and maybe some other people have ideas on how to improve the efficiency of working in the console, too.
Thank you.