10-22-2020 01:54 AM
Hello everyone,
I'm looking for a way to exclude a specific application (or a port) from an alarm or from the security event itself.
The reason is the "Windows Update Delivery" function causing Addr_Scan events resulting in Recon alarms.
I would like to discard these events by excluding the defined application or the specific port (7680/tcp).
As far as I know, there is no way to do so - maybe there is a possibility in the newer versions? (currently still on 7.0.3)
Thanks in advance.
10-22-2020 02:55 AM
I think you would be able to do that with version 7.3 which just came out last month.
10-22-2020 03:57 AM - edited 10-22-2020 04:02 AM
Thank you for the answer - we are already planning the upgrade for this version, I will give feedback once we are done.
I guess you are referring to the sub conditions mentioned in the 7.3 release notes regarding rules (page 11)?
10-22-2020 04:36 AM
You're welcome, yes that's the one.
01-17-2021 05:48 PM
Hi, in version 7.3.0 in the SMC GUI go to Configure / Services, and click Add New, give it a Name (e.g. WUDO) and ports: 7680/tcp, and make sure to check the option "Exclude this service from the Worm Detection algorithm (Exclude Worm)".
Regards,