Thanks Tim, I do have your First and Second Edition...however I forgot to add an important detail about my post...all the Threat Emulations I am referring to take place on Capsule Cloud (sorry bout that).  I put the exceptions into Endpoint Client for Sandblast, did I goof?

No that should work, you probably need to engage with TAC who will have to the tools to figure out why your emulation rate is so high.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Hello Dan,

Could you figure out why your TE was not bypassing the exception?

Regards

I’m having issues with TE\TX and not being able to add exceptions for specific sites. The issue I’m experiencing is mainly down to the time it is taking for emulation to complete. As an example, a 200K PDF is taking between 8-12 minutes to complete which is not ideal (Cloud Emulation not on prem).

I have tried adding exceptions to the threat prevention policy although this doesn’t not appear to work. It would be amazing if this worked or if there was functionality to bypass specific sites or utilise the application control objects within the threat preventions policy.

If anyone has any working exceptions then please holla.

Thanks
Matt

Our Endpoint Client is randomly ignoring "Disable Threat Emulation" settings in the Policy tab. 

What in god's name is going on? 

I am seeing the sandblast add-in for browsers getting instantiated in Chrome and the CPEP overview dialog box shows Threat Emulation and Anti-Exploit as ON, then off again.

Threat Emulation plugin shows up in the browser UI in Chrome and all PDFs are being emulated on download attempt even if you are going to the same link and downloading the same file again.

I tried upgrading the client to the latest version and re-pushed policy and it is still happening. inconsistently but often 

Endpoint is Killin me....  It's always seeming to want to drive me batty.

Client OS is Windows 10 1909 with CPEP Client 82.10 installed 

Management Server is running 80.30 Gaia 3.10 Jumbo Hotfix Accumulator for Security Management (Take 111) and Smart Console / Smart Endpoint console is build 36.

I don't want to have to push out a deployment rule to remove the blade completely but that seems to be the only option. 

I will try enabling the blade in policy and using exceptions to see if maybe that works now, because it never did before

Emulation seems to be happening with Chrome most of the time, and IE 11 not so much.

The particular use case I am testing this on is when Chrome is the default Web browser and you click on a link in an email in Outlook 2013 Pro Plus. 

I have another end user who has IE as the default browser, and he was still seeing emulation happening, though he is in a policy rule which disables Threat Emulation completely as well.

This is problematic because we have a Citrix Workspace based web application we need to use to reach our invenstment bankng account managment system at UBS and it breaks the ability for the ConsultWorks app to launch the .ica file that launches it once you log into the portal.

😞

I am working with TAC, and I am told that E82.20 client fixes the behavior.

I am deploying new workstations with that client now and will report back to TAC and here if this is indeed fixed.